Performance Issues With VMs and Other Large Files on Agent 8.8 or Higher

Article ID: 286748

Updated On:

Products

Carbon Black App Control (formerly Cb Protection)

Issue/Introduction

  • High resource usage or performance degradation due to parity.exe reading large files.
  • May experience Windows "File In Use" messages, similar to:
    The action can't be completed because the file is open in Carbon Black App Control Agent

Environment

  • App Control Agent: 8.8.0 and Higher
  • App Control Console: All Supported Versions
  • Microsoft Windows: All Supported Versions

Cause

Beginning with Agent 8.8.0, Yara scans occur on large files. Performance issues may be encountered during this analysis of large files (such as vmdk, vhd, etc.).

Resolution

Option A: Create a Performance Optimization Rule

The best way to handle this is to prevent the Agent from analyzing these files when they are written. In many situations these files never execute, and a Performance Optimization Rule would be the most efficient way to handle this.

  1. Log in to the Console and navigate to Rules > Software Rules > Custom > Add Custom Rule.
  2. Use the following as an example:
    • Rule Name: Performance - VHD Files (or something memorable)
    • Description: Skip analysis on write operations
    • Status: Enabled
    • Platform: Windows
    • Rule Type: Performance Optimization
    • Path or File: Specific Path:
      *\Example\VM Storage\*.vhd
    • Process: Any Process
    • Policies: Relevant Policies
  3. Save the changes and verify the Agent shows as Connected & Up to Date in Assets > Computers.
  4. In some instances the machine may need to be rebooted or the service in question may need to fully terminate for the changes to take place.

If the issue persists, it may be necessary to create the Agent Config below.

Option B: Adjust max_analysis_size_mb

Warning! Creating this Agent Config could negatively impact performance.
With this Agent Config, analysis is skipped until execution, and the Agent will then stall operations in order to complete the analysis.


The Performance Optimization Rule above is the preferred option.

  1. Verify the Agent is on version 8.9.0 or higher.
    • Beginning with Agent 8.9.0, the Agent Config max_analysis_size_mb can be set.
    • With this property set, analysis of files over the specified size (in MiB) is skipped until they are executed.
    • Analysis then occurs in-line when the file is executed, which will negatively impact performance or could cause unexpected blocks.
  2. Log in to the Console and navigate to https://ServerAddress/agent_config.php
  3. Add a Filter > Value > contains: max_analysis_size_mb
  4. If one does not exist already, add a new Agent Config to target the impacted endpoint, Policy, Platform, or combination of those options. Example:
    • Name: Skip Large File Analysis Until Execution
    • Host ID: 0 (or specify a Host)
    • Value:
      max_analysis_size_mb=<VALUE>
    • Platform: Windows
    • Status: Enabled
    • Create For: Relevant Policies
  5. Save the changes and verify the Agent shows as Connected & Up to Date in Assets > Computers.
  6. In some instances the machine may need to be rebooted or the service in question may need to fully terminate for the changes to take place.

If the issue persists, open a case with Support.

Additional Information

The premise of max_analysis_size_mb is that the impacted large files (e.g. .vhd, .bak, etc.) are generally not executed and analysis would be skipped without impact to performance or security.
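
To scope the rule path in Option A, or to pick a value for max_analysis_size_mb in Option B, it helps to know where the large files on the endpoint live and how big they are. The PowerShell script below is an added example, not part of the original article or the vendor's tooling; the function name Get-LargeFileSummary, the default root D:\ and the 1024 MiB threshold are assumptions, and it assumes local drive-letter paths.

```powershell
# Added example (not vendor code): summarize large files by folder and extension.
# The default values of $Root and $MinSizeMiB are assumptions; set them per endpoint.
param(
    [string]$Root = 'D:\',
    [int]$MinSizeMiB = 1024
)

function Get-LargeFileSummary {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][int]$MinSizeMiB
    )
    # PowerShell's 1MB literal is 1,048,576 bytes, i.e. 1 MiB.
    $minBytes = [int64]$MinSizeMiB * 1MB

    # Extensionless files are skipped: they cannot be expressed as a narrow *.ext pattern.
    Get-ChildItem -LiteralPath $Path -File -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Length -ge $minBytes -and $_.Extension } |
        Group-Object -Property DirectoryName, Extension |
        ForEach-Object {
            $first = $_.Group[0]
            $sizes = $_.Group | Measure-Object -Property Length -Minimum -Maximum
            # Drop the drive prefix so the pattern has the shape of the article's
            # example (*\Example\VM Storage\*.vhd). UNC paths are not handled.
            $relDir = $first.DirectoryName -replace '^[A-Za-z]:\\?', ''
            $prefix = if ($relDir) { '*\' + $relDir + '\' } else { '*\' }
            [pscustomobject]@{
                Directory     = $first.DirectoryName
                Extension     = $first.Extension
                Count         = $_.Count
                SmallestMiB   = [math]::Floor($sizes.Minimum / 1MB)
                LargestMiB    = [math]::Ceiling($sizes.Maximum / 1MB)
                CandidatePath = $prefix + '*' + $first.Extension
            }
        } |
        Sort-Object -Property LargestMiB -Descending
}

Get-LargeFileSummary -Path $Root -MinSizeMiB $MinSizeMiB | Format-Table -AutoSize
```

SmallestMiB is the smallest file in each group, so a max_analysis_size_mb value has to sit below it for every file in that group to count as over the specified size. Review each CandidatePath before entering it in the rule so that it covers only the intended storage folders.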