App Control: Agent 8.9.0 Causing Long Delays Saving Files On Network Shares

Article ID: 288723

Updated On:

Products

Carbon Black App Control (formerly Cb Protection)

Issue/Introduction

  • App Control Agent version 8.9.0 is installed on the file server
  • File operations to/from the file server are delayed

Environment

  • App Control Agent: 8.9.0
  • Microsoft Windows: All Supported Versions

Cause

Whenever a File Share is accessed from a remote system, the new 8.9.0 process thread user identity check detects the operation as a new user on the File Server system and triggers rule expansion and a timeout.

Resolution

This issue was tracked under EP-18451 and fixed with the release of Agent version 8.9.2.

Additional Information

  • Previously the workaround was to create the following agent configuration and apply it to the file servers:
    1. Log in to the Console and navigate to https://ServerAddress/agent_config.php
    2. Use the following details:
      • Name: Temporary Config For File Servers (or something memorable)
      • Host ID: 0 (All or limit to a single File Server Host Id)
      • Value:
        kernelCheckThreadIdentity=0
      • Platform: Windows
      • Status: Enabled
      • Create For: Select the Policy(es) Containing the File Servers
    3. Click Save.
    4. Once the agents are up to date, the delays will be resolved.
  • Prior to version 8.9.0, agents only checked the User identity (SID) of running processes, but not of individual process threads.
  • Agent 8.9.0 adds the ability to check the User identity (SID) of a process thread, which is more granular and secure.
  • Whenever a File Share is accessed from a remote system, the new Thread identity check detects the connection as a new user logged on to the File Server system and triggers rule expansion and a timeout.
  • "kernelCheckThreadIdentity=0" will disable the new Thread identity check functionality, and the agent will only do the Process identity check, which is the same behavior as prior to 8.9.0.
  • It is recommended to limit the config to the relevant File Servers, or to the Policies where the File Servers exist.