App Control: Performance issues with <Sha256> macro in Write Rules
search cancel

App Control: Performance issues with <Sha256> macro in Write Rules

book

Article ID: 289311

calendar_today

Updated On:

Products

Carbon Black App Control (formerly Cb Protection)

Issue/Introduction

  • Performance delays often coupled with High CPU
  • Extreme delay in installing updates or new software.

Environment

  • App Control (formerly CB Protection): All Versions

Cause

The cause of this is a <Sha256> macro being added to a Write rule. This macro should never be used in a Write type rule, as hashes cannot be gathered till after the file has been written. Meaning every write regardless of file type has to be analyzed against this rule.

Resolution

Remove or disable the Sha256 macro in the rule.

Additional Information

A code change has been created to make these types of rules impossible to create. This change as referenced as EP-5294 will be included in the release notes for the versions that have this change.

Powered by Wolken Software