App Control: Performance issues with <Sha256> macro in Write Rules
Article ID: 289311
Updated On:
Products
Carbon Black App Control (formerly Cb Protection)
Issue/Introduction
Performance delays, often coupled with high CPU usage.
Extreme delays when installing updates or new software.
Environment
App Control (formerly CB Protection): All Versions
Cause
The cause is a <Sha256> macro that has been added to a Write rule. This macro should never be used in a Write type rule, because hashes cannot be gathered until after the file has been written. As a result, every write, regardless of file type, has to be analyzed against this rule.
Resolution
Remove or disable the Sha256 macro in the rule.
Additional Information
A code change has been created to make these types of rules impossible to create. This change, referenced as EP-5294, will be included in the release notes for the versions that have this change.