App Control: cert or hash macro in a Write rule causes agents to max out the CPU
Article ID: 290488

Products

Carbon Black App Control (formerly Cb Protection)

Issue/Introduction

Adding a certificate ("Cert") or hash macro to a Write rule causes Parity to max out the CPU, resulting in unresponsive systems.

Environment

  • App Control server: 8.1.8-8.6.x
  • App Control agent: All versions

Cause

Having the <sha256> or <cert> macro in the target pattern of a Write rule causes the agent to ABMiss and stall on every write in order to hash the file and check whether the write should be approved. This per-write hashing is what ultimately causes the performance problem.
Write operations are evaluated before the write actually occurs. Because the write has not completed yet, the hash of the file on disk can never match the hash the rule is trying to approve, so the check costs CPU on every write and never succeeds.

Resolution

  • Avoid adding the <cert> and <sha256> macros to the target pattern of a Write rule.
  • On server versions 8.7 and above, a warning message appears when a user tries to add such a rule.
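The two points above (a hash check at write-evaluation time can only see the pre-write file contents, and rules carrying these macros should be found and removed) can be illustrated with a small model. The following is an added example written for this article, not App Control or Parity code: the rule dictionaries, the `flag_hash_macros_in_write_rules` and `evaluate_write_rule_pre_write` functions, and the sample rules and file contents are constructed here. Only the macro names `<sha256>` and `<cert>` come from the article.

```python
import hashlib
import re

# Macro names are the ones the article names; matching is case-insensitive
# because the article itself writes them as <SHA256>, <sha256> and <cert>.
HASH_OR_CERT_MACRO = re.compile(r"<\s*(sha256|cert)\s*>", re.IGNORECASE)


def flag_hash_macros_in_write_rules(rules):
    """Return the names of Write rules whose target pattern contains a
    <sha256> or <cert> macro. Mirrors the check a server 8.7+ performs
    when such a rule is created; useful for reviewing an existing rule set.
    Each rule is a constructed dict: {"name", "operation", "target"}."""
    flagged = []
    for rule in rules:
        is_write = rule["operation"].strip().lower() == "write"
        if is_write and HASH_OR_CERT_MACRO.search(rule["target"]):
            flagged.append(rule["name"])
    return flagged


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def evaluate_write_rule_pre_write(on_disk_bytes: bytes, pending_bytes: bytes,
                                  approved_sha256: str) -> bool:
    """Model a hash check performed at write-evaluation time.

    The write has not happened yet, so the only content that can be hashed
    is what is currently on disk. The bytes about to be written
    (pending_bytes) are not part of the file at this point, which is why
    the check never matches a hash computed over the finished file.
    """
    observed = sha256_hex(on_disk_bytes)
    return observed == approved_sha256


def demo():
    # Constructed sample rules, not an export from a real server.
    rules = [
        {"name": "Allow signed installer writes", "operation": "Write",
         "target": "C:\\Installers\\*.msi <cert>"},
        {"name": "Block exe writes", "operation": "Write",
         "target": "*.exe"},
        {"name": "Approve by hash on execute", "operation": "Execute",
         "target": "<SHA256>"},
    ]
    flagged = flag_hash_macros_in_write_rules(rules)

    # Constructed file contents: the write replaces version 1 with version 2,
    # and the rule tries to approve the hash of version 2.
    before_write = b"version 1 of the file"
    after_write = b"version 2 of the file"
    approved = sha256_hex(after_write)

    # Evaluated before the write: on-disk content is still version 1.
    matched_pre_write = evaluate_write_rule_pre_write(before_write, after_write, approved)
    # Only once the write has completed would the hash line up.
    matched_post_write = evaluate_write_rule_pre_write(after_write, after_write, approved)
    return flagged, matched_pre_write, matched_post_write


if __name__ == "__main__":
    print(demo())
```

Running `demo()` flags only the Write rule that carries `<cert>` (the Execute rule with `<SHA256>` is left alone, since hash macros are fine where the file already exists), and shows the pre-write hash check returning `False` even though the approved hash is exactly the hash of the content being written.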