App Control: macro to a Write rule causes agents to max out the CPU
Article ID: 290488
Products
Carbon Black App Control (formerly Cb Protection)
Issue/Introduction
Adding any "Cert" or "hash" macro to a Write rule causes the Parity agent process to max out the CPU, resulting in unresponsive systems.
Environment
App Control server: 8.1.8-8.6.x
App Control agent: All versions
Cause
Having the <SHA256> or <cert> macro in the target pattern of a Write rule causes the agent to miss the approval cache (ABMiss) and stall every write while it hashes the file to decide whether the write should be approved. This is what ultimately causes the performance problem. Write operations are evaluated before the operation actually occurs, so the write has not completed yet and the hash of the file will never match the hash the rule is trying to approve; the expensive check is repeated on every write and can never succeed.
Resolution
Avoid adding the <cert> and <sha256> macros to a Write rule.
On server versions 8.7 and above, a warning message appears when the user tries to add such a rule.
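Servers below 8.7 give no warning, so an audit of the existing custom rules is the practical way to catch this before agents start stalling. The script below is an added example, not code from the article or from Carbon Black; it assumes the rules have been exported to a list of records with a rule name, an operation field and a target pattern (a constructed, hypothetical shape, since the article does not describe an export format) and flags every Write rule whose target contains a <cert> or <sha256> macro.

```python
import re
from typing import Dict, Iterable, List

# Case-insensitive match for the two macros the article names; the page
# writes both <SHA256> and <sha256>, so the match ignores case.
MACRO_RE = re.compile(r"<\s*(cert|sha256)\s*>", re.IGNORECASE)


def is_write_rule(rule: Dict[str, str]) -> bool:
    """True when the rule's operation covers writes (e.g. "Write", "Write / Create")."""
    return "write" in rule.get("operation", "").lower()


def find_risky_write_rules(rules: Iterable[Dict[str, str]]) -> List[Dict[str, object]]:
    """Return the Write rules whose target pattern contains a <cert> or <sha256> macro.

    Each finding carries the rule name and the sorted list of macros found, so the
    report says exactly which macro needs to be removed from which rule.
    """
    findings: List[Dict[str, object]] = []
    for rule in rules:
        if not is_write_rule(rule):
            continue  # Execute-only rules are not affected by this issue
        macros = sorted({m.group(1).lower() for m in MACRO_RE.finditer(rule.get("target", ""))})
        if macros:
            findings.append({"name": rule["name"], "macros": macros})
    return findings


# Constructed sample export (hypothetical rule names and target patterns).
SAMPLE_RULES = [
    {"name": "Block writes to System32", "operation": "Write", "target": r"C:\Windows\System32\*"},
    {"name": "Approve signed installer writes", "operation": "Write", "target": r"<cert>"},
    {"name": "Approve by hash on execute", "operation": "Execute", "target": r"<SHA256>"},
    {"name": "Approve hashed drops", "operation": "Write / Create", "target": r"<SHA256> C:\Drops\*"},
    {"name": "Approve cert and hash", "operation": "Write", "target": r"<cert> <sha256>"},
]


if __name__ == "__main__":
    for finding in find_risky_write_rules(SAMPLE_RULES):
        print(f"Write rule '{finding['name']}' uses macro(s): {', '.join(finding['macros'])}")
```

Only the Write rules carrying a macro are reported; the Execute rule with <SHA256> is left alone because hash and certificate checks on an execute are evaluated against a file that already exists on disk.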