Suddenly connections to CA PAM using the CA PAM Client in Windows starts behaving very slowly, taking almost 5 minutes to access the dashboard with no apparent resource utilization in PAM and no network issues to report.

This is a sudden development with no prior changes to the environment and no modifications to the PAM infrastructure or version. The experience is random in nature and occurs on some occasions.

The  random  slowness experience while accessing PAM via Windows based PAM client is caused by Windows Defender update to version 1.421.1630.0 (and possibly also later ones).

The CA PAM Client component uses the jxbrowser Chromium browser for operation. During client startup jxbrowser verifies the integrity of the Chromium binaries used in CA PAM Client, but this operation is blocked by Windows Defender checking the same files before allowing applications to read them

After Windows Defender update 1.421.1630.0, the verification time by the Antivirus program increased to several minutes. Note that the performance degradation is only for the first time when Windows Defender scans the files. Once you let it finish, subsequent logins will not see the issue.

Two options may be considered to streamline this problem:

    1.   Add the directory with Chromium binaries to the whitelist.
    2.   Rollback the latest Windows Defender update.
    
The Broadcom Support recommendation is to add the binaries directory to the whitelist.

Please follow these steps:

    1    Locate the Chromium binaries directory at <PAM Cient Installation Dir>\temp.
    2    Go to Start → Settings → Update & Security → Windows Security → Virus & threat protection.
    3    Under Virus & threat protection settings, select Manage settings.
    4    Under Exclusions, select Add or remove exclusions.
    5    Select Add an exclusion, and then select the directory with the Chromium binaries (<PAM Cient Installation Dir>\temp).

A new version of jxbrowser has been released that avoids the Windows Defender problem. Broadcom has released patch 4.2.1.02 which resolves the issue in version CA PAM 4.2.1 and is working. A similar generic hotfix, patch 4.2.0.62, has been relased for version 4.2.0. Please note that for versions prior to 4.2.X, the previous procedure will be the only possible way of remediating the problem. 

Please note that while Windows Defender may be a locally installed application and so you may be able to change its settings on your own, some organizations have centrally managed Windows Defender policies which require changes at Group Policy or at least elevated privileges to manage exclusions or changes to local configuration.

See for instance this article by Microsoft.

In such cases you should check with your organization systems group how to implement the recommendations of the present article in your environment