App Control: How To Collect Agent Performance Logs on Windows (Locally)

Environment

  • App Control Agent: All Supported Versions
  • Microsoft Windows: All Supported Versions

Objective

To collect diagnostics for cases involving performance impacts.

Resolution

Open a case with Carbon Black Support and provide the following:
  1. Relevant Information:
    • Date/Time performance issue started occurring (did any change precede the start of it?)
    • Actions being performed when performance is degraded
    • Is the performance associated with a specific application?
      • Application name
      • Does the vendor of the application have a recommended exclusion list and has it been implemented?
      • Any paths/processes known to be associated with the application
    • Are there any blocks seen locally or within the App Control console during the performance issue?
    • Are results the same if the Agent is stopped and unloaded?
  2. Agent Logs
    1. Open an administrative command prompt and execute the following commands:
      cd "C:\Program Files (x86)\Bit9\Parity Agent"
      dascli password GlobalCLIPassword
      dascli setconfigprop max_rolling_trace_size_mb=0
      dascli resetcounters
      dascli flushlogs
      dascli tamperprotect 0
      dascli debuglevel 6
      dascli kerneltrace 4 -1
      dascli nettrace 1
      dascli diagnostics +performance
    2. Start a Procmon capture
    3. Collect 10-15 mins of data during the ongoing performance issues.
    4. Stop the Procmon capture and save "All Events" as a PML file.
    5. In the administrative command prompt, execute the following commands to capture the logs and return the logging levels to normal:
      dascli capture "%userprofile%\Desktop\%computername%-Performance.zip"
      dascli password GlobalCLIPassword
      dascli setconfigprop max_rolling_trace_size_mb=50
      dascli debuglevel 0
      dascli kerneltrace 2
      dascli nettrace 0
      dascli diagnostics -performance
      dascli tamperprotect 1
    6. (Optional) Some performance issues require a WPR capture; steps to collect it can be found HERE
    7. Please zip all files and upload them to the Vault.
    8. Once the upload completes, please comment on the support case that the data is available for review (along with all relevant information).
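
The procedure above turns tamper protection off and raises trace levels for the duration of the capture, so the restore commands in step 5 must run even if an earlier step fails. The PowerShell wrapper below is an added example, not part of the original article or vendor tooling; it uses only the dascli commands listed above and runs the restore sequence in a finally block. Assumptions: the executable is dascli.exe in the agent folder shown above, and dascli signals failure with a non-zero exit code.

```powershell
# Added example, not vendor code. Run in an elevated PowerShell session.
$dascli = 'C:\Program Files (x86)\Bit9\Parity Agent\dascli.exe'  # assumed executable name
$zip = Join-Path $env:USERPROFILE "Desktop\$($env:COMPUTERNAME)-Performance.zip"

# Prompt for the password instead of storing it in the script. It is still
# passed to dascli as an argument, as in the article's commands.
$sec = Read-Host 'Global CLI password' -AsSecureString
$pw  = (New-Object System.Net.NetworkCredential('', $sec)).Password

function Invoke-Dascli {
    # Runs one dascli command and returns $true on exit code 0.
    # Assumption: dascli reports failure through a non-zero exit code.
    param([string[]]$DascliArgs)
    & $dascli @DascliArgs | Out-Host
    return ($LASTEXITCODE -eq 0)
}

# Step 1 commands (after authentication), in the article's order.
$enable = 'setconfigprop max_rolling_trace_size_mb=0', 'resetcounters', 'flushlogs',
          'tamperprotect 0', 'debuglevel 6', 'kerneltrace 4 -1', 'nettrace 1',
          'diagnostics +performance'
# Step 5 commands (after capture and re-authentication), in the article's order.
$restore = 'setconfigprop max_rolling_trace_size_mb=50', 'debuglevel 0', 'kerneltrace 2',
           'nettrace 0', 'diagnostics -performance', 'tamperprotect 1'

try {
    if (-not (Invoke-Dascli 'password', $pw)) { throw 'dascli authentication failed' }
    foreach ($c in $enable) {
        if (-not (Invoke-Dascli ($c -split ' '))) { throw "dascli $c failed" }
    }
    Read-Host 'Run the Procmon capture (steps 2-4), then press Enter' | Out-Null
    if (-not (Invoke-Dascli 'capture', $zip)) { throw 'dascli capture failed' }
}
finally {
    # Runs whether or not the steps above succeeded, so the endpoint is not
    # left with tamper protection off and verbose tracing on.
    $failed = @()
    if (-not (Invoke-Dascli 'password', $pw)) { $failed += 'password' }
    foreach ($c in $restore) {
        if (-not (Invoke-Dascli ($c -split ' '))) { $failed += $c }
    }
    $pw = $null
    if ($failed) { Write-Warning "Re-run manually: dascli $($failed -join '; dascli ')" }
}
```

If the warning lists any command, run it by hand from the administrative command prompt before closing the session.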

Article Information
Creation Date: 01-11-2019