App Control: Performance Issues With VMs and Other Large Files on Agent 8.8 or Higher

Environment

  • App Control Agent: 8.8.0 and Higher
  • App Control Console: All Supported Versions
  • Microsoft Windows: All Supported Versions

Symptoms

High resource usage or performance degradation due to parity.exe reading large files.

Cause

As of the 8.8.0 Agent, Yara scans occur on large files. Performance issues may be encountered while large files (such as vmdk, vhd, etc.) are being analyzed.

Resolution

Beginning with version 8.9.0, a new Agent Config (max_analysis_size_mb) is available. This property skips analysis of files over the specified size (in MiB) until they are executed.
  1. Log in to the Console and navigate to https://ServerAddress/agent_config.php
  2. If one does not exist already, add a new Agent Config using the max_analysis_size_mb value to target the impacted endpoint, Policy, Platform, or combination of those options. Example:
    Name: Skip Large File Analysis Until Execution
    Host ID: 0
    Value: max_analysis_size_mb=VALUE
    Platform: Windows
    Status: Enabled
    Create For: Selected Policies > Virtual Machines
  3. If the issue persists, open a case with Carbon Black Technical Support.
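
To help choose VALUE in step 2, the following PowerShell sketch inventories files above a candidate threshold on an impacted endpoint. It is an added example, not Carbon Black code; the $Path and $ThresholdMiB defaults and the list of executable extensions are assumptions to adjust.

```powershell
# Added example (not vendor code): size a candidate max_analysis_size_mb value
# by listing the files it would exempt from analysis until execution.
param(
    [string]$Path = 'D:\VMs',     # assumption: folder holding the large files
    [int]$ThresholdMiB = 1024     # assumption: candidate max_analysis_size_mb value
)

# PowerShell's 1MB constant is 1,048,576 bytes, i.e. 1 MiB.
$thresholdBytes = [int64]$ThresholdMiB * 1MB

# Assumption: extensions treated as "likely to be executed" for this review.
$execExtensions = '.exe', '.dll', '.msi', '.sys'

$large = @(Get-ChildItem -LiteralPath $Path -File -Recurse -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.Length -gt $thresholdBytes })

"{0} file(s) larger than {1} MiB under {2}" -f $large.Count, $ThresholdMiB, $Path

# Per-extension summary: shows whether the threshold mostly catches
# disk images and backups, as the configuration assumes.
$large | Group-Object -Property { $_.Extension.ToLowerInvariant() } |
    ForEach-Object {
        $stats = $_.Group | Measure-Object -Property Length -Sum -Maximum
        [pscustomobject]@{
            Extension  = if ($_.Name) { $_.Name } else { '(none)' }
            Count      = $_.Count
            TotalGiB   = [math]::Round($stats.Sum / 1GB, 2)
            LargestMiB = [math]::Round($stats.Maximum / 1MB, 0)
        }
    } | Sort-Object -Property TotalGiB -Descending | Format-Table -AutoSize

# Large files with executable extensions are the ones whose analysis would be
# deferred to execution time, so review them before settling on the value.
$deferred = @($large | Where-Object { $execExtensions -contains $_.Extension.ToLowerInvariant() })
if ($deferred.Count -gt 0) {
    "Executable-type files above the threshold (analysis deferred until execution):"
    $deferred | Sort-Object -Property Length -Descending |
        Select-Object FullName, @{ n = 'SizeMiB'; e = { [math]::Round($_.Length / 1MB, 0) } } |
        Format-Table -AutoSize
}
```

If the second table is not empty, consider a higher threshold so that those files are still analyzed before they run.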

Additional Notes

  • The premise of this configuration is that the impacted large files (e.g. .vhd, .bak, etc.) are generally not executed and analysis would be skipped.
  • Support for the max_analysis_size_mb Agent Config was introduced in the 8.9 Agent.
  • Agent 8.8 and earlier will not support this Agent Config until upgraded to a later version.
  • If necessary, follow the steps in this article to implement a Performance Optimization rule for the impacted files.

Article Information
Creation Date: 04-20-2023