App Control: Performance Issues With VMs and Other Large Files on Agent 8.8 or Higher

Environment

  • App Control Agent: 8.8.0 and Higher
  • App Control Console: All Supported Versions
  • Microsoft Windows: All Supported Versions

Symptoms

  • High resource usage or performance degradation due to parity.exe reading large files.
  • Windows "File In Use" messages similar to the following may appear:
    The action can't be completed because the file is open in Carbon Black App Control Agent

Cause

As of the 8.8.0 Agent, YARA scans now occur on large files. Performance issues may be encountered on large files (such as .vmdk, .vhd, etc.) during this analysis.

Resolution

The best way to handle this is to prevent the Agent from analyzing these files when they are written. In many situations these files never execute, and a Performance Optimization Rule would be the most efficient way to handle this.

Step 1: Create a Performance Optimization Rule to ignore write operations on the large files.
  1. Log in to the Console and navigate to Rules > Software Rules > Custom > Add Custom Rule.
  2. Use the following as an example:
    • Rule Name: Performance - VHD Files (or something memorable)
    • Description: Skip analysis on write operations
    • Status: Enabled
    • Platform: Windows
    • Rule Type: Performance Optimization
    • Path or File: Specific Path:
      *\Example\VM Storage\*.vhd
    • Process: Any Process
    • Policies: Relevant Policies
  3. Save the changes and verify the Agent shows as Connected & Up to Date in Assets > Computers.
  4. In some instances the machine may need to be rebooted or the service in question may need to fully terminate for the changes to take place.

Step 2: If the issue persists, it may be necessary to create the following Agent Config.

Warning: Creating this Agent Config could negatively impact performance if these files turn out to be interesting and do execute. The Agent Config skips analysis until execution, and the Agent will then stall operations in order to complete the analysis. The Performance Optimization Rule in Step 1 is the preferred option.

Beginning with version 8.9.0 a new Agent Config (max_analysis_size_mb) is available. This property skips analysis of files over the specified size (in MiB) until they are executed, and should be used ONLY in situations where very large files are being written that are not expected to ever execute.
  1. Log in to the Console and navigate to https://ServerAddress/agent_config.php
  2. If one does not exist already, add a new Agent Config using the max_analysis_size_mb value to target the impacted endpoint, Policy, Platform, or combination of those options. Example:
    Name: Skip Large File Analysis Until Execution
    Host ID: 0
    Value: max_analysis_size_mb=VALUE
    Platform: Windows
    Status: Enabled
    Create For: Selected Policies > Virtual Machines
  3. Save the changes and verify the Agent shows as Connected & Up to Date in Assets > Computers.
  4. In some instances the machine may need to be rebooted or the service in question may need to fully terminate for the changes to take place.

If the issue persists, open a case with Carbon Black Technical Support.
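Both steps depend on knowing which large files are actually being written and where they live: Step 1 needs a "Specific Path" pattern that covers only the disk images, and Step 2 needs a size threshold that sits below the smallest file causing trouble but above anything that might execute. The following PowerShell script is an added example, not part of this article or of the App Control product, that inventories files above a threshold under a storage root and summarises them by extension and directory so those two values can be chosen from evidence rather than guessed. The root path `D:\Example\VM Storage` mirrors the article's example rule and the 512 MiB threshold is a constructed starting point, not a vendor recommendation.

```powershell
# Added example (not from the Carbon Black KB article): inventory large files under a
# VM storage root to scope the Step 1 path pattern and pick a Step 2 threshold.
# Assumptions: $Root is the hypothetical storage path from the article's example rule;
# 512 MiB is a constructed threshold, not a vendor recommendation.
param(
    [string]$Root = 'D:\Example\VM Storage',
    [int]$ThresholdMiB = 512
)

$thresholdBytes = $ThresholdMiB * 1MB   # PowerShell's 1MB literal is 1,048,576 bytes (1 MiB)

# Collect every regular file above the threshold; -ErrorAction keeps the scan going
# past directories the current account cannot read.
$large = Get-ChildItem -Path $Root -Recurse -File -ErrorAction SilentlyContinue |
    Where-Object { $_.Length -gt $thresholdBytes }

if (-not $large) {
    Write-Host "No files larger than $ThresholdMiB MiB under $Root"
    return
}

# Summarise by extension: this shows which *.ext patterns a Performance Optimization
# Rule should cover, and how much data each extension represents.
$large | Group-Object Extension | ForEach-Object {
    $ext = if ($_.Name) { $_.Name } else { '(none)' }
    [pscustomobject]@{
        Extension  = $ext
        Count      = $_.Count
        TotalGiB   = [math]::Round(($_.Group | Measure-Object Length -Sum).Sum / 1GB, 2)
        LargestMiB = [math]::Round(($_.Group | Measure-Object Length -Maximum).Maximum / 1MB, 0)
    }
} | Sort-Object TotalGiB -Descending | Format-Table -AutoSize

# Summarise by directory: candidate "Specific Path" values such as *\Example\VM Storage\*.vhd.
# A directory whose large files are all disk images is a safe rule scope; one that also
# holds executables is not, because the rule skips analysis on every matching write.
$large | Group-Object DirectoryName | ForEach-Object {
    [pscustomobject]@{
        Directory  = $_.Name
        Count      = $_.Count
        Extensions = ($_.Group.Extension | Sort-Object -Unique) -join ', '
    }
} | Sort-Object Count -Descending | Format-Table -AutoSize
```

Run it on the affected endpoint as an account that can read the storage root, for example `.\Find-LargeFiles.ps1 -Root 'E:\Hyper-V' -ThresholdMiB 1024`. If the extension table contains only disk-image and backup types (.vhd, .vmdk, .bak), a Step 1 rule scoped to those extensions under the listed directories is sufficient; if the directory table shows executables mixed in with the images, narrow the path pattern rather than widening it, and treat the smallest "LargestMiB" value among the image types as the upper bound for any max_analysis_size_mb setting.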

Additional Notes

  • The premise of this configuration is that the impacted large files (e.g. .vhd, .bak, etc.) are generally not executed and analysis would be skipped.
  • A better alternative to the Agent Config may be creation of a Performance Optimization Rule.
  • Support for the max_analysis_size_mb Agent Config was introduced in the 8.9.0 Agent.

Article Information

Creation Date: 04-20-2023