CB Protection: Changing Rule Ranking Causes Temporary Loss of Rule Functionality and/or Performance Hit

Environment

CB Protection Console: 8.x

Symptoms

  • Temporary loss of Rule functionality
  • Block events
  • High Parity.exe CPU% (particularly affects VDI environments)

Cause

  • When adding a new rule or re-ordering a rule in "Rules" > "Software Rules" > "Custom", the Cb Protection server sends a delete action (via CL updates) to the agents to delete rules before sending the new list of rules with the new rankings
  • The new rule, rankings or changes don't take effect on the endpoint until the server sends the delete action down to the agents, followed by the list of new rules, changes, rankings, etc.

Resolution

It is recommended that, when changing rankings on rules, smaller increments be used (e.g. Rank "1" to Rank "10", or something similar) to help prevent any issues.

Additional Notes

  • The effect of ranking changes and the resultant rule deletion/update on the agents is only temporary, and rule functionality will resume as intended when the agent has fully synced
  • Ranking changes will have a far greater impact in a VDI Environment, as each Virtual Machine attempts to perform the same task at the same time on its Host Machine
  • Carbon Black may, in some future release, add a warning message to the "Rules" > "Software Rules" > "Custom" section when changing ranking on new or existing rules

Article Information
Creation Date: 09-04-2020