CRL Checking Timeouts Cause Performance Impacts to Bit9 Agent
Experiencing symptoms that indicate that the Bit9 Agent is having a performance problem scanning files and it's taking longer than usual
Users may experience infrequent and intermittently blocks on files that are being approved via Trusted Publishers. Files delivered to workstations which should be approved by Trusted Publisher infrequently and intermittently arrive unapproved. The initial scan against a Trusted Publisher may take much longer that expected to complete. Trusted Publisher scan events may seem to occur at a rate of one per file every 90 seconds to 3 minutes.
Running the command netstat -an | find "SYN_SENT" shows a number of Internet IP addresses. These IP addresses appear to point to companies or servers that might host a CRL.
"Max," "Total," and "Count" values from the command dascli counters | find "Cert" are extremely high, in the range of many 1000's or higher.
When you "code sign" an application, you use a "certificate." This certificate is "signed by an authority." That authority may maintain a "certificate revocation list, or 'CRL'" The list contains all certificates that have deliberately been revoked, perhaps because they were misused or stolen. Typically the CRL is hosted on the network, so for an external authority such as Versign, it is hosted out on the Internet.
The Bit9 Agent checks to see whether files are code-signed, and if so, it also checks whether the certificate is actually valid. The agent does not actually do this work itself, but rather asks the Windows CryptoAPI to do so. If the CryptoAPI finds that a signing authority hosts a CRL, it may attempt to access that CRL over the Internet. This happens directly from the host running the Bit9 Agent.
If the host running the Bit9 Agent is isolated from the Internet, this check fails. It doesn't necessarily cause a problem; the CryptoAPI still returns the answer, "VALID." However, if the way in which the firewall blocks the Internet causes the connection to timeout slowly, rather than be rejected quickly, the CryptoAPI gets stuck waiting on the timeout. Bit9 Agent waits for the CryptoAPI's result to return.
CRL check timeouts always cause a "performance impact" to the Bit9 Agent, but the impact may not necessarily be noticeable or continuous. In typical operation the delay might only occur on one or a few files, would happen relatively infrequently per computer or user, and would often be short-circuited by other approval mechanisms. However, continuous, high-volume scanning of files, could potentially make the impact visible.
1) disable CRL checking on the affected host
2) allow the host to access the Internet
3) create a proxy for these requests via the internal PKI infrastructure
The last 2 items if chosen must also be fast performing.
Information on how to disable CRL checking on Microsoft Windows is available through Microsoft's knowledgebase. Refer to your PKI infrastructure vendor for information on how to create a proxy architecture.