Linux Security real-time protection causes performance issue
Further analysis is needed to pin-point the problematic file and/or process that is causing the performance issue. By setting fsoasd (real-time inspection process) log to debug mode, it is possible to record all accesses that perform real-time virus and integrity checking. Follow the steps below:
Understanding the logs
- We recommend deleting the existing fsoasd.log file so a fresh log file is created for easier analysis. Execute the following command:
# /etc/init.d/fsma stop # rm /var/opt/f-secure/fsav/fsoasd.log # /etc/init.d/fsma start
- Set the fsoasd log to debug mode:
# /opt/f-secure/fsma/bin/chtest s 126.96.36.199 9
- You may now reproduce the problem, or simply wait 10-30 minutes to gather enough debug information.
- Reset the fsoasd log output back to normal mode:
# /opt/f-secure/fsma/bin/chtest s 188.8.131.52 6
- Review the log file which is output to
You can check the file access status by checking lines containing the string
1198657751 | DEBUG | 0xb7f23bb0 | fsoasd / tophalf.c: 0240 | BOTTOMHALF req: event = 0x4, flags (not set) = 0x0, file = / bin / sleep, process = / bin / tcsh pid = 28360
The numbers on the left indicates the epoch time (January 1, 1970). The items after
BOTTOMHALF are as follows:
0x0: OPEN (Open file)
0x2: CLOSE (Close the file)
0x10: CLOSE (Close the file after change)
0x4: EXEC (Execute the file)
0x80: Load module
[flags] open Flags argument
[file] Name of the file to access
[process] Name of the process that performed the file operation
[pid] Process identification number of the process that performed the filed operation
Performance improvement tips
Based on your debug log, you can identify ways to improve system performance.
- If there are many files in the same directory being accessed, there is a possibility that performance may be improved by excluding the corresponding folder from real-time protection.
- If many processes access the same process, there is a possibility that performance may be improved by registering the corresponding process in [whitelisted executable file] in real-time protection scan setting.