Linux Security real-time protection causes performance issue - F-Secure Community
<main> <article class="userContent">
<p><strong>Linux Security real-time protection causes performance issue</strong></p>
<p>Further analysis is needed to pinpoint the file and/or process that is causing the performance issue. By setting the fsoasd (real-time inspection process) log to debug mode, you can record every access that triggers real-time virus and integrity checking. Follow the steps below:</p>
<ol>
<li>We recommend deleting the existing fsoasd.log file so that a fresh log file is created for easier analysis. Execute the following commands:
<pre class="code codeBlock" spellcheck="false"># /etc/init.d/fsma stop
# rm /var/opt/f-secure/fsav/fsoasd.log
# /etc/init.d/fsma start</pre>
</li>
<li>Set the fsoasd log to debug mode:
<pre class="code codeBlock" spellcheck="false"># /opt/f-secure/fsma/bin/chtest s 45.1.100.11 9</pre>
</li>
<li>You may now reproduce the problem, or simply wait 10-30 minutes to gather enough debug information.</li>
<li>Reset the fsoasd log output back to normal mode:
<pre class="code codeBlock" spellcheck="false"># /opt/f-secure/fsma/bin/chtest s 45.1.100.11 6</pre>
</li>
<li>Review the log file, which is written to <code class="code codeInline" spellcheck="false">/var/opt/f-secure/fsav/fsoasd.log</code>.</li>
</ol>
<p><strong>Understanding the logs</strong></p>
<p>You can check the file access status by looking at the lines that contain the string <code class="code codeInline" spellcheck="false">BOTTOMHALF</code>.</p>
<pre class="code codeBlock" spellcheck="false">1198657751 | DEBUG | 0xb7f23bb0 | fsoasd/tophalf.c:0240 | BOTTOMHALF req: event = 0x4, flags (not set) = 0x0, file = /bin/sleep, process = /bin/tcsh pid = 28360</pre>
<p>The number on the left is the Unix epoch time (seconds since January 1, 1970). The items after <code class="code codeInline" spellcheck="false">BOTTOMHALF</code> are as follows:</p>
<p><code class="code codeInline" spellcheck="false">[event]</code></p>
<div>
<ul>
<li><code class="code codeInline" spellcheck="false">0x0</code>: OPEN (open the file)</li>
<li><code class="code codeInline" spellcheck="false">0x2</code>: CLOSE (close the file)</li>
<li><code class="code codeInline" spellcheck="false">0x10</code>: CLOSE (close the file after a change)</li>
<li><code class="code codeInline" spellcheck="false">0x4</code>: EXEC (execute the file)</li>
<li><code class="code codeInline" spellcheck="false">0x80</code>: Load module</li>
</ul>
</div>
<p><code class="code codeInline" spellcheck="false">[flags]</code> Flags argument of the open call</p>
<p><code class="code codeInline" spellcheck="false">[file]</code> Name of the file being accessed</p>
<p><code class="code codeInline" spellcheck="false">[process]</code> Name of the process that performed the file operation</p>
<p><code class="code codeInline" spellcheck="false">[pid]</code> Process identification number of the process that performed the file operation</p>
<p><strong>Performance improvement tips</strong></p>
<p>Based on your debug log, you can identify ways to improve system performance.</p>
<div>
<ul>
<li>If many files in the same directory are being accessed, performance may be improved by excluding the corresponding folder from real-time protection.</li>
<li>If many of the accesses come from the same process, performance may be improved by registering that process under [whitelisted executable file] in the real-time protection scan settings.</li>
</ul>
</div>
</article> </main>
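To turn a large fsoasd.log into the two answers the tips above ask for (which directory and which process generate most of the scanned accesses), the following added Python script parses the BOTTOMHALF lines and counts them per directory and per process. It is not part of the F-Secure product or this article; the log format is assumed from the sample line above, and the embedded log lines are constructed for the demonstration.

```python
import re
from collections import Counter
from pathlib import PurePosixPath

# Event codes as documented for the BOTTOMHALF lines.
EVENT_NAMES = {0x0: "OPEN", 0x2: "CLOSE", 0x10: "CLOSE_MODIFIED",
               0x4: "EXEC", 0x80: "LOAD_MODULE"}

# Field layout assumed from the sample line in the article; "flags (not set) = 0x0"
# and "flags = 0x..." are both accepted.
BOTTOMHALF_RE = re.compile(
    r"^(?P<ts>\d+)\s*\|.*?\|\s*BOTTOMHALF req: event = (?P<event>0x[0-9a-fA-F]+),"
    r" flags[^=]*= (?P<flags>0x[0-9a-fA-F]+), file = (?P<file>.+?),"
    r" process = (?P<proc>.+?) pid = (?P<pid>\d+)\s*$"
)

# Constructed sample log (not real fsoasd output): one exec plus a process
# repeatedly touching files in a single cache directory.
SAMPLE_LOG = """\
1198657751 | DEBUG | 0xb7f23bb0 | fsoasd/tophalf.c:0240 | BOTTOMHALF req: event = 0x4, flags (not set) = 0x0, file = /bin/sleep, process = /bin/tcsh pid = 28360
1198657752 | DEBUG | 0xb7f23bb0 | fsoasd/tophalf.c:0240 | BOTTOMHALF req: event = 0x0, flags = 0x8000, file = /var/lib/app/cache/a.dat, process = /usr/bin/appd pid = 1001
1198657752 | DEBUG | 0xb7f23bb0 | fsoasd/tophalf.c:0200 | TOPHALF request received
1198657753 | DEBUG | 0xb7f23bb0 | fsoasd/tophalf.c:0240 | BOTTOMHALF req: event = 0x2, flags (not set) = 0x0, file = /var/lib/app/cache/a.dat, process = /usr/bin/appd pid = 1001
1198657754 | DEBUG | 0xb7f23bb0 | fsoasd/tophalf.c:0240 | BOTTOMHALF req: event = 0x0, flags = 0x8000, file = /var/lib/app/cache/b.dat, process = /usr/bin/appd pid = 1001
"""


def parse_bottomhalf(line):
    """Return the fields of one BOTTOMHALF line, or None for any other log line."""
    m = BOTTOMHALF_RE.match(line)
    if not m:
        return None
    return {"ts": int(m["ts"]),
            "event": EVENT_NAMES.get(int(m["event"], 16), m["event"]),
            "flags": int(m["flags"], 16), "file": m["file"],
            "process": m["proc"], "pid": int(m["pid"])}


def summarize(lines):
    """Count scanned accesses per parent directory and per accessing process."""
    by_dir, by_proc = Counter(), Counter()
    for rec in filter(None, map(parse_bottomhalf, lines)):
        by_dir[str(PurePosixPath(rec["file"]).parent)] += 1
        by_proc[rec["process"]] += 1
    return by_dir, by_proc


if __name__ == "__main__":
    dirs, procs = summarize(SAMPLE_LOG.splitlines())  # replace with open(path)
    print("hot directories:", dirs.most_common(5))
    print("hot processes:  ", procs.most_common(5))
```

Run it against the real file with `open("/var/opt/f-secure/fsav/fsoasd.log")` in place of the sample; the top directory is the exclusion candidate and the top process the whitelisting candidate.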