Linux Security real-time protection causes performance issue

Linux Security real-time protection causes performance issue - F-Secure Community

Further analysis is needed to pin-point the problematic file and/or process that is causing the performance issue. By setting fsoasd (real-time inspection process) log to debug mode, it is possible to record all accesses that perform real-time virus and integrity checking. Follow the steps below:

We recommend deleting the existing fsoasd.log file so a fresh log file is created for easier analysis. Execute the following command:
```
# /etc/init.d/fsma stop # rm /var/opt/f-secure/fsav/fsoasd.log # /etc/init.d/fsma start
```

Set the fsoasd log to debug mode:

# /opt/f-secure/fsma/bin/chtest s 45.1.100.11 9

You may now reproduce the problem, or simply wait 10-30 minutes to gather enough debug information.
Reset the fsoasd log output back to normal mode:
```
# /opt/f-secure/fsma/bin/chtest s 45.1.100.11 6
```
Review the log file which is output to /var/opt/f-secure/fsav/fsoasd.log.

Understanding the logs

You can check the file access status by checking lines containing the string BOTTOMHALF.

1198657751 | DEBUG | 0xb7f23bb0 | fsoasd / tophalf.c: 0240 | BOTTOMHALF req: event = 0x4, flags (not set) = 0x0, file = / bin / sleep, process = / bin / tcsh pid = 28360

The numbers on the left indicates the epoch time (January 1, 1970). The items after BOTTOMHALF are as follows:

[event]

0x0: OPEN (Open file)
0x2: CLOSE (Close the file)
0x10: CLOSE (Close the file after change)
0x4: EXEC (Execute the file)
0x80: Load module

[flags] open Flags argument

[file] Name of the file to access

[process] Name of the process that performed the file operation

[pid] Process identification number of the process that performed the filed operation

Performance improvement tips

Based on your debug log, you can identify ways to improve system performance.

If there are many files in the same directory being accessed, there is a possibility that performance may be improved by excluding the corresponding folder from real-time protection.
If many processes access the same process, there is a possibility that performance may be improved by registering the corresponding process in [whitelisted executable file] in real-time protection scan setting.