Performance issues caused by WithSecure endpoint products - F-Secure Community
<main> <article class="userContent"> <h3 data-version="23" data-article="000030468" data-id="issue">Issue:</h3> <p>When a WithSecure endpoint product is installed on a computer or server, CPU usage is high and applications experience performance issues. The connectivity of some applications can also be slow or blocked completely. <br><br>The issue affects all WithSecure clients:<br></p><ul><li>Elements Endpoint Protection EPP for Computers </li><li>Elements Endpoint Protection EPP for Servers </li><li>Business Suite Client Security</li><li>Business Suite Server Security </li><li>Business Suite Email and Server Security</li></ul><h3 data-id="resolution">Resolution:</h3> <p>Performance issues can, for example, be the result of:</p> <ul><li>Connectivity issues to the Security Cloud</li><li>Misconfigured Application Control</li><li>Server Share protection</li></ul><p><br><b><u>Connectivity issues to the Security Cloud</u><br><br>What is Security Cloud?</b><br>When Security Cloud is enabled on WithSecure endpoint products, they connect to the WithSecure backend to check reputation and other objects. WithSecure endpoint products have database updates that can detect malware without a connection to the cloud, but checking reputation requires a cloud connection. 
There is a local cache, but it is populated from the cloud, where the whitelisting of false positives is done.</p> Disabling Security Cloud is not recommended, as many features depend on it, for example: <ul><li>DeepGuard with cloud connection:</li></ul> Unsigned processes reported as trusted by ORSP will be excluded from deep monitoring by DeepGuard <ul><li>DeepGuard with no cloud connection:</li></ul> Big performance losses in operations of 3rd party applications<br> Unsigned files will not be excluded <ul><li>Application control with cloud connection:</li></ul> Rules depending on prevalence rating and reputation will be working fine <ul><li>Application control with no cloud connection:</li></ul> Unsigned files reported as trusted by ORSP will be excluded from scanning by local engines<br>Rules depending on prevalence and reputation will not work<br>Feature is partially not operational <ul><li>File scanning with cloud connection:</li></ul> Unsigned files reported as trusted by ORSP will be excluded from scanning by local engine <ul><li>File scanning with no cloud connection:</li></ul> Unsigned files will not be excluded<br>Some performance losses on file access <ul><li>Browsing protection with cloud connection:</li></ul> Works without restrictions <ul><li>Browsing protection with no cloud connection:</li></ul> Will not work at all as features fully depend on Security Cloud<br>Feature is partially not operational <ul><li>Web Traffic Scanning with cloud connection:</li></ul> For URLs reported as trusted and prevalent by ORSP, content returned by the server will be scanned <ul><li>Web Traffic Scanning with no cloud connection:</li></ul> WTS will scan all responses of all URLs intercepted, causing big performance issues<br>Big performance issues on web browsing<br><br><b>How does WithSecure Security Cloud work?</b><br>The Security Cloud collects information about unknown applications and websites, malicious applications and 
malicious activities that exploit the information of users of websites. When you subscribe to Security Cloud, we collect important information so that we can provide you with the security services you subscribe to and enhance the security of our other services. For this reason, and for the operation of our services, we need to collect security information about unknown files, suspicious device activity or visited URLs.<br><br>Security Cloud does not monitor your Internet usage and does not collect information about websites that have already been analyzed or about unsafe applications installed on your computer.<br><br><b>How do I troubleshoot connectivity issues related to Security Cloud?</b><br>When you enable Security Cloud, you also need to whitelist the following domains on your firewall, as the endpoints need to communicate with Security Cloud. <ul><li>*.f-secure.com</li><li>*.fsapi.com</li></ul><b>Note: </b>The domains mentioned above need to be whitelisted on your firewall or proxy. If you have enabled a proxy in your environment, the client reads it via the discovery service and tries to connect to *.fsapi.com through it. 
<br><br>The client writes that information to the registry: <br><br><i>[HKEY_LOCAL_MACHINE\SOFTWARE\F-Secure\Ultralight\Settings\proxy] <br>"value"=(REG_SZ):<a href="http://proxy.example.intern:3128" rel="nofollow">http://proxy.example.intern:3128</a><br>"access"=(REG_DWORD):1</i><br><br>When network queries fail to connect to the WithSecure back end, fsscorplug.log shows the client trying to connect to one of our backend servers and failing:<br><br><i>2021-11-12 17:40:30.152 [15c0.1d1c] .W: CurlQuery::completeWithStatus: failure on handle 0000023C45E27C50 5 Could not resolve proxy: proxy.example.intern<br>2021-11-12 17:40:30.152 [15c0.1d1c] .W: fs::xrssdk::HTTPQueryTask::update_http_stats: http error 111 (5) for http task 0000023C45E9AC20, time 4 ms<br>2021-11-12 17:40:30.152 [15c0.1d1c] .W: ipc_impl::on_async_complete_ex: winrpc call completed err 111<br>2021-11-12 17:40:31.751 [15c0.1d1c] I: fs::xrssdk::DoormanCache::update: doorman cooldown is off, ttl: 15, fserr: 0<br>2021-11-12 17:43:02.424 [15c0.1d1c] .W: CurlQuery::completeWithStatus: failure on handle 0000023C468C1D90 28 Operation timed out after 1006 milliseconds with 0 bytes received<br>2021-11-12 17:43:02.424 [15c0.1d1c] .W: fs::xrssdk::HTTPQueryTask::update_http_stats: http error 201 (28) for http task 0000023C45E76790, time 1006 ms<br>2021-11-12 17:43:02.424 [15c0.1d1c] .W: ipc_impl::on_async_complete_ex: winrpc call completed err 201<br>2021-11-12 17:48:02.964 [15c0.1fe8] I: ipc_impl::stopRpcServer: MSRPC Server stopped</i><br><br>The log can contain fserr 101 or 218, which are actual network failures. <br><br>The log also shows some results from the cache. Queries are stored in the cache for 2 hours, so if you have just allowed our domains in the firewall, the client will still use cached queries for another 2 hours. Cleaning the cache gives faster results when testing connectivity. 
You can clean the cache directly on the client as follows: <ol><li>Open a Command prompt with administrator privileges</li><li>Stop the network hoster: <b>net stop fsulnethoster</b></li><li>Remove all files from "C:\Windows\ServiceProfiles\NetworkService\AppData\Local\F-Secure\fsscor"</li><li>Start the network hoster: <b>net start fsulnethoster</b></li></ol> If the issue remains, clear the Doorman cache too: <ol><li>Open a Command prompt as an administrator</li><li>Stop the services by running the commands: <ul><li>net stop fsulhoster</li><li>net stop fsulnethoster</li></ul></li><li>Open the Windows Registry editor (regedit), then back up and clear the values under <ul><li>HKEY_USERS\S-1-5-20\SOFTWARE\F-Secure\Ultralight\<b>Doorman</b></li></ul></li><li>Remove all files from "C:\Windows\ServiceProfiles\NetworkService\AppData\Local\F-Secure\fsscor"</li><li>Start the services by running the commands: <ul><li>net start fsulhoster</li><li>net start fsulnethoster</li></ul></li></ol> If you have allowed *.f-secure.com and *.fsapi.com in your firewall, you can test the connection in two ways: <ul><li>Open the following URLs in a browser; they should respond with ok</li></ul><a href="https://baseguard.doorman.fsapi.com/doorman/v1/healthcheck" rel="nofollow">https://baseguard.doorman.fsapi.com/doorman/v1/healthcheck</a><br><a href="https://doorman.sc.fsapi.com/doorman/v1/healthcheck" rel="nofollow">https://doorman.sc.fsapi.com/doorman/v1/healthcheck</a><br><a href="https://a.karma.sc2.fsapi.com/healthcheck" rel="nofollow">https://a.karma.sc2.fsapi.com/healthcheck</a> <ul><li>Use the WithSecure Connectivity Tool, which is available in the installation folders of Elements Endpoint Protection (EPP for Computers and EPP for Servers), Business Client Security and Business Suite Server Security. 
With the tool you can view the list of addresses the product connects to and check the connectivity towards them.</li></ul><b>Note:</b> For Client Security the tool is available in 15.20 and later versions, and for Server Security in 15.10 and later. <br><br>The tool is located in the following folder: <ul><li>Client Security: C:\Program Files (x86)\F-Secure\Client Security\ui\fsconnectionchecker.exe</li><li>Server Security: C:\Program Files (x86)\F-Secure\Server Security\ui\fsconnectionchecker.exe</li><li>Elements EPP for Computers and EPP for Servers: C:\Program Files (x86)\F-Secure\PSB\ui\fsconnectionchecker.exe</li></ul><p> For older Client Security and Server Security releases, you can download the tool from here: <a rel="nofollow" href="https://download.sp.f-secure.com/connectivitytool/ConnectionChecker.exe">https://download.sp.f-secure.com/connectivitytool/ConnectionChecker.exe</a><br><br>Which logs should be checked in case of such behaviour?<br><br><b>fsscorplug.log</b><br>.W: fs::rs::WinSocket::Impl::waitForConnection: Wait failed: 258<br>.W: fs::rs::WinSocket::Impl::connect: Conection timeout: doorman.sc.fsapi.com<br><br><b>CcfPluginState.log</b><br>.W: Filter2::ContentFilter2State::ReplyDriverMessage: Failed to reply message 2222<br><br><b>orspplug.log</b><br>.W: fs::rs::WinSocket::Impl::waitForConnection: Wait failed: 258<br>.W: fs::rs::WinSocket::Impl::connect: Conection timeout: doorman.sc.fsapi.com<br><br><b>DeepGuard.log</b><br>.W: SecurityCloud::Query: ORSP failed for 0dac68816ae7c09efc24d11c27c3274dfd147dee (0, 0)<br>.W: SecurityCloud::Query: Too many successive ORSP failures. 
Further failure logs will be suppressed<br>.W: SecurityCloud::Query: ORSP query took 3016ms<br><br><b>transportAgent.log (Email and Server Security only)</b><br>.W: FSecure.Ess.Fsscore.Client: FSSCORE query for URL('http://schemas.microsoft.com/office/2004/12/xxxx') Failed, error=Timeout <br>.W: FSecure.AntiVirus.Exchange.Transport.FSMessageScanner: Can't get a response from FSSCORE. The following URLs will not be scanned </p> <div><br><strong><u>Misconfigured Application Control</u></strong><br><br>If you have a premium subscription of Business Suite or Elements Endpoint Protection, it will include the Application Control feature. <br><br>If the product is using a high amount of CPU, make sure you have not set the Application Control <b>Global rule</b> to <b>Allow and monitor all applications</b>. This setting should be used only during testing to find out which applications need exclusion rules, since it will affect the performance of devices.<br><br>Also make sure that you have not created Application Control exclusion rules that include only a SHA1 as a condition, since calculating the SHA1 requires some CPU time. We recommend using other conditions in conjunction with the SHA1 condition. <br><br><u><strong>Server Share Protection</strong></u><br><br>Elements Endpoint Protection for Servers has a <strong>Server Share Protection </strong>feature. 
If you have enabled it on your Elements EPP for Servers installation, try disabling <strong>Allow and report mode </strong>for it:</div> <ol><li>Log in to the Elements Endpoint Protection portal</li><li>Go to the <strong>Profiles </strong>page</li><li>Go to the <strong>For Windows Servers </strong>tab</li><li>Select the profile you want to edit</li><li>Go to the <strong>Server Share Protection </strong>settings page</li><li>Disable <strong>Allow and report mode</strong></li><li>Click <strong>Save and publish</strong></li></ol> Restart the server after disabling the feature and see if the CPU usage has decreased. If not, try turning the <strong>Server Share Protection </strong>feature off completely. <p>Article no: 000030468</p> </article> </main>
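<p>The fsscorplug.log excerpt in the Security Cloud section can be triaged mechanically. The following is an added example, not WithSecure code: it parses lines copied from that excerpt and groups the failed queries by libcurl result code. The function name <code>triage</code>, the hint wording, and the reading of "http error N (C)" as product error N with libcurl code C are assumptions of this example.</p>

```python
import re
from collections import Counter

# Lines copied from the fsscorplug.log excerpt in the article above.
SAMPLE_LOG = """\
2021-11-12 17:40:30.152 [15c0.1d1c] .W: CurlQuery::completeWithStatus: failure on handle 0000023C45E27C50 5 Could not resolve proxy: proxy.example.intern
2021-11-12 17:40:30.152 [15c0.1d1c] .W: fs::xrssdk::HTTPQueryTask::update_http_stats: http error 111 (5) for http task 0000023C45E9AC20, time 4 ms
2021-11-12 17:40:31.751 [15c0.1d1c] I: fs::xrssdk::DoormanCache::update: doorman cooldown is off, ttl: 15, fserr: 0
2021-11-12 17:43:02.424 [15c0.1d1c] .W: CurlQuery::completeWithStatus: failure on handle 0000023C468C1D90 28 Operation timed out after 1006 milliseconds with 0 bytes received
2021-11-12 17:43:02.424 [15c0.1d1c] .W: fs::xrssdk::HTTPQueryTask::update_http_stats: http error 201 (28) for http task 0000023C45E76790, time 1006 ms
"""

# timestamp, [process.thread], level (".W" or "I"), message
LINE = re.compile(r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d{3}) \[[0-9a-f.]+\] "
                  r"(?P<level>\.?[A-Z]): (?P<msg>.*)$")
CURL_FAIL = re.compile(r"CurlQuery::completeWithStatus: failure on handle \S+ "
                       r"(?P<curl>\d+) (?P<text>.*)")
# Assumption: "http error N (C)" = product error N, libcurl result code C.
HTTP_STAT = re.compile(r"update_http_stats: http error (?P<err>\d+) \((?P<curl>\d+)\)")

# libcurl result codes seen in the excerpt; the hint wording is this example's own.
CURL_HINTS = {
    5: "proxy host name does not resolve; check the proxy value the client stored",
    28: "connection timed out; check firewall/proxy rules for *.fsapi.com",
}

def triage(text):
    """Return (curl_failures, http_errors, hints) for failed Security Cloud queries."""
    curl_failures, http_errors = [], Counter()
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m or m["level"] != ".W":  # failures in the excerpt are logged as .W
            continue
        if (c := CURL_FAIL.search(m["msg"])):
            curl_failures.append((m["ts"], int(c["curl"]), c["text"]))
        elif (h := HTTP_STAT.search(m["msg"])):
            http_errors[(int(h["err"]), int(h["curl"]))] += 1
    codes = sorted({code for _, code, _ in curl_failures})
    hints = [f"curl {c}: {CURL_HINTS.get(c, 'not covered by this example')}" for c in codes]
    return curl_failures, http_errors, hints

if __name__ == "__main__":
    failures, errors, hints = triage(SAMPLE_LOG)
    for ts, code, text in failures:
        print(ts, code, text)
    print(dict(errors))
    print("\n".join(hints))
```

<p>To use it on an endpoint, pass the contents of the real fsscorplug.log to <code>triage</code> instead of the embedded sample.</p>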