Performance issues caused by F-Secure endpoint products - F-Secure Community
<main> <article class="userContent"> <h3 data-version="18" data-article="000030468" data-id="issue">Issue:</h3> <p>When an F-Secure endpoint product is installed on a computer or server, CPU usage is high and applications experience performance issues. The connectivity of some applications can also be slow or blocked completely. <br><br>The issue affects all F-Secure clients:<br></p><ul><li>Elements Endpoint Protection EPP for Computers </li><li>Elements Endpoint Protection EPP for Servers </li><li>Business Suite Client Security</li><li>Business Suite Server Security </li><li>Business Suite Email and Server Security</li></ul><h3 data-id="resolution">Resolution:</h3> <p>Performance issues can be the result of connectivity issues to the Security Cloud or of a misconfigured Application Control.<br><br><b>What is Security Cloud?</b><br>When Security Cloud is enabled on F-Secure endpoint products, they connect to the F-Secure backend to check reputation and other objects. F-Secure endpoint products receive database updates that can detect malware without a connection to the cloud, but checking reputation requires a cloud connection. 
There is a local cache, but it is populated from the cloud, where the whitelisting of false positives is done.</p> Disabling Security Cloud is not recommended, as many features depend on it, such as: <ul><li>DeepGuard with cloud connection:</li></ul> Unsigned processes reported as trusted by ORSP will be excluded from deep monitoring by DeepGuard <ul><li>DeepGuard with no cloud connection:</li></ul> Big performance losses in operations of third-party applications<br> Unsigned files will not be excluded <ul><li>Application control with cloud connection:</li></ul> Rules depending on prevalence rating and reputation will work correctly <ul><li>Application control with no cloud connection:</li></ul> Unsigned files reported as trusted by ORSP will be excluded from scanning by local engines<br>Rules depending on prevalence and reputation will not work<br>Feature is partially not operational <ul><li>File scanning with cloud connection:</li></ul> Unsigned files reported as trusted by ORSP will be excluded from scanning by local engine <ul><li>File scanning with no cloud connection:</li></ul> Unsigned files will not be excluded<br>Some performance losses on file access <ul><li>Browsing protection with cloud connection:</li></ul> Works without restrictions <ul><li>Browsing protection with no cloud connection:</li></ul> Will not work at all as features fully depend on Security Cloud<br>Feature is partially not operational <ul><li>Web Traffic Scanning with cloud connection:</li></ul> For URLs reported as trusted and prevalent by ORSP, content returned by the server will be scanning <ul><li>Web Traffic Scanning with no cloud connection:</li></ul> WTS will scan all responses of all intercepted URLs, causing big performance issues<br>Big performance issues on web browsing<br><br><b>How does F-Secure Security Cloud work?</b><br>The Security Cloud collects information about unknown applications and websites, malicious applications and malicious 
activities that exploit the information of users of websites. When you subscribe to Security Cloud, we collect important information so that we can provide you with the security services you subscribe to and enhance the security of our other services. For this reason, and for the operation of our services, we need to collect security information about unknown files, suspicious device activity or visited URLs.<br><br>Security Cloud does not monitor your Internet usage and does not collect information about websites that have already been analyzed or about unsafe applications installed on your computer.<br><br><b>How do I troubleshoot connectivity issues related to Security Cloud?</b><br>When you enable Security Cloud, you also need to whitelist the following domains on your firewall, as the endpoints need to communicate with Security Cloud. <ul><li>*.f-secure.com</li><li>*.fsapi.com</li></ul><b>Note: </b>The domains mentioned above need to be whitelisted on your firewall or proxy. If you have enabled a proxy in your environment, the client reads it via the discovery service and tries to connect to *.fsapi.com through it. 
<br><br>The client writes that information to the registry: <br><br><i>[HKEY_LOCAL_MACHINE\SOFTWARE\F-Secure\Ultralight\Settings\proxy] <br>"value"=(REG_SZ):http://proxy.example.intern:3128<br>"access"=(REG_DWORD):1</i><br><br>When network queries fail to connect to the F-Secure back end, fsscorplug.log shows the client trying to connect to one of our backend servers and failing, for example:<br><br><i>2021-11-12 17:40:30.152 [15c0.1d1c] .W: CurlQuery::completeWithStatus: failure on handle 0000023C45E27C50 5 Could not resolve proxy: proxy.example.intern<br>2021-11-12 17:40:30.152 [15c0.1d1c] .W: fs::xrssdk::HTTPQueryTask::update_http_stats: http error 111 (5) for http task 0000023C45E9AC20, time 4 ms<br>2021-11-12 17:40:30.152 [15c0.1d1c] .W: ipc_impl::on_async_complete_ex: winrpc call completed err 111<br>2021-11-12 17:40:31.751 [15c0.1d1c] I: fs::xrssdk::DoormanCache::update: doorman cooldown is off, ttl: 15, fserr: 0<br>2021-11-12 17:43:02.424 [15c0.1d1c] .W: CurlQuery::completeWithStatus: failure on handle 0000023C468C1D90 28 Operation timed out after 1006 milliseconds with 0 bytes received<br>2021-11-12 17:43:02.424 [15c0.1d1c] .W: fs::xrssdk::HTTPQueryTask::update_http_stats: http error 201 (28) for http task 0000023C45E76790, time 1006 ms<br>2021-11-12 17:43:02.424 [15c0.1d1c] .W: ipc_impl::on_async_complete_ex: winrpc call completed err 201<br>2021-11-12 17:48:02.964 [15c0.1fe8] I: ipc_impl::stopRpcServer: MSRPC Server stopped</i><br><br>The log can contain fserr 101 or 218, which are actual network failures. <br><br>The log also shows some results from the cache: queries are stored in the cache for 2 hours, so if you have just allowed our domains in the firewall, the client will still use cached queries for another 2 hours. Clearing the cache gives faster results when testing the connectivity. 
You can clean the cache directly from the client as follows: <ol><li>Open a Command Prompt with administrator privileges</li><li>Stop the network hoster: <b>net stop fsulnethoster</b></li><li>Remove all files from "C:\Windows\ServiceProfiles\NetworkService\AppData\Local\F-Secure\fsscor"</li><li>Start the network hoster: <b>net start fsulnethoster</b></li></ol> If you have allowed *.f-secure.com and *.fsapi.com in your firewall, you can test the connection in two ways: <ul><li>Open the following URLs in a browser; they should respond with ok</li></ul><a href="https://baseguard.doorman.fsapi.com/doorman/v1/healthcheck" rel="nofollow">https://baseguard.doorman.fsapi.com/doorman/v1/healthcheck</a><br><a href="https://doorman.sc.fsapi.com/doorman/v1/healthcheck" rel="nofollow">https://doorman.sc.fsapi.com/doorman/v1/healthcheck</a><br><a href="https://a.karma.sc2.fsapi.com/healthcheck" rel="nofollow">https://a.karma.sc2.fsapi.com/healthcheck</a> <ul><li>Use the F-Secure Connectivity Tool, which is available in the installation folders of Elements Endpoint Protection (EPP for Computers and EPP for Servers), Business Client Security and Business Suite Server Security. With the tool you can view the list of addresses the product connects to and check the connectivity towards them.</li></ul><b>Note:</b> For Client Security the tool is available in 15.20 and later versions, and for Server Security in 15.10 and later. 
<br><br>The tool is located in the following folder: <ul><li>Client Security: C:\Program Files (x86)\F-Secure\Client Security\ui\fsconnectionchecker.exe</li><li>Server Security: C:\Program Files (x86)\F-Secure\Server Security\ui\fsconnectionchecker.exe</li><li>Elements EPP for Computers and EPP for Servers: C:\Program Files (x86)\F-Secure\PSB\ui\fsconnectionchecker.exe</li></ul><p> For older Client Security and Server Security releases, you can download the tool from here: <a rel="nofollow" href="https://download.sp.f-secure.com/connectivitytool/ConnectionChecker.exe">https://download.sp.f-secure.com/connectivitytool/ConnectionChecker.exe</a><br><br>Which logs should be checked in case of such behaviour?<br><br><b>fsscorplug.log</b><br>.W: fs::rs::WinSocket::Impl::waitForConnection: Wait failed: 258<br>.W: fs::rs::WinSocket::Impl::connect: Conection timeout: doorman.sc.fsapi.com<br><br><b>CcfPluginState.log</b><br>.W: Filter2::ContentFilter2State::ReplyDriverMessage: Failed to reply message 2222<br><br><b>orspplug.log</b><br>.W: fs::rs::WinSocket::Impl::waitForConnection: Wait failed: 258<br>.W: fs::rs::WinSocket::Impl::connect: Conection timeout: doorman.sc.fsapi.com<br><br><b>DeepGuard.log</b><br>.W: SecurityCloud::Query: ORSP failed for 0dac68816ae7c09efc24d11c27c3274dfd147dee (0, 0)<br>.W: SecurityCloud::Query: Too many successive ORSP failures. Further failure logs will be suppressed<br>.W: SecurityCloud::Query: ORSP query took 3016ms<br><br><b>transportAgent.log (Email and Server Security only)</b><br>.W: FSecure.Ess.Fsscore.Client: FSSCORE query for URL('http://schemas.microsoft.com/office/2004/12/xxxx') Failed, error=Timeout <br>.W: FSecure.AntiVirus.Exchange.Transport.FSMessageScanner: Can't get a response from FSSCORE. 
The following URLs will not be scanned </p> <div><br><u>Misconfigured Application Control</u><br><br>If you have a premium subscription of Business Suite or Elements Endpoint Protection, it includes the Application Control feature. <br><br>If the product is using a high amount of CPU, make sure you have not set the Application <b>Control Global</b> rule to <b>Allow and monitor all applications</b>. This setting should be used only during testing to find out which applications need exclusion rules, since it affects the performance of devices.<br><br>Also make sure that you have not created Application Control exclusion rules that include only a SHA1 as a condition, since calculating the SHA1 requires some CPU performance. We recommend using other conditions in conjunction with the SHA1 condition. </div> <p>Article no: 000030468</p> </article> </main>
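<p>The log signatures listed in the Security Cloud troubleshooting section (the fsscorplug.log excerpt and the per-log warnings) can be triaged over collected logs with a short script. This is an added example, not F-Secure's code: the function name <code>triage</code>, the labels for the libcurl codes and the 1000 ms slow-query threshold are assumptions, and the sample lines are copied from the excerpts in this article.</p>

```python
import re
from collections import Counter

# libcurl result codes seen in CurlQuery::completeWithStatus warnings.
CURL_CAUSE = {5: "proxy name does not resolve", 6: "host name does not resolve",
              7: "could not connect", 28: "timeout"}
NETWORK_FSERR = {101, 218}  # fserr values the article calls actual network failures

CURL_RE = re.compile(r"CurlQuery::completeWithStatus: failure on handle \S+ (\d+) (.*)")
HTTP_RE = re.compile(r"update_http_stats: http error (\d+) \(")
SOCK_RE = re.compile(r"WinSocket::Impl::connect: Conection timeout: (\S+)")  # spelling as logged
SLOW_RE = re.compile(r"SecurityCloud::Query: ORSP query took (\d+)ms")

# Sample lines copied from the log excerpts in the article.
SAMPLE = """\
2021-11-12 17:40:30.152 [15c0.1d1c] .W: CurlQuery::completeWithStatus: failure on handle 0000023C45E27C50 5 Could not resolve proxy: proxy.example.intern
2021-11-12 17:40:30.152 [15c0.1d1c] .W: fs::xrssdk::HTTPQueryTask::update_http_stats: http error 111 (5) for http task 0000023C45E9AC20, time 4 ms
2021-11-12 17:40:31.751 [15c0.1d1c] I: fs::xrssdk::DoormanCache::update: doorman cooldown is off, ttl: 15, fserr: 0
2021-11-12 17:43:02.424 [15c0.1d1c] .W: CurlQuery::completeWithStatus: failure on handle 0000023C468C1D90 28 Operation timed out after 1006 milliseconds with 0 bytes received
.W: fs::rs::WinSocket::Impl::connect: Conection timeout: doorman.sc.fsapi.com
.W: SecurityCloud::Query: ORSP query took 3016ms
""".splitlines()


def triage(lines, slow_ms=1000):  # slow_ms is an assumed threshold, not a product value
    """Summarise Security Cloud connectivity warnings found in product log lines."""
    causes, fserrs, names, slow = Counter(), Counter(), set(), []
    for line in lines:
        if ".W:" not in line:  # the failures are logged at warning level
            continue
        if m := CURL_RE.search(line):
            code = int(m.group(1))
            causes[CURL_CAUSE.get(code, f"curl error {code}")] += 1
            if n := re.search(r"resolve (?:proxy|host): (\S+)", m.group(2)):
                names.add(n.group(1))  # proxy or host name that failed DNS
        elif m := HTTP_RE.search(line):
            fserrs[int(m.group(1))] += 1
        elif m := SOCK_RE.search(line):
            causes["timeout"] += 1
            names.add(m.group(1))
        elif (m := SLOW_RE.search(line)) and int(m.group(1)) >= slow_ms:
            slow.append(int(m.group(1)))
    return {"causes": dict(causes), "fserr": dict(fserrs),
            "network_failure": bool(causes or NETWORK_FSERR.intersection(fserrs)),
            "failing_names": sorted(names), "slow_orsp_ms": slow}


if __name__ == "__main__":
    print(triage(SAMPLE))
```

<p>A result that still shows failures shortly after the firewall or proxy was corrected may reflect the 2-hour query cache described above, so clear the cache before re-collecting the logs.</p>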