Issue:
When an F-Secure endpoint product is installed on a computer or server, there is high CPU usage and applications are experiencing performance issues. The connectivity of some applications can also be slow or blocked completely.
Issue affects all F-Secure clients:
- Elements Endpoint Protection for Computers (Computer Protection)
- Elements Endpoint Protection for Servers (Server Protection)
- Business Suite Client Security
- Business Suite Server Security
- Business Suite Email and Server Security
Resolution:
Performance issues can be the result of connectivity issues to the Security Cloud or misconfigured Application Control.
Connectivity issues to the F-Secure Security Cloud:
By default the product checks the files using the F-Secure Security Cloud. If the connectivity to the Security Cloud is blocked, it may cause degraded performance on the device, since the product will be unable to check the whitelisted files from the cloud and DeepGuard will start to aggressively monitor applications.
You can read more about the purpose, function and benefits of F-Secure Security Cloud from here.
If you have Security Cloud enabled, make sure that the product is able to access the following domain ranges:
- *.f-secure.com
- *.fsapi.com
If you need a more precise list of addresses, you can view all the required addresses with the F-Secure Connectivity Tool, which is available in the installation folders of Computer Protection, Server Protection, Client Security and Server Security. With the tool you can view the list of addresses and check you connection to them.
Note: For Client Security the tool is available in 15.20 and later versions, and for Server Security 15.10 and later.
The tool is located in the following folder:
- Client Security: C:\Program Files (x86)\F-Secure\Client Security\ui\fsconnectionchecker.exe
- Server Security: C:\Program Files (x86)\F-Secure\Server Security\ui\fsconnectionchecker.exe
- Computer Protection and Server Protection: C:\Program Files (x86)\F-Secure\PSB\ui\fsconnectionchecker.exe
For older Client Security and Server Security release, you can download the tool from here:
https://download.f-secure.com/support/tools/fsconnectionchecker/ConnectionChecker-1.0.37.exe
If the host system has in general no internet connectivity, we suggest to disable the F-Secure Security Cloud client:
- Open the Policy Manager Console
- Select the policy domain or host
- Settings > Windows > Real-time scanning > Use Security Cloud [disable]
- Distribute the policy
In case HTTP proxy is needed to reach Internet, you can configure the HTTP proxy for the Automatic Update Agent, via the following setting in the Policy Manager Console:
- Settings (Advanced) > F-Secure Automatic Update Agent > Settings > Communications > HTTP settings > Use HTTP proxy
- Settings (Advanced) > F-Secure Automatic Update Agent > Settings > Communications > HTTP settings > User defined proxy settings > address
Below you can find listed a few log examples of errors related to connectivity issues to the Security Cloud:
DeepGuard.log
.W: SecurityCloud::Query: ORSP failed for 0dac68816ae7c09efc24d11c27c3274dfd147dee (0, 0)
.W: SecurityCloud::Query: Too many successive ORSP failures. Further failure logs will be suppressed
.W: SecurityCloud::Query: ORSP query took 3016ms
orspplug.log
.W: fs::rs::WinSocket::Impl::waitForConnection: Wait failed: 258
.W: fs::rs::WinSocket::Impl::connect: Conection timeout: doorman.sc.fsapi.com
CcfPluginState.log
.W: Filter2::ContentFilter2State::ReplyDriverMessage: Failed to reply message 2222
transportAgent.log (Email and Server Security only)
.W: FSecure.AntiVirus.Exchange.Transport.FSMessageScanner: Can't get a response from FSSCORE. The following URLs will not be scanned
fsscorplug.log
.W: fs::xrssdk::HttpClient::UpdateQueriesState: failure on handle 0000022A27886290 7 Failed to connect to doorman.sc.fsapi.com port 443: Connection refused
.W: fs::xrssdk::HTTPQueryTask::get_callback::<lambda>: http http task 0000022A2767C200 complete, curlerr 7, http_status 0, httpver 888, size 0
.W: fs::xrssdk::HTTPQueryTask::complete_query: curl error 7 for http task 0000022A2767C200
.W: fs::QueryDoorman: Cannot connect to doorman.sc.fsapi.com
.W: fs::xrssdk::HttpClient::UpdateQueriesState: failure on handle 000001BB7BC90070 7 Failed to connect to a.karma.sc2.fsapi.com port 443: Timed out
.W: fs::xrssdk::HTTPQueryTask::get_callback::<lambda>: http http task 000001BB78526E70 complete, curlerr 7, http_status 0, httpver 888, size 0
.W: fs::xrssdk::HTTPQueryTask::complete_query: curl error 7 for http task 000001BB78526E70
Misconfigured Application Control
If you have a premium subscription of Business Suite or Elements Endpoint Protection, it will include the Application Control feature.
If the product is using high amounts of CPU performance, make sure you have not set the Application Control Global rule as Allow and monitor all applications. This setting should be used only during testing to find out which applications need exclusion rules, since it will affect the performance of devices.
Also make sure that you have not created Application control exclusion rules which only include a SHA1 as a condition, since the calculation of the SHA1 will require some CPU performance. We recommend to use other conditions in conjunction with the SHA1 condition.
Article no: 000030468