Linux Security real-time protection causes performance issue

Khairul_A Posts: 272 F-Secure Employee

Further analysis is needed to pinpoint the file and/or process that is causing the performance issue. Setting the fsoasd (real-time inspection process) log to debug mode records every access that triggers real-time virus and integrity checking. Follow the steps below:

  1. We recommend deleting the existing fsoasd.log file so that a fresh log file is created for easier analysis. Execute the following commands:
    # /etc/init.d/fsma stop
    # rm /var/opt/f-secure/fsav/fsoasd.log
    # /etc/init.d/fsma start
  2. Set the fsoasd log to debug mode:
    # /opt/f-secure/fsma/bin/chtest s 9
  3. You may now reproduce the problem, or simply wait 10-30 minutes to gather enough debug information.
  4. Reset the fsoasd log output back to normal mode:
    # /opt/f-secure/fsma/bin/chtest s 6
  5. Review the log file, which is written to /var/opt/f-secure/fsav/fsoasd.log.

Understanding the logs

You can check the file access status by checking lines containing the string BOTTOMHALF.

1198657751 | DEBUG | 0xb7f23bb0 | fsoasd/tophalf.c:0240 | BOTTOMHALF req: event = 0x4, flags (not set) = 0x0, file = /bin/sleep, process = /bin/tcsh pid = 28360

The number on the left is the epoch time (seconds since January 1, 1970). The items after BOTTOMHALF are as follows:

[event] Type of file operation:

  • 0x0: OPEN (Open file)
  • 0x2: CLOSE (Close the file)
  • 0x10: CLOSE (Close the file after change)
  • 0x4: EXEC (Execute the file)
  • 0x80: Load module

[flags] Flags argument passed to open

[file] Name of the file to access

[process] Name of the process that performed the file operation

[pid] Process identification number of the process that performed the file operation

Performance improvement tips

Based on your debug log, you can identify ways to improve system performance.

  • If many of the accessed files are in the same directory, performance may improve if you exclude that folder from real-time protection.
  • If many of the accesses come from the same process, performance may improve if you register that process under [whitelisted executable file] in the real-time protection scan settings.
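
To find those directories and processes in a large debug log, the BOTTOMHALF lines can be tallied with a short script. The following is an added example, not F-Secure tooling: it assumes the line layout of the single sample line shown above, and the function names and sample lines are constructed for illustration.

```python
import re
from collections import Counter
from datetime import datetime, timezone
from os.path import dirname

# Event codes exactly as listed on this page.
EVENTS = {0x0: "OPEN", 0x2: "CLOSE", 0x10: "CLOSE_AFTER_CHANGE",
          0x4: "EXEC", 0x80: "LOAD_MODULE"}

# Layout assumed from the one sample line on this page; whitespace around
# '=' is optional so minor formatting differences still parse.
LINE_RE = re.compile(
    r"^(?P<ts>\d+)\s*\|.*\bBOTTOMHALF req:\s*event\s*=\s*(?P<event>0x[0-9a-fA-F]+),"
    r".*?\bfile\s*=\s*(?P<file>.+?),\s*process\s*=\s*(?P<process>.+?)"
    r"\s+pid\s*=\s*(?P<pid>\d+)\s*$")

def parse_line(line):
    """Return a dict for a BOTTOMHALF line, or None for any other line."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    code = int(m["event"], 16)
    return {"time": datetime.fromtimestamp(int(m["ts"]), tz=timezone.utc),
            "event": EVENTS.get(code, hex(code)),  # unknown codes stay as hex
            "file": m["file"], "process": m["process"], "pid": int(m["pid"])}

def summarize(lines, top=5):
    """Count accesses per directory and per process, busiest first."""
    by_dir, by_process = Counter(), Counter()
    for rec in filter(None, map(parse_line, lines)):
        by_dir[dirname(rec["file"])] += 1
        by_process[rec["process"]] += 1
    return by_dir.most_common(top), by_process.most_common(top)

# Constructed sample input; the first line mirrors the example on this page.
HEAD = " | DEBUG | 0xb7f23bb0 | fsoasd/tophalf.c:0240 | BOTTOMHALF req: "
SAMPLE = [
    "1198657751" + HEAD + "event = 0x4, flags (not set) = 0x0, file = /bin/sleep, process = /bin/tcsh pid = 28360",
    "1198657752" + HEAD + "event = 0x0, flags (not set) = 0x0, file = /var/spool/app/a.dat, process = /usr/bin/backup pid = 28400",
    "1198657752" + HEAD + "event = 0x2, flags (not set) = 0x0, file = /var/spool/app/a.dat, process = /usr/bin/backup pid = 28400",
    "1198657753" + HEAD + "event = 0x0, flags (not set) = 0x0, file = /var/spool/app/b.dat, process = /usr/bin/backup pid = 28400",
    "a line without a file access record",
]

if __name__ == "__main__":
    dirs, procs = summarize(SAMPLE)
    print("Busiest directories:", dirs)
    print("Busiest processes:  ", procs)
```

To run it against a real capture, pass the lines of /var/opt/f-secure/fsav/fsoasd.log to summarize() instead of SAMPLE.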