XFENCEDaemon using a lot of CPU (MacOS Mojave)
Today I checked Activity Monitor to see why my computer – MacBook Pro running MacOS Mojave 10.14.6 with F-Secure SAFE 17.8 – was suddenly getting hotter. The CPU usage of XFENCEDaemon is constantly between 40-60 %, taking the 1st position on the process list, while all other processes are mostly under 2 % (only browser is open). Rebooting the machine makes no difference.
What's going on? Is there any way to make XFence use less CPU?
Accepted Answers
-
Hello!
Could you please run the "Support Tool" app that is shipped with SAFE and collect diagnostics so that we could take a closer look at the issue? It's located in the Applications folder alongside the SAFE app. You can submit the diagnostics file with a support request to F-Secure Support team (https://www.f-secure.com/en/home/support/contact). Thanks in advance!
Best regards, Arthur
SAFE Mac R&D Team
-
Hello, @SmallHollow!
Thanks for sharing the diagnostics with our support. I finally got a hold of it and was able to take a look at the situation with XFENCEDaemon.
Indeed, I can see that XFENCEDaemon is pretty active on your Mac. Just a little clarification on what XFENCEDaemon is and what it does.
XFENCE is an extra layer of protection on top of the primary anti-virus functionality that SAFE provides. It can detect access to your files and documents made by rare/unknown applications and prevent it. In the current SAFE release, it does not actually block any "suspicious" activity but only collects diagnostics so that it can make more reliable decisions in the future. It looks like mongodb executables are not well known to XFENCE and that is why it collects as much data as it can about all accesses that the mongodb instance makes on your system.
What we can try to do to fix this is to create a custom rule for XFENCE to instruct it to ignore mongodb activity and hopefully make its CPU usage much lower. For that please follow the steps below:
1) open Terminal app
2) type in the command below to open the file that contains custom rules for XFENCE (it will prompt for your admin password)
sudo nano "/Users/Shared/F-Secure XFENCE/local.xfence.rc"
3) add the entire line below to the first line of that file. You can just copy the line below with Command+C key combination and paste it to that file with Command+V key combination.
allow prefix "" "/usr/local/Cellar/mongodb-community/4.2.8/bin/mongod" rwcx "" "0dbd339de14d0947837f5e904a7dde3f48c4e4932a0e44bb5ec0731e0254daf5" "0"
4) Press the Control+O key combination and the "Enter" key to confirm changes to the file, and then the Control+X key combination to exit from the file editing mode.
5) Reboot your Mac to apply these changes.
Please let me know if the situation of high CPU usage by XFENCEDaemon continues when you use mongodb after reboot. Thanks.
Best regards,
Arthur
Answers
-
-
For comparison: compiling a simple Clojure "uberjar" with F-Secure SAFE with real-time scanning and DeepGuard enabled took me 345 seconds. After uninstalling F-Secure SAFE, the same compilation took 17 seconds.
Ignoring the fact I have a powerful laptop, the difference is x20 in time. I didn't see any difference after disabling real-time scanning in the system preferences F-Secure plugin, nor did I manage to create a ruleset in the DeepGuard configuration interface to get the same speedup (in fact, I had no speedup whatever I put in the DeepGuard rule set).
-
Hello, @daos!
Please note that after adding a rule to the DeepGuard Configuration app, you need to close it or press Command+R to apply the rule changes to the DeepGuard service (XFENCEDaemon). The rules will be applied when the configuration app is closed too. Could you please share if the issue with slowdown goes away after applying rule changes? Thanks.
Best regards, Arthur
SAFE Mac R&D Team
-
Yes, I did that (picked reload from menu), but there was no change in used time. My best guess is that I didn't manage to set the correct exclusion rules, but I tried basically any wide combination of all processes, all parents and all paths.
As I'm probably misconfiguring DeepGuard, can you please point me to appropriate documentation on this interface?
-
Yes. It seems that the created rule does not cover the file access that DeepGuard is intercepting. The DeepGuard feature is not deployed to production in its full potential yet. As in, the service itself is operational, its main goal is to collect diagnostics to make proper decisions in the future. But its UI and Configuration interface are still in development, thus there is no official documentation on user-facing controls.
We would need SAFE diagnostics from that machine to properly investigate this on our side. Please run the Support Tool app shipped with SAFE and share the resulting archive with SAFE diagnostics with our support at https://www.f-secure.com/en/home/support/contact. Thanks.
Best regards, Arthur