Quantcast
Channel: Shavlik User Community : Document List - All Communities
Viewing all articles
Browse latest Browse all 1352

Active Protection Scanning Files Listed In Policy Exceptions And Addressing AP Performance Issues

$
0
0

Purpose

 

This document is intended to provide information about the expected behavior for active protection concerning files or folders listed in the exceptions list within an agent policy, and how to address possible performance issues with active protection.

 

Symptoms

 

You see that STThreat.exe is using memory or processor in Task Manager, and you notice that files listed within the exceptions list of your agent policy are being scanned by the Shavlik Protect Agent active protection.

 

Cause

 

This is working as designed. Whenever a file meets the active protection requirements to be checked (based on 'File access' settings in the agent policy > Threat > Active Protection), it must determine if further analysis needs to take place. STThreat.exe will always run when the File access requirement is met on the system.

 

Images for reference:

 

Capture1.JPG

     Example of a file exception set up in the agent policy for "test.exe".

Capture.JPG

     Example of Active Protection File access settings within the agent policy.

 

So even though the files are excluded based on policy settings, the active protection process still needs to run something to determine if further action needs to take place. If the files are excluded, no further action beyond a preliminary check by active protect will take place.

 

Note: A Threat Scan (Set up via Threat Tasks tab of agent policy) will not scan exceptions at all.

 

Resolution

 

If you feel that this is for some reason causing a performance hit on your machine(s), you can modify the active protection settings so that files are only seen by active protection when executed, rather than on access. This will reduce the number of files active protection will scan and provide an increase in performance.

 

Capture2.JPG

     Example of setting active protection to 'On execute' access.

 

Before making this change you should consider the level of active protection that you want vs. how much performance hit is actually taking place. Refer to the following information from the Shavlik Protect Help documentation:

 

File Access Levels

  • On access, all file types (lower performance): Active Protection will perform a scan whenever a file is touched (executed, moved, copied, loaded, etc.) on the agent machine. If the file is infected the user will be alerted before the infected file has a chance to do damage to the computer. This option applies to preset files, including EXE, INI, HLP, BAT, and others. While this provides the most complete form of protection, the trade-off is it may slow the agent machine's performance. To counteract this, enable the Limit AP scanning option.
  • Limit AP scanning to only high risk file types (higher performance): You can improve the performance of Active Protection by scanning only those file types that present the highest risk. This is a good compromise solution for those companies seeking a fairly high level of security while maintaining a reasonable level of performance. The list of high risk file types includes the following:

        

ade

cpl

ex!

inf

mde

pdf

shb

vxd

adp

crt

ex#

ini

msc

pif

shs

wmv

asf

dll

ex$

ins

msg

png

swf

wsc

bas

doc

exv

isp

msi

pps

sys

wsf

bat

dot

hlp

js

msp

ppt

url

wsh

chm

eml

hta

jse

nt

reg

vb

xls

cmd

exe

htm

lnk

ocx

scr

vbe

xlt

com

ex_

html

mdb

pcd

sct

vbs

 

  • On execute: Active Protection will perform a scan only when a file is executed or a .dll file is loaded.

 

 

Additional Information

 

Shavlik Protect Help: Configuring Active Protection

 

Affected Product(s)

 

Shavlik Protect 9.x


Viewing all articles
Browse latest Browse all 1352

Trending Articles