Kaspersky Standard | Plus | Premium

How to analyze the performance of the File Threat Protection task

To analyze the operation of the File Threat Protection task:

  1. Stop all scan and monitoring tasks.
  2. Make sure that no on-demand scan task will run during the analysis, or that the tasks have no schedule. To do so:
    1. Get the list of all application tasks by executing the following command:

      kfl-control --get-task-list

    2. Get the schedule settings for the Malware Scan task by executing the following command:

      kfl-control --get-schedule <task ID>

      If the command output is RuleType=Manual, the task can only be started manually.

    3. Get the schedule settings for all your Malware Scan and Custom Scan tasks, if any, and set them to start manually by executing the following command:

      kfl-control --set-schedule <task ID> RuleType=Manual

  3. Enable generation of application trace files with a high level of detail by executing the following command:

    kfl-control --set-app-settings TraceLevel=Detailed

  4. Start the File Threat Protection task, if it is not already running, by executing the following command:

    kfl-control --start-task 1

  5. Load the system in the mode that caused the performance problems; a few hours is enough.

    Under load, the application writes a lot of information to the trace files; however, only five files of 500 MB each are kept by default, so older information is overwritten. If the performance and resource consumption problems stop occurring, they are most likely caused by on-demand scan tasks, and you can proceed to analyze the performance of ODS scan tasks.

  6. Disable creation of the application trace files by executing the following command:

    kfl-control --set-app-settings TraceLevel=None

  7. Determine the list of objects that have been scanned the most times by running the following command:

    fgrep 'AVP ENTER' /var/log/kaspersky/kfl/kfl.* | awk '{print $8}' | sort | uniq -c | sort -k1 -n -r | less

    The result is loaded into less, a text viewer utility, where the objects that have been scanned the most times are displayed first.

  8. Determine whether the objects scanned the most times are dangerous. In case of any difficulties, contact Technical Support.

    For example, directories and log files can be considered safe if a trusted process writes to them; database files can also be considered safe.

  9. Write down the paths to the objects that, in your opinion, are safe; the paths will be required to configure exclusions from the scan scope.
  10. If various services frequently write data to files in the system, such files are scanned again in the pending queue. Determine the list of paths that have been scanned the most times in the pending queue by running the following command:

    fgrep 'SYSCALL' /var/log/kaspersky/kfl/kfl.* | fgrep 'KLIF_ACTION_CLOSE_MODIFY' | awk '{print $9}' | sort | uniq -c | sort -k1 -n -r

    The files that were scanned the most times will appear at the beginning of the list.

  11. If the counter for a file exceeds several thousand in a few hours, check whether you can trust this file in order to exclude it from scan.

    The logic for determining this is the same as in the previous step (see step 8): log files can be considered safe, since they cannot be launched.

  12. Even if some files are excluded from scan by the Real-time protection task, they can still be intercepted by the application. If excluding certain files from Real-time protection does not result in a significant increase in performance, you can completely exclude the mount point where these files are located from the application's interception scope. To do so:
    1. Run the following command to get the list of files intercepted by the application:

      grep 'FACACHE.*needs' /var/log/kaspersky/kfl/kfl.* | awk '{print $9}' | sort | uniq -c | sort -k1 -n -r

    2. Using this list, determine the paths used for most of the file operation interceptions and configure interception exceptions.
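
The following helper is an added example, not part of the Kaspersky documentation: it wraps the trace-file aggregations from steps 7, 10 and 12 and the step 11 threshold check into reusable shell functions and runs them on a constructed sample trace. The sample line layout, the `OTHER_ACTION` token and the `hot_paths` threshold are assumptions; the real kfl trace format may differ, so verify the awk field numbers on a real trace file first.

```shell
#!/bin/sh
# Added example, not part of the Kaspersky documentation: reproduces the
# trace-file aggregations from steps 7, 10 and 12 above with the same
# grep/awk field positions, plus the step 11 threshold filter, on a
# constructed sample trace. The sample line layout is an assumption chosen
# so the path lands where the procedure reads it ($8 for 'AVP ENTER',
# $9 for SYSCALL and FACACHE lines); verify the field numbers against a real
# /var/log/kaspersky/kfl/kfl.* file before trusting the counts.

# $1 = regex selecting trace lines, $2 = awk field holding the path,
# rest = trace files. Prints "<count> <path>", most frequent first.
top_paths() {
    pattern=$1; field=$2; shift 2
    grep -E "$pattern" "$@" \
        | awk -v f="$field" '{print $f}' \
        | sort | uniq -c \
        | sort -k1,1nr -k2 \
        | awk '{print $1, $2}'
}

# Step 7: objects scanned most often by File Threat Protection.
scanned_objects()     { top_paths 'AVP ENTER' 8 "$@"; }
# Step 10: files re-queued after a modifying close.
modified_objects()    { top_paths 'SYSCALL.*KLIF_ACTION_CLOSE_MODIFY' 9 "$@"; }
# Step 12.1: files intercepted by the application.
intercepted_objects() { top_paths 'FACACHE.*needs' 9 "$@"; }

# Step 11: keep only paths whose counter reaches the threshold in $1;
# reads top_paths output from stdin and prints the candidate paths.
hot_paths() {
    awk -v t="$1" '$1 >= t {print $2}'
}

# Constructed sample trace (not real kfl output) standing in for kfl.*.
TRACE=$(mktemp)
trap 'rm -f "$TRACE"' EXIT
cat > "$TRACE" <<'EOF'
2024-05-01 10:00:00.001 1201 1201 INF AVP ENTER /var/log/app/app.log
2024-05-01 10:00:00.002 1201 1201 INF AVP ENTER /var/log/app/app.log
2024-05-01 10:00:00.003 1201 1201 INF AVP ENTER /var/lib/db/data.db
2024-05-01 10:00:00.004 1201 1201 INF AVP ENTER /var/log/app/app.log
2024-05-01 10:00:00.005 1201 1201 INF SYSCALL CLOSE KLIF_ACTION_CLOSE_MODIFY /var/lib/db/data.db
2024-05-01 10:00:00.006 1201 1201 INF SYSCALL CLOSE KLIF_ACTION_CLOSE_MODIFY /var/lib/db/data.db
2024-05-01 10:00:00.007 1201 1201 INF SYSCALL CLOSE OTHER_ACTION /var/log/app/app.log
2024-05-01 10:00:00.008 1201 1201 INF FACACHE check needs /tmp/logs/worker.log
2024-05-01 10:00:00.009 1201 1201 INF FACACHE check needs /tmp/logs/worker.log
EOF

scanned_objects "$TRACE"                 # 3 /var/log/app/app.log, 1 /var/lib/db/data.db
scanned_objects "$TRACE" | hot_paths 2   # only /var/log/app/app.log
```

Point the functions at `/var/log/kaspersky/kfl/kfl.*` instead of `$TRACE` to run them on real traces; paths printed by `hot_paths` are the ones to review in step 8 before adding any exclusion.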

How to optimize the File Threat Protection task

If, after analysis of the File Threat Protection task's operation, you have created a list of directories and files that can be excluded from the scan scope, you need to add them to the exclusions.

Scan exclusions

To exclude the /tmp/logs directory and all subdirectories and files recursively, execute the following command:

kfl-control --set-settings 1 --add-exclusion /tmp/logs

To exclude a specific file or files by mask in the /tmp/logs directory, execute the following command:

kfl-control --set-settings 1 --add-exclusion /tmp/logs/*.log

To exclude all files with the .LOG extension in the /tmp/ directory and subdirectories using a recursive mask, execute the following command:

kfl-control --set-settings 1 --add-exclusion /tmp/**/*.log

Interception exclusions

If you want to exclude files in a certain directory not only from scan, but also from interception, you can exclude the entire mount point.

To exclude an entire mount point:

  1. If the directory is not a mount point, create a mount point from it. For example, to create a mount point from the /tmp directory, execute the following command:

    mount --bind /tmp/ /tmp

  2. To keep the mount point after the server reboot, add the following line to the /etc/fstab file:

    /tmp /tmp none defaults,bind 0 0

  3. Add the /tmp directory to the global exceptions by executing the following command:

    kfl-control --set-app-settings ExcludedMountPoint.item_0000=/tmp

  4. If you want to add several directories, increase the item_0000 counter by one (item_0001, item_0002, and so on).

It is also recommended to exclude mount points of remote resources mounted over an unstable or slow connection.

Changing scan type

By default, the File Threat Protection task scans files both when they are opened and when they are closed. If analysis of the File Threat Protection task's performance shows that too many files are being written, you can make the task scan files only when they are opened by running the following command:

kfl-control --set-settings 1 ScanByAccessType=Open

In this operation mode, changes made to the file after it is opened are not scanned until the next opening of the file.

How to analyze the performance of on-demand scan tasks

Tasks of the ODS type can also cause significant resource consumption. Follow these recommendations for the tasks of ODS type:

  • Make sure that several on-demand scan tasks are not running at the same time. The application allows for operation in this mode, but resource consumption can significantly increase. Check the schedule of all ODS tasks (as described for the File Threat Protection task).
  • Run the scan during the minimum server load.
  • Make sure that there are no mounted remote resources (SMB/NFS) at the specified scan path. If a remote resource scan task cannot be performed directly on the server that provides the resource, do not perform the resource scan on servers with critical services, as execution of this task can take a long time (depending on the connection speed and the number of files).
  • Optimize the settings of the on-demand scan task before start.

How to optimize an on-demand scan task

Scan exclusions

You can configure scan exclusions for on-demand scan (ODS) tasks. You can configure this in the same way as scan exclusions for the File Threat Protection task.

Scan exclusion settings for one scan task do not affect other scan tasks. Exclusions must be configured separately for each scan task.

Setting the memory usage limits when unpacking archives

The on-demand scan task uses RAM to unpack archives when scanning the archives recursively. The application allows adjusting the memory usage while scanning files using the ScanMemoryLimit parameter in the kfl.ini configuration file. The default value is 8192 MB. The minimum value is 2 MB. If the specified value is less than 2 MB, the application uses the minimum value (2 MB). If the specified value is greater than the amount of RAM available in the system, the application uses up to 25% of the RAM. This value cannot be changed.
