Determining the task that consumes resources
To determine which application tasks are consuming system resources, it is necessary to distinguish the resource consumption of File Threat Protection tasks (OAS type) and On-demand Scan tasks (ODS and ContainerScan types).
If the application is managed by a Kaspersky Security Center policy, you must allow local task management for the period of the study.
File Threat Protection task operation analysis
To analyze the operation of the File Threat Protection task:
- Stop all scan and monitoring tasks.
- Make sure that the on-demand scan tasks will not run during the scan or have no schedule. You can do this using Kaspersky Security Center or locally, as follows:
- Get the list of all application tasks by executing the following command:
kess-control --get-task-list
- Get the schedule settings for the Malware Scan task by executing the following command:
kess-control --get-schedule <task ID>
If the command output is RuleType=Manual, the task can only be started manually.
- Get the schedule settings for all your Malware Scan and Custom Scan tasks, if any, and set them to start manually by executing the following command:
kess-control --set-schedule <task ID> RuleType=Manual
- Enable generation of application trace files with a high level of details by executing the following command:
kess-control --set-app-settings TraceLevel=Detailed
- Start the File Threat Protection task if it has not been started by executing the following command:
kess-control --start-task 1
- Load the system in the mode that caused the performance problems; a few hours is enough.
While under load, the application writes a lot of information to the trace files; however, only 5 files of 500 MB are stored by default, so older information is overwritten. If the problems with performance and resource consumption stop occurring, they are most likely caused by on-demand scan tasks, and you can proceed to analyzing the operation of ContainerScan and ODS scan tasks.
- Disable creation of the application trace files by executing the following command:
kess-control --set-app-settings TraceLevel=None
- Determine the list of objects that have been scanned the most times by running the following command:
fgrep 'AVP ENTER' /var/log/kaspersky/kess/kess.* | awk '{print $8}' | sort | uniq -c | sort -k1 -n -r | less
The result is loaded into less, a text viewer utility, where the objects that have been scanned the most times are displayed first.
- Determine whether the objects that have been scanned the most times are dangerous. In case of any difficulties, contact Technical Support.
For example, directories and log files can be considered safe if a trusted process writes to them; database files can also be considered safe.
- Write down the paths to the objects that you consider safe; the paths will be required to configure exclusions from the scan scope.
- If various services frequently write data to files in the system, such files are scanned again in the pending queue. Determine the list of paths that have been scanned the most times in the pending queue by running the following command:
fgrep 'SYSCALL' /var/log/kaspersky/kess/kess.* | fgrep 'KLIF_ACTION_CLOSE_MODIFY' | awk '{print $9}' | sort | uniq -c | sort -k1 -n -r
The files that were scanned the most times will appear at the beginning of the list.
- If the counter for a file exceeds several thousand in a few hours, check whether you can trust this file in order to exclude it from scans.
The logic for determining this is the same as for the previous study (see step 8): log files can be considered safe, since they cannot be launched.
- Even if some files are excluded from scans by the Real-time protection task, they can still be intercepted by the application. If excluding certain files from Real-time protection does not result in a significant performance increase, you can completely exclude the mount point where these files are located from the interception scope of the application. To do so, do the following:
- Run the following command to get the list of files intercepted by the application:
grep 'FACACHE.*needs' /var/log/kaspersky/kess/kess.* | awk '{print $9}' | sort | uniq -c | sort -k1 -n -r
- Using this list, determine the paths used for most of the file operation interceptions and configure interception exceptions.
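The three tally commands above share one shape (filter, take a field, count), so the following added example, which is not part of the Kaspersky documentation, wraps them in one function with a count threshold and adds a check to run before a path is written down for exclusion. The names `top_scanned`, `review_flag` and `demo`, the threshold argument, the permission heuristic and the sample trace lines are assumptions made for illustration; only the field positions come from the commands above.

```shell
#!/bin/sh
# Added example (not vendor code): threshold-filtered tally plus a
# pre-exclusion check for the paths it reports.

# top_scanned PATTERN FIELD THRESHOLD FILE...
# Same pipeline shape as the commands above: keep lines containing PATTERN,
# count the value in whitespace-separated FIELD, and print "COUNT PATH" for
# values seen at least THRESHOLD times, highest count first.
top_scanned() {
    pattern=$1 field=$2 threshold=$3
    shift 3
    grep -h -F -e "$pattern" "$@" |
        awk -v f="$field" -v t="$threshold" '
            NF >= f { n[$f]++ }
            END { for (p in n) if (n[p] >= t) print n[p], p }' |
        sort -k1,1nr -k2,2
}

# review_flag PATH
# Assumed heuristic based on the page's criteria ("cannot be launched",
# "a trusted process writes to them"): a regular file with an execute bit
# or a path writable by every user needs review before it is excluded.
review_flag() {
    [ -e "$1" ] || { echo missing; return; }
    mode=$(ls -ldL -- "$1" | cut -c1-10)
    case $mode in
        -*[xst]*)   echo executable ;;
        ????????w?) echo world-writable ;;
        *)          echo ok ;;
    esac
}

# Constructed sample lines: only the position of the path (field 8) mirrors
# the page's awk '{print $8}'; the other columns are placeholders.
demo() {
    trace=$(mktemp)
    for i in 1 2 3; do
        echo "c1 c2 c3 c4 c5 AVP ENTER /var/log/app/app.log" >> "$trace"
    done
    echo "c1 c2 c3 c4 c5 AVP ENTER /usr/local/bin/tool" >> "$trace"
    top_scanned 'AVP ENTER' 8 2 "$trace" | while read -r count path; do
        echo "$count $path $(review_flag "$path")"
    done
    rm -f "$trace"
}
demo
```

On a real host the call would look like `top_scanned 'KLIF_ACTION_CLOSE_MODIFY' 9 1000 /var/log/kaspersky/kess/kess.*`. A path that contains spaces is cut at the first space by the field split, exactly as in the original commands, so check such entries against the trace file itself.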
On-demand Scan tasks operation analysis
Tasks of the ODS and ContainerScan types can also cause significant resource consumption. Follow these recommendations for the tasks of ODS type:
- Make sure that several on-demand scan tasks are not running at the same time. The application allows for operation in this mode, but resource consumption can significantly increase. Check the schedule of all tasks of the ODS and ContainerScan types locally (as described for the File Threat Protection task) or using Kaspersky Security Center.
- Run the scan when the server load is at its minimum.
- Make sure that there are no mounted remote resources (SMB/NFS) at the specified scan path. If a remote resource scan task cannot be performed directly on the server that provides the resource, do not perform the resource scan on servers with critical services, as execution of this task can take a long time (depending on the connection speed and the number of files).
- Optimize the settings of the on-demand scan task before start.