AV and 100% CPU

We turned on AV and the CPUs went to 100%. Some digging…

  1. AV only scans files on HTTP and SMTP. Curious… what happened to FTP, NTFS, SMB, CIFS, etc.?
  2. AV looks for viruses in HTTP on all ports by default. That inspection takes the flows out of SecureXL and into the medium path, where every packet is unwrapped by the firewall worker processes instead of being forwarded by the fast-path interrupt handlers.
  3. We then tried to write exceptions and whitelists to filter out some of the crap. No luck, they are broken.
  4. We were getting random reports of PDFs getting corrupted. Not possible, we are in detect mode. Unfortunately someone came up with a tcpdump proving the firewalls in AV detect mode are corrupting traffic. Back to the drawing board……

I'm a die-hard CP fan because of their management and logging, but when stuff like this hits my desk I just shake my head.

Comments

  • Bob Mog  On May 5, 2015 at 10:47 pm

    1. Some of these were never available, some are still available in legacy AV (non-cloud based and slower). CIFS is apparently coming back to cloud AV (was told to check when R77.30 comes out)

    2. You should configure your threat prevention policy with specific exclusions for traffic you don't want to scan. Create a new rule in the TP rulebase at the top, create a new profile with no AV or AB or TE, set source and destination IPs and ports you don't want to scan. Rule exclusions still take the performance hit but the above apparently does not.

    3. That sucks, but set up a specific exclusion as per the above; you can even include the specific AV protection that's causing the corruption in the rule for that particular traffic flow.

    • Dreezman  On May 6, 2015 at 5:25 am

      Thanks Bob. We had several diamond/developers/SEs engineers verify our setup and no one can get exclusions working. We’ll give this a try.

  • Bob Mog  On May 6, 2015 at 8:04 pm

    From Best Practices – Security Gateway Performance (Solution ID: sk98348)

    Exclude networks:

    Consider excluding networks, whose traffic does not have to be inspected – follow sk92515 (How to configure Anti-Virus Exceptions).
    Note: Standard exceptions are still being inspected (i.e., CPU is consumed), however the traffic will be allowed. The exceptions per sk92515 are completely excluded from the Anti-Virus & Anti-Bot engine inspection (i.e., decrease the load on CPU).

    sk92515 says basically the same as what I recommended; however, it does say:

    “Make sure to set only Anti-Virus protection to inactive and not Anti-Bot, as well.”

    I am not sure why the above statement is included. If I want to exclude some traffic from AV I probably also want to exclude it from AB. I'm aware AV and AB scanning are usually different directions (dependent on how your profiles are set up) but I have back-to-back virtual systems so I use these sorts of rules to ensure traffic only gets scanned once.

    I haven't been able to test these exclusions, but if you can confirm it works let me know (especially re the AB item).

  • Bob Mog  On May 7, 2015 at 6:15 pm

    I just tested the above and it works. A rule at the top of the rulebase with a profile that does not include any AV or AB does exclude the traffic from scanning.
    Not sure why the Diamond guys didn't know this, as it's in the doc (the SK I provided you).

    • Dreezman  On May 7, 2015 at 7:14 pm

      Something is wrong. I just spoke with the product lead at CPX and confirmed it is broken. It only kicks in if it detects a malicious file, not before.

  • Dreezman  On May 11, 2015 at 11:32 am

    Just got back from CPX and my guys told me CP confirmed exclusions are broken and a fix is in the queue sooner rather than later. Unknown impact on performance.

    AV is still corrupting traffic in detect mode. Stay tuned.

  • Bob Mog  On May 18, 2015 at 12:05 am

    Good to know, but it does seem to work as it should in R76SP.10 latest jumbo. What version are you seeing this issue in?

    • Dreezman  On May 18, 2015 at 9:42 am

      R75.46. I'm not working the problem here, but I keep telling them you have the magic juju. If anything changes I'll update. Thanks for your info. Start a blog!!!

  • Dreezman  On May 19, 2015 at 11:40 am

    CP says they have a patch for us that will fix exclusions.

  • Dreezman  On May 19, 2015 at 11:41 am

    R75.46 only scans HTTP and SMTP. There is supposed to be a patch that adds FTP and CIFS.

  • Bob Mog  On June 11, 2015 at 7:26 pm

    Did you ever see a patch for either of these issues (adding FTP and CIFS, or fixing the issue with exclusions)? There was no mention of FTP and CIFS scanning in the R77.30 release notes, as I was under the impression there would be.

    • Dreezman  On June 13, 2015 at 4:32 am

      We were supposed to get a patch last week, but I'm off for the summer so not sure of the status. Might want to contact support. Email me and I can forward. michael dot endrizzi at gmail

blog.lachmann.org

Michael Endrizzi's - St. Paul MN - CheckPoint blog on topics related to Check Point products and security in general.