Active Protection Scanning Files Listed In Policy Exceptions And Addressing AP Performance Issues

Version 3

Purpose

This document describes the expected behavior of active protection for files or folders listed in the exceptions list of an agent policy, and how to address performance issues that active protection may cause.

Symptoms

You see STThreat.exe consuming memory or CPU in Task Manager, and you notice that files listed in the exceptions list of your agent policy are still being scanned by the Shavlik Protect Agent active protection.

Cause

This is working as designed. Whenever a file meets the active protection requirements to be checked (based on the 'File access' settings in the agent policy under Threat > Active Protection), the active protection process must determine whether further analysis needs to take place. STThreat.exe will always run when the File access requirement is met on the system, regardless of the exceptions list.

Images for reference:

[Image: Capture1.JPG] Example of a file exception set up in the agent policy for "test.exe".

[Image: Capture.JPG] Example of Active Protection File access settings within the agent policy.

So even though the files are excluded by the policy settings, the active protection process still has to run a preliminary check to determine whether further action is required. If a file is excluded, no action beyond that preliminary check by active protection will take place.

Note: A Threat Scan (set up via the Threat Tasks tab of the agent policy) will not scan exceptions at all.

Resolution

If you believe this is causing a performance hit on your machine(s), you can modify the active protection settings so that files are only seen by active protection when executed, rather than on access. This reduces the number of files active protection scans and improves performance.

[Image: Capture2.JPG] Example of setting active protection to 'On execute' access.

Before making this change, weigh the level of active protection you want against how much of a performance hit is actually taking place. Refer to the following information from the Shavlik Protect Help documentation:

File Access Levels

• On access, all file types (lower performance): Active Protection performs a scan whenever a file is touched (executed, moved, copied, loaded, etc.) on the agent machine. If the file is infected, the user is alerted before the infected file has a chance to do damage to the computer. This option applies to a preset set of file types, including EXE, INI, HLP, BAT, and others. While this provides the most complete form of protection, the trade-off is that it may slow the agent machine's performance. To counteract this, enable the Limit AP scanning option.
• Limit AP scanning to only high risk file types (higher performance): You can improve the performance of Active Protection by scanning only those file types that present the highest risk. This is a good compromise for companies seeking a fairly high level of security while maintaining a reasonable level of performance. The list of high risk file types includes the following:

    ade   cpl   ex!   inf   mde   pdf   shb   vxd
    adp   crt   ex#   ini   msc   pif   shs   wmv
    asf   dll   ex$   ins   msg   png   swf   wsc
    bas   doc   exv   isp   msi   pps   sys   wsf
    bat   dot   hlp   js    msp   ppt   url   wsh
    chm   eml   hta   jse   nt    reg   vb    xls
    cmd   exe   htm   lnk   ocx   scr   vbe   xlt
    com   ex_   html  mdb   pcd   sct   vbs

• On execute: Active Protection performs a scan only when a file is executed or a .dll file is loaded.
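The following Python is an added illustration, not Shavlik's code, that models the decision flow this article describes: a file event first has to pass the File access level to reach the preliminary check (STThreat.exe), and only then does the exceptions list decide whether full analysis follows. The exception-matching rule (a bare file name matches that name in any folder, a folder path matches everything beneath it), the event names, and the sample events and exceptions are assumptions constructed for the example; the high-risk extension list is the one from the Help text above.

```python
"""Model of the active protection decision flow described in the KB article.
Constructed illustration only; it is not Shavlik Protect's implementation."""
from enum import Enum
from pathlib import PureWindowsPath


class FileAccessLevel(Enum):
    ON_ACCESS_ALL = "On access, all file types"
    ON_ACCESS_HIGH_RISK = "Limit AP scanning to only high risk file types"
    ON_EXECUTE = "On execute"


# High-risk extensions exactly as listed in the Shavlik Protect Help text.
HIGH_RISK_EXTENSIONS = frozenset("""
ade adp asf bas bat chm cmd com cpl crt dll doc dot eml exe ex! ex# ex$ ex_ exv
hlp hta htm html inf ini ins isp js jse lnk mdb mde msc msg msi msp nt ocx pcd
pdf pif png pps ppt reg scr sct shb shs swf sys url vb vbe vbs vxd wmv wsc wsf
wsh xls xlt
""".split())


def _extension(path: str) -> str:
    """Lower-cased extension without the dot; Windows names are case-insensitive."""
    return PureWindowsPath(path).suffix.lower().lstrip(".")


def is_high_risk(path: str) -> bool:
    return _extension(path) in HIGH_RISK_EXTENSIONS


def matches_exception(path: str, exceptions) -> bool:
    """Assumed matching rule: a bare file name ("test.exe") matches that name in
    any folder; a path with folders matches itself and everything beneath it."""
    p_parts = [s.lower() for s in PureWindowsPath(path).parts]
    for entry in exceptions:
        e_parts = [s.lower() for s in PureWindowsPath(entry).parts]
        if len(e_parts) == 1:
            if p_parts[-1] == e_parts[0]:
                return True
        elif p_parts[: len(e_parts)] == e_parts:
            return True
    return False


def triggers_check(event: str, path: str, level: FileAccessLevel) -> bool:
    """Does this file event reach the preliminary check (STThreat.exe) at all?"""
    if level is FileAccessLevel.ON_EXECUTE:
        # Only executions, plus .dll loads, are seen at this level.
        return event == "execute" or (event == "load" and _extension(path) == "dll")
    if level is FileAccessLevel.ON_ACCESS_HIGH_RISK:
        return is_high_risk(path)
    return True  # ON_ACCESS_ALL: any touch (execute, move, copy, load, ...)


def evaluate(event: str, path: str, level: FileAccessLevel, exceptions):
    """Return (preliminary_check_ran, full_analysis_ran).

    An excepted file still incurs the preliminary check whenever the access
    level is met; the exception only suppresses the full analysis."""
    if not triggers_check(event, path, level):
        return (False, False)
    if matches_exception(path, exceptions):
        return (True, False)
    return (True, True)


def checks_per_level(events, exceptions):
    """Count preliminary checks per level: the work STThreat.exe would do."""
    return {
        level.name: sum(evaluate(ev, p, level, exceptions)[0] for ev, p in events)
        for level in FileAccessLevel
    }


# Constructed sample data: assumed event names and paths, not real telemetry.
EXCEPTIONS = ["test.exe", r"D:\Share"]
SAMPLE_EVENTS = [
    ("execute", r"C:\Tools\test.exe"),              # excepted by file name
    ("copy", r"C:\Users\alice\report.docx"),        # docx is not in the list
    ("open", r"C:\Users\alice\macro.xls"),
    ("load", r"C:\Windows\System32\example.dll"),
    ("move", r"D:\Share\README.txt"),               # excepted by folder
    ("execute", r"C:\Temp\installer.MSI"),          # case-insensitive match
]

if __name__ == "__main__":
    print(evaluate("execute", r"C:\Tools\test.exe", FileAccessLevel.ON_ACCESS_ALL, EXCEPTIONS))
    for name, count in checks_per_level(SAMPLE_EVENTS, EXCEPTIONS).items():
        print(f"{name:20s} preliminary checks: {count}")
```

Running it shows the article's two points side by side: the excepted test.exe still returns a preliminary check with no full analysis, and the same six events cost six preliminary checks on "On access, all file types", four under the high-risk filter, and three on "On execute".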

Additional Information

Shavlik Protect Help: Configuring Active Protection

Affected Product(s)

Shavlik Protect 9.x