
High network/disk usage with uberAgent 6.0

Hi uberAgent team,

I have a small POC environment with uberAgent on Citrix VDI (using Provisioning Services). Everything worked just fine on uberAgent 5.3.1.

When I moved to uberAgent 6.0 (a brand new OS deployment, no traces of previous uberAgent versions) I got a problem regarding high disk/network usage:

1) A user logs on as usual. The uberAgent service is running.

2) A user launches some application - Outlook, Chrome etc.

3) In a few seconds the System process (PID 4) begins to utilize disk and network up to 10-15 Mbytes/s.

4) The disk queue increases to 3-5, disk latency - to 2000 ms.

5) After stopping UberAgentSvc all the values go back to normal in a few seconds as well.

Perhaps the source of the System process's strange behaviour is the filter drivers - uberAgentNetMon.sys and uberAgentDrv.sys. I have noticed in Procexp that uberAgentDrv.sys has about 10000-15000 Context Switches. Not sure whether this is OK or not.

3 comments

  • Timm Brochhaus (Official comment)

    Hi Evgeny, 

    It seems that your observation is related to a known issue in uberAgent version 6.0. The agent can collect file hashes as part of the new product uberAgent ESA in the current version.
    Unfortunately, this hash calculation feature is enabled by default, resulting in a potentially higher CPU load. A fix will be part of uberAgent 6.1.

    In the meantime, could you please try the following by modifying the uberAgent configuration?

    Enable uberAgent ESA

    [ProductComponents]
    EnableESA = true

    Disable the hash calculation

    [ProcessStartupSettings]
    EnableCalculateHash = false

    After applying these changes, you have to restart the uberAgent service. The system load should be much lower then. Please feel free to share your findings with us.

    This issue is also listed as known in the changelog and release notes.

  • Evgeny Rzhavin

    Hi Timm,

    Thank you for the quick answer.

    I have tried disabling the hash calculation. It seems this modified setting solves the problem!

    Is there any way to disable it via GPO (ADMX or some registry keys)? Or can I create a small configuration file (just two settings) and use "Additional configuration file"?

  • Timm Brochhaus

    Hi Evgeny, 

    That's good news. As mentioned, a fix is part of the next upcoming uberAgent version. 

    And yes, you could apply the workaround via Group Policy. You will find more information here. The settings are located in Computer Configuration > Policies > Administrative Templates > uberAgent > ESA:

    Enable Endpoint Security Analytics = Enabled
    PE hashing: enable = Disabled