F-Secure Ultralight Core update causes server to get dead slow. Again.

Kjell

After the update of F-Secure Ultralight Core (64-bit) 2023-11-08_01 today one of our web servers became dead slow under load. The exactly same issue was handled a few months ago here:

https://status.withsecure.com/incidents/7ljdw6xkzckd

We once again had to uninstall WithSecure Server Security to get the performance level back to normal.

Sethu Laks

Hi @Kjell

Thank you for reaching out the WithSecure Community,

We apologize for the inconvenience you are experiencing with our Ultralight engine. We have not received similar reports from other customers since the release of F-Secure Ultralight Core (64-bit) 2023-11-08_01. In order to determine the cause of the issue, please follow the steps below and let me know if it improves the performance situation:

1. Rename the following components:
   1. C:\Program Files (x86)\F-Secure\PSB\Ultralight\ulcore\169XXXXX\fsamsi32.dll to old_fsamsi32.dll
   2. C:\Program Files (x86)\F-Secure\PSB\Ultralight\ulcore\169XXXXXX\fsamsi64.dll to old_fsamsi64.dll
2. Reboot your machine (please note that since processes in the system have the AMSI loaded, they cannot be unloaded).
3. Attempt to reproduce the issue/observer the performance issue.

Lastly, could you try disabling each feature one-by-one and let me know if it alleviates the issue? Please disable the following features and observe the impact on performance:

• DeepGuard
• Real-time Scanning
• Security Cloud
• Firewall
• Browsing Protection
• Web Content Control
• Web Traffic Scanning
• Application Control
• DataGuard
• Device Control
• Software Updater

Please provide feedback on the impact of disabling each feature. This information will assist us in further troubleshooting the issue.

Thank you for your cooperation and patience. We are committed to resolving this issue for you.

Best regards,
Sethu
Community Moderator | Technical Support Engineer
WithSecure™ https://www.withsecure.com/en/home

Kjell

Hi Sethu and thanks for your reply.

This is how the directory looks like. Should I make the change in the newer subdirectory?

Sethu Laks

Hi @Kjell

Apologies for any confusion caused. It seems that I provided the incorrect location path for Elements EPP previously. As you are using server security, the path you shared in the picture is indeed correct. As suggested earlier, please rename the two files located in the specified folder and reboot the machine to see if that solve the issue.

C:\Program Files (x86)\F-Secure\Server Security\Ultralight\ulcore\1699443382

Best regards,
Sethu
Community Moderator | Technical Support Engineer
WithSecure™  https://www.withsecure.com/en/home

Kjell

Thanks Sethu

I'm sorry to say that renaming the files in the ulcore directory didn't solve the problem. Under load the problem reappeared.

Since this is a production server it isn't really possible to disable parts of Server Security and then wait for problems to appear. It will disturb our production way too much.
I would still like to get your view on what was done in Ultralight in the previous update a few months ago that was then rolled back roughly a week later. Has this same (for us at least) braking change been reintroduced?

Best regards,
Kjell

Sethu Laks

Hi @Kjell

Thank you for attempting the provided steps. We recommend generating the wsdiag(formerly fsdiag) logs and reaching out to WithSecure Support. By doing so, we can escalate the issue to our dedicated R&D team for further investigation. Please contact the support team, and they will assist you in this matter.

Best regards,
Sethu
Community Moderator | Technical Support Engineer
WithSecure™ https://www.withsecure.com/en/home