Issue:
When an WithSecure endpoint product is installed on a computer or server, there is high CPU or memory (RAM) usage and applications are experiencing performance issues. The connectivity of some applications can also be slow or blocked completely.
Issue affects all WithSecure clients:
- Elements Endpoint Protection EPP for Computers
- Elements Endpoint Protection EPP for Servers
- Business Suite Client Security
- Business Suite Server Security
- Business Suite Email and Server Security
Resolution:
Performance issues can for example be the result of:
- Connectivity issues to the Security Cloud
- Misconfigured Application Control
- Web Traffic scanning
- A scheduled scan is running
Connectivity issues to the Security Cloud
What is Security Cloud?
When Security Cloud is enabled on WithSecure endpoint products, it connects to WithSecure Backend to check reputation and other objects. WithSecure endpoint products have database updates which can detect the malware without connection to cloud, but, to check the reputation we need the cloud connection. There is a local cache, but the reputation is checked first using Security Cloud, since it has the latest information.
When you enable Security Cloud, you need to make sure that the endpoints can communicate to Security Cloud:
- *.withsecure.com
- *.fsapi.com
Note: The domains mentioned above needs to be whitelisted to your firewall or proxy. In case you have enabled some proxy in your environment, the client reads it via discovery service and tries to connect to *.fsapi.com through it.
To test the connectivity, use WithSecure Connectivity Tool, which is available in the installation folders of Elements Endpoint Protection (EPP for Computers and EPP for Servers), Business Client Security and Business Suite Server Security. With the tool you can view the list of addresses the product connects to and check the connectivity towards them.
The tool is located in the following folder:
- Client Security: C:\Program Files (x86)\F-Secure\Client Security\ui\fsconnectionchecker.exe
- Server Security: C:\Program Files (x86)\F-Secure\Server Security\ui\fsconnectionchecker.exe
- Elements EPP for Computers/Elements EPP for Servers: C:\Program Files (x86)\F-Secure\PSB\ui\wsconnectionchecker.exe
Misconfigured Application Control
If you have a premium subscription of Business Suite or Elements Endpoint Protection, it will include the Application Control feature.
If the product is using high amounts of CPU performance, make sure you have not set the Application Control Global rule as Allow and monitor all applications. This setting should be used only during testing to find out which applications need exclusion rules, since it will affect the performance of devices.
Also make sure that you have not created Application control exclusion rules which only include a SHA1/SHA256 as a condition, since the calculation of the SHA1/SHA256 will require some CPU performance. Instead, we recommend using other conditions (such as the target path, etc.) in conjunction with the file hash condition.
Web Traffic Scanning
If you are experiencing performance issues with network based applications, which communicate over HTTP to an internal server, it could be that Web Traffic Scanning (Advanced Network Protection) is causing the issue. Try to temporarily disable Web Traffic Scanning to confirm if the issue is caused by it. If issue was caused by Web Traffic Scanning, you can add the internal servers address and hostname to the Allowed sites list so that the communication between the clients and the internal server is not checked.
In order to troubleshoot further what part of the product is causing the slow down, try disabling security features one by one:
- DeepGuard
- Real-time Scanning
- Firewall
- Browsing Protection
- Web Content Control
- Web Traffic Scanning
- Application Control
- DataGuard
- Device Control
- Software Updater
Which process is being slowed down, and how is it visible? eg. - fshoster process taking up high CPU usage?
A Scheduled scan is running:
Make sure that a scheduled scan is not currently running, since a running scheduled scan will use a lot of CPU and memory resources depending on the chosen settings. You can from the Windows Task Manager's Details tab check if fsscan.exe is running. If fsscan.exe is running, either a scheduled scan or a manual scan is currently being run.
Article no: 000030468