Appendix 1. Resource consumption optimization

When scanning objects, Kaspersky Embedded Systems Security uses CPU resources, disk subsystem input/output, and RAM.

To view the resource consumption by the application, execute the following command:

top -bn1|grep kess

The command must be executed when the system is loaded.

The command output shows the amount of used memory and processor time:

651 root 20 0 3014172 2.302g 154360 S 120.0 30.0 0:32.80 kess

Column 6 displays the amount of resident memory – 2.302g.

Column 9 displays the percentage of the processor cores usage – 120.0, where each core is represented by 100 percent. Thus, 120% means that one core is fully used, and the other is used at 20%.

If, while scanning objects, Kaspersky Embedded Systems Security critically slows down the system, the application must be configured to optimize system resource consumption.

Determining the task that consumes resources

To determine which application tasks are consuming system resources, it is necessary to distinguish the resource consumption of File Threat Protection tasks (OAS type) and On-demand Scan tasks (ODS and ContainerScan types).

If the application is managed by Kaspersky Security Center policy, it is required to allow local task management for the period of the study.

File Threat Protection task operation analysis

To analyze the operation of the File Threat Protection task:

1. Stop all scan and monitoring tasks.
2. Make sure that the on-demand scan tasks will not run during the scan or have no schedule. You can do it using Kaspersky Security Center or locally by doing the following steps:
   1. Get the list of all application tasks by executing the following command:

      kess-control --get-task-list

   2. Get the schedule settings for the Malware Scan task by executing the following command:

      kess-control --get-schedule <task ID>

      If the command output is RuleType=Manual, the task can only be started manually.

   3. Get the schedule settings for all your Malware Scan and Custom Scan tasks, if any, and set them to start manually by executing the following command:

      kess-control --set-schedule <task ID> RuleType=Manual

3. Enable generation of application trace files with a high level of details by executing the following command:

   kess-control --set-app-settings TraceLevel=Detailed

4. Start the File Threat Protection task if it has not been started by executing the following command:

   kess-control --start-task 1

5. Load the system in the mode that caused the performance problems; a few hours is enough.

   While being loaded, the application writes a lot of information to the trace files; however only 5 files of 500 MB are stored by default, so the old information will be overwritten. If the problems with performance and resource consumption stop occurring, then they are most likely caused by on-demand scan tasks and you can proceed to analyzing the operation of ContainerScan and ODS scan tasks.

6. Disable creation of the application trace files by executing the following command:

   kess-control --set-app-settings TraceLevel=None

7. Determine the list of objects that have been scanned the most times by running the following command:

   fgrep 'AVP ENTER' /var/log/kaspersky/kess/kess.* | awk '{print $8}' | sort | uniq -c | sort -k1 -n -r|less

   The result is loaded into less, a text viewer utility, where the objects that have been scanned the most times are displayed first.

8. Determine whether the objects scanned the most number of times are dangerous. In case of any difficulties, contact Technical Support.

   For example, directories and log files can be considered safe if a trusted process writes to them, database files can also be considered safe.

9. Write down the paths to the objects that are safe, in your opinion; the paths will be required to configure exclusions from the scan scope.
10. If various services frequently write data to files in the system, such files are scanned again in the pending queue. Determine the list of paths that have been scanned the most times in the pending queue by running the following command:

    fgrep 'SYSCALL' /var/log/kaspersky/kess/kess.* | fgrep 'KLIF_ACTION_CLOSE_MODIFY' | awk '{print $9}' | sort | uniq -c | sort -k1 -n -r

    The files that were scanned the most times will appear at the beginning of the list.

11. If the counter for a file exceeds several thousands in a few hours, you should check whether you can trust this file in order to exclude it from scan.

    The logic of to determine it is the same as for the previous study (see step 8): log files can be considered safe, since they cannot be launched.

12. Even if some files are excluded from scan by the Real-time protection task, they can still be intercepted by the application. If excluding certain files from Real-time protection does not result in significant increase of performance, you can completely exclude the mount point where these files are located from the interception scope of the application. To do so, do the following:
    1. Run the following command to get the list of files intercepted by the application:

       grep 'FACACHE.*needs' /var/log/kaspersky/kess/kess.* | awk '{print $9}' | sort | uniq -c | sort -k1 -n -r

    2. Using this list, determine the paths used for most of the file operation interceptions and configure interception exceptions.

On-demand Scan tasks operation analysis

Tasks of the ODS and ContainerScan types can also cause significant resource consumption. Follow these recommendations for the tasks of ODS type:

• Make sure that several on-demand scan tasks are not running at the same time. The application allows for operation in this mode, but resource consumption can significantly increase. Check the schedule of all tasks of the ODS and ContainerScan types locally (as described for the File Threat Protection task) or using Kaspersky Security Center.
• Run the scan during the minimum server load.
• Make sure that there are no mounted remote resources (SMB/NFS) at the specified scan path. If a remote resource scan task cannot be performed directly on the server that provides the resource, do not perform the resource scan on servers with critical services, as execution of this task can take a long time (depending on the connection speed and the number of files).
• Optimize the settings of the on-demand scan task before start.

Page top

Configuring the File Threat Protection task

If, after analysis of the File Threat Protection task's operation, you have created a list of directories and files that can be excluded from the scan scope, you need to add them to the exclusions.

Scan exclusions

To exclude the /tmp/logs directory and all subdirectories and files recursively, execute the following command:

kess-control --set-settings 1 --add-exclusion /tmp/logs

To exclude a specific file or files by mask in the /tmp/logs directory, execute the following command:

kess-control --set-settings 1 --add-exclusion /tmp/logs/*.log

To exclude all files with the .log extension in the /tmp/ directory and subdirectories using a recursive mask, execute the following command:

kess-control --set-settings 1 --add-exclusion /tmp/**/*.log

Interception exclusions

If you want to exclude files in a certain directory not only from scan, but also from interception, you can exclude the entire mount point.

To exclude an entire mount point:

1. If the directory is not a mount point, create a mount point from it. For example, to create a mount point from the /tmp directory, execute the following command:

   mount --bind /tmp/ /tmp

2. To keep the mount point after the server reboot, add the following line to the /etc/fstab file:

   /tmp /tmp none defaults,bind 0 0

3. Add the /tmp directory to the global exceptions by executing the following command:

   kess-control --set-app-settings ExcludedMountPoint.item_0000=/tmp

4. If you want to add several directories, increase the item_0000 counter by one (item_0001, item_0002, and so on).

It is also recommended to exclude mount points that are mounted remote resources with unstable or slow connection.

Changing scan type

By default, the File Threat Protection task can scan files when they are opened or closed. If analysis of the File Threats Protection task's operation shows that too many files are being written, you can change the task mode to make it run only when files are opened; to do so, run the following command:

kess-control --set-set 1 ScanByAccessType=Open

In this operation mode, changes made to the file after it is opened are not scanned until the next opening of the file.

Configuring the On-demand Scan task

On-demand ODS and ContainerScan tasks are configured in the same way as configuring scan exclusions for the File Threat Protection task. However, the setting for excluding mount points does not apply to on-demand ODS and ContainerScan tasks.

Scan exclusion settings for one scan task do not affect other scan tasks. Exclusions must be configured separately for each scan task.

Configuring priority

The on-demand scan tasks have the ScanPriority setting, which allows you to specify how the application allocates system resources for running tasks.

Available values:

• Idle – no more than 10% load on one processor (regardless of whether it is busy or not).
• Normal – 50% load on all available processors.
• High – without limitations.

Limitations on the processor load also reduce resource consumption by the disk subsystem input/output.

To specify the Idle priority for a task, execute the following command:

kess-control --set-settings <task ID> ScanPriority=Idle

Setting the memory usage limits when unpacking archives

The on-demand scan task uses RAM to unpack archives when scanning the archives recursively. By default, the application's limit is 40% of all available RAM, but not less than 2 GB. Therefore, if the system has more than 5 GB of RAM, you can manually set the memory usage limit. This is especially useful for the servers that have hundreds of gigabytes of RAM.

To specify a limit on memory use when scanning:

1. Stop Kaspersky Embedded Systems Security.
2. Open the /var/opt/kaspersky/kess/common/kess.ini file for editing.
3. Add the ScanMemoryLimit setting with the required value (for example, 8192) to the [General] section:

   ScanMemoryLimit=8192

4. Start Kaspersky Embedded Systems Security.

The ScanMemoryLimit setting limits the amount of memory used when scanning files, but not the total amount of memory used by the application. So, the total amount of memory can be greater than the value specified by this setting.

Page top