SCSP High Memory Usage by IDS and Possible Missing IDS Events

Article:TECH198658  |  Created: 2012-10-19  |  Updated: 2013-03-22  |  Article URL http://www.symantec.com/docs/TECH198658
Article Type
Technical Solution


Issue



The UNIX and Linux SCSP agents, prior to the 5.2.9 MP1 release, may experience the following issues:

  • High memory usage by IDS File Watch, caused by unnecessarily monitoring files that do not match the policy.
  • Possible missing IDS File Watch events (false negatives).

Environment



Affected Operating systems: All UNIX and Linux
Affected Symantec Critical System Protection versions: All 5.2.x (5.2 RUx).


Cause



Conditions for high memory usage to occur (all conditions below must exist):

  • A File Watch rule whose select string contains a wildcard combined with a literal portion of the file name, such as “/var/www/*.html”.
    NOTE: Using a wildcard for the entire file name, such as “/var/www/*”, does not cause high memory usage.
  • New files are frequently added to the monitored folder (e.g., “/var/www/” in the above example) after the IDS File Watch policy is applied.

Conditions for missing IDS File Watch events (all conditions below must exist):

  • A File Watch rule whose select string contains a wildcard combined with a literal portion of the file name, such as “/var/www/*.html”.
  • The File Watch rule has a search depth (number of subdirectory levels to monitor) greater than 1.
  • More than one subdirectory exists in any directory below the monitored directory, up to the configured search depth.
    For example, for the select string “/var/www/*.html”, the presence of the subdirectories “/var/www/sales” and “/var/www/marketing” meets this condition. If the search depth is set to 2, then if either sales/ or marketing/ contains more than a single subdirectory, those directories are also susceptible to the error.
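The following is an added audit helper, not part of this article or the SCSP product: it checks a File Watch select string and search depth against the condition sets described above, so rules on an agent that cannot yet be upgraded can be reviewed. The rule representation (a select string plus an integer search depth) and the sample directory tree are assumptions constructed for illustration; the "frequent new files" condition for high memory usage cannot be judged statically and is reported as the rule-shape condition only.

```python
import os
import tempfile

def wildcard_with_partial_name(select_string):
    """True when the file-name part of the select string mixes a wildcard with
    literal text, e.g. '/var/www/*.html'. A bare '*' file name ('/var/www/*')
    is the shape the article says is not affected."""
    name = os.path.basename(select_string)
    return "*" in name and name.replace("*", "") != ""

def has_multiple_subdirs(root, depth):
    """True if the monitored directory, or any directory beneath it that the
    search depth still covers, contains more than one subdirectory."""
    def walk(path, level):
        subdirs = [e.path for e in os.scandir(path) if e.is_dir(follow_symlinks=False)]
        if len(subdirs) > 1:
            return True
        if level + 1 >= depth:          # deeper levels are outside the search depth
            return False
        return any(walk(s, level + 1) for s in subdirs)
    return walk(root, 0)

def audit_rule(select_string, search_depth):
    """Classify one File Watch rule against the article's two condition sets.
    'high_memory_risk' reports only the rule-shape condition; whether new files
    are frequently added to the folder must be judged separately."""
    partial = wildcard_with_partial_name(select_string)
    folder = os.path.dirname(select_string)
    missing = (partial and search_depth > 1 and os.path.isdir(folder)
               and has_multiple_subdirs(folder, search_depth))
    return {"high_memory_risk": partial, "missing_events_risk": missing}

def build_sample_tree():
    """Constructed sample layout mirroring the article's example: a web root
    with sales/ and marketing/ subdirectories plus one HTML file (assumed data)."""
    base = tempfile.mkdtemp(prefix="www_")
    for sub in ("sales", "marketing"):
        os.mkdir(os.path.join(base, sub))
    with open(os.path.join(base, "index.html"), "w") as fh:
        fh.write("<html></html>\n")
    return base

if __name__ == "__main__":
    www = build_sample_tree()
    for rule, depth in ((os.path.join(www, "*.html"), 2),
                        (os.path.join(www, "*.html"), 1),
                        (os.path.join(www, "*"), 2)):
        print(rule, "depth", depth, audit_rule(rule, depth))
```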
Solution



This issue is fixed in 5.2 RU9 MP1. Please use the latest build of the SCSP agent to obtain this fix.

If upgrading to the latest build is not possible, submit a support ticket and a TSE will determine if a hotfix is available.

Terms of use for this information are found in Legal Notices