Your computer significantly slows down after you enable the Active Response File Hashing option

Environment

McAfee Active Response (MAR) 2.x

Problem

You enable the MAR File Hashing option on one of your clients, and it experiences a significant slowdown in operation and performance. 
When you investigate, you see the MARService.exe process is performing many I/O operations, consuming a large amount of CPU capacity. 

Cause

There are large files present on the client that require resources to complete file hashing.
 

Solution

To identify the files causing this issue, run Process Monitor:
  1. Download Process Monitor (ProcMon).
     For documentation and downloads, see KB72766.
  2. Extract the downloaded files to a clean directory using WinZip or another file extraction utility.
  3. Start ProcMon.exe.
  4. Click the Filter tab, and select Filter (shortcut: CTRL + L).
  5. Select Process Name from the list:
     Process Name: "MARService.exe"
  6. Reproduce the issue and gather the Process Monitor information.
  7. View the Process Monitor output and identify the files that cause the issue.

This issue is usually caused by the files in the Windows temp folder (Windows\Temp\), named etilqs_xxxxxxx.
For example:
C:\Windows\Temp\etilqs_rQSWlVrlcI1hgdj
C:\Windows\Temp\etilqs_cFnYmISbHnsamND
C:\Windows\Temp\etilqs_kRwuK3GXKcKWXcW
C:\Windows\Temp\etilqs_BPahUQfpbJGcY9W

The etilqs files are used in Windows to store TEMP tables, manifested views, automatic indexes, and temporary storage for sorting operations. When these files are disabled, the equivalent information is held in RAM instead.

To resolve this issue, exclude the files listed in the Process Monitor output in your policy:

IMPORTANT: As a best practice, McAfee recommends that you duplicate the policy you want to edit and make your proposed changes to the duplicate.
Then test your changes by applying the duplicate policy to a test client before changing your main policy.
  1. Select Policy Catalog, Active Response.
  2. Select the policy to edit.
  3. Click the File Hashing tab.
     
  4. Under category Ignore Paths on Windows, add the path to the files listed in the Process Monitor output that caused the issue.
    For example: C:\Windows\Temp\etilqs_BPahUQfpbJGcY9W

    NOTE:
    • You can use an asterisk to exclude the complete directory tree: 
      C:\Windows\Temp\*.*
    • When you have multiple exclusions configured, you must use a semicolon (;) as a separator.
       
  5. Apply the changes to the policy and apply it as required.

NOTE: You can verify that the exclusions are applied by enabling debug logging for the MAR client and viewing the marlog.log file:
2018-01-12 14:31:07        8808     DEBUG            Plugin [0] -> Excluding C:/USERS/*/APPDATA/LOCAL/MICROSOFT/WINDOWS/TEMPORARY Internet FILES/CONTENT.IE5
2018-01-12 14:31:07        8808     DEBUG            Plugin [0] -> Excluding C:/USERS/*/APPDATA/LOCAL/MICROSOFT/WINDOWS/TEMPORARY INTERNET FILES/CONTENT.MSO
2018-01-12 14:31:07        8808     DEBUG            Plugin [0] -> Excluding C:/USERS/*/APPDATA/LOCAL/MICROSOFT/WINDOWS/WER/REPORTQUEUE
2018-01-12 14:31:07        8808     DEBUG            Plugin [0] -> Excluding C:/WINDOWS/TEMP/ETILQS_*
2018-01-12 14:31:07        8808     DEBUG            Plugin [0] -> Excluding C:\Windows\Temp\etilqs_BPahUQfpbJGcY9W
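
A check for the verification step above, as an added example that is not part of the original article or of McAfee's tooling: it extracts the "Excluding" entries from a marlog.log excerpt, reports which pattern (if any) covers each file Process Monitor identified, and lists whole-directory patterns such as C:\Windows\Temp\*.*, which leave everything beneath them unhashed. The matching rules used here (case-insensitive, slash-insensitive, an asterisk matching any run of characters, a directory exclusion covering its contents) are assumptions, not documented MAR behavior.

```python
import re

# Three DEBUG lines copied from the article's marlog.log excerpt.
SAMPLE_LOG = r"""
2018-01-12 14:31:07        8808     DEBUG            Plugin [0] -> Excluding C:/USERS/*/APPDATA/LOCAL/MICROSOFT/WINDOWS/WER/REPORTQUEUE
2018-01-12 14:31:07        8808     DEBUG            Plugin [0] -> Excluding C:/WINDOWS/TEMP/ETILQS_*
2018-01-12 14:31:07        8808     DEBUG            Plugin [0] -> Excluding C:\Windows\Temp\etilqs_BPahUQfpbJGcY9W
"""

EXCLUDE_RE = re.compile(r"DEBUG\s+Plugin \[\d+\] -> Excluding (.+?)\s*$")

def normalise(path):
    """Fold case and slash direction; the log shows both spellings."""
    return path.strip().replace("\\", "/").rstrip("/").upper()

def applied_exclusions(log_text):
    """Return the normalised exclusion patterns the client logged."""
    found = (EXCLUDE_RE.search(line) for line in log_text.splitlines())
    return [normalise(m.group(1)) for m in found if m]

def covering_pattern(path, patterns):
    """Return the first pattern covering path or one of its parent
    directories, else None. ASSUMPTION: '*' matches any run of characters."""
    parts = normalise(path).split("/")
    candidates = ["/".join(parts[:i]) for i in range(len(parts), 1, -1)]
    for pat in patterns:
        rx = re.compile(re.escape(pat).replace(r"\*", ".*"))
        if any(rx.fullmatch(c) for c in candidates):
            return pat
    return None

def broad_exclusions(patterns):
    """Patterns whose last component is only wildcards (a whole directory)."""
    last = lambda p: p.rsplit("/", 1)[-1]
    return [p for p in patterns if "*" in last(p) and set(last(p)) <= set("*.")]

if __name__ == "__main__":
    pats = applied_exclusions(SAMPLE_LOG)
    # Paths to check: the first two are from the article, the third is constructed.
    for p in (r"C:\Windows\Temp\etilqs_rQSWlVrlcI1hgdj",
              r"C:\Windows\Temp\etilqs_BPahUQfpbJGcY9W",
              r"C:\Windows\Temp\setup.exe"):
        print(f"{p}: {covering_pattern(p, pats) or 'NOT excluded'}")
    # Whole-directory patterns deserve review before they reach the main policy.
    print("review:", broad_exclusions(pats + [normalise(r"C:\Windows\Temp\*.*")]))
```
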
