Symantec IGA


 IGA Virt Appliance: Demonstrating AV and Anti-Malware Performance Bottleneck on Connector Server

Muzi Lubisi (CA SA) posted Feb 05, 2025 01:27 AM

Good morning

I hope you are all well.

I'm facing a scenario where Trend AM and Deep scan AV are active on a machine running Connector Server, while Windows Defender AV & AM are also running. After a server reboot and relaunch of vApp services, system resources are consumed to a point where the server response is non-existent. When an Explore/Correlate task is triggered, the scanners will bounce between 5% and 20% CPU. The C++ CS will sit between 20% and 30% CPU usage (most likely compounded by a scan on the target server, a Domain Controller). This also impacts MS SQL, where the memory will begin to climb to the maximum allowed (Server has 32GB, MSSQL is allocated 16GB). We also see that once the memory has reached its maximum, it does not release/come down until the service is fully stopped, and restarted after a minute or two.

Although we have had a session to review these activities and it has been noted that they happen as described, we need definitive proof that the issue stems from the two pieces of software (Trend and Windows Defender). Can you please suggest the best way and sources to collect the necessary information to demonstrate the impact to present to a management level?

Regards,
Muzi Lubisi

Broadcom Employee Michael Niebuhr

It sounds like all communication being made by Connector Server, both in from Provisioning Server, and out to the Endpoints is being scanned as it performs its work. 



The simplest test would be to disable these third party tools and see if the same issue occurs.   

If connector server acts the same way with these scanning software components shut down then Support should review what is occurring.

If the issue disappears, you'll need to work with your security teams to exclude Connector Server from the scanning process.



Michael Niebuhr
Broadcom Support

Alan Baugher

Muzi,

This issue sounds very similar to cases we had at other sites.

Performance enhancements may be added to the Connector Server to avoid these challenges.

There is a section about anti-virus scanning in the connector guideline.

Performance Tuning for Provisioning

The section mentioned provisioning when the IMPS component was installed on MS Windows.    

You can treat the JCS/CCS on MS Windows to be in this mode.
Refine the exclusions to the installation folder for the JCS and the embedded CCS service.

Focus on Antivirus Exclusions (Windows only)
On all the Connector/Provisioning Servers, ensure that the antivirus will not scan the following directories and processes.

Folders
<CA_IdentityManager_Install_DIR>\Connector Server\jcs\logs
<CA_IdentityManager_Install_DIR>\Connector Server\ccs\logs

Processes:
<CA_IdentityManager_Install_DIR>\Connector Server\ccs\bin\im_ccs.exe
<CA_IdentityManager_Install_DIR>\Connector Server\bin\jcs.exe


Good luck.
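
The following is an added example, not part of the posts above and not Broadcom's own tooling: a read-only PowerShell audit that checks whether the folders and processes listed in the reply are present in Microsoft Defender's exclusion lists. The `-InstallDir` parameter is an assumption standing in for `<CA_IdentityManager_Install_DIR>`; Trend exclusions are managed in its own console and are not checked here.

```powershell
#Requires -RunAsAdministrator
# Added example: compares the exclusions listed in the thread with Defender's
# configured exclusions. Read-only; it changes no settings.
param(
    # Assumption: the real value of <CA_IdentityManager_Install_DIR> on this server.
    [Parameter(Mandatory)][string]$InstallDir
)

$cs = Join-Path $InstallDir 'Connector Server'
$expected = @(
    [pscustomobject]@{ Kind = 'Folder';  Path = (Join-Path $cs 'jcs\logs') }
    [pscustomobject]@{ Kind = 'Folder';  Path = (Join-Path $cs 'ccs\logs') }
    [pscustomobject]@{ Kind = 'Process'; Path = (Join-Path $cs 'ccs\bin\im_ccs.exe') }
    [pscustomobject]@{ Kind = 'Process'; Path = (Join-Path $cs 'bin\jcs.exe') }
)

# Normalise paths so comparison ignores case and trailing backslashes.
function ConvertTo-NormalPath([string]$p) { $p.TrimEnd('\').ToLowerInvariant() }

$pref      = Get-MpPreference
$folders   = @($pref.ExclusionPath)    | Where-Object { $_ } | ForEach-Object { ConvertTo-NormalPath $_ }
$processes = @($pref.ExclusionProcess) | Where-Object { $_ } | ForEach-Object { ConvertTo-NormalPath $_ }

$report = foreach ($e in $expected) {
    $want = ConvertTo-NormalPath $e.Path
    if ($e.Kind -eq 'Folder') {
        # A folder exclusion also covers its subfolders, so a parent entry counts.
        $hit = $folders | Where-Object { $want -eq $_ -or $want.StartsWith("$_\") }
    } else {
        # A process exclusion may be a full path or just the image name.
        $leaf = Split-Path $want -Leaf
        $hit  = $processes | Where-Object { $_ -eq $want -or $_ -eq $leaf }
    }
    [pscustomobject]@{
        Kind      = $e.Kind
        Path      = $e.Path
        OnDisk    = Test-Path -LiteralPath $e.Path   # catches a wrong -InstallDir
        Excluded  = [bool]$hit
        MatchedBy = $hit | Select-Object -First 1
    }
}

# Wildcard and environment-variable exclusions are not expanded by this check.
$report | Format-Table -AutoSize
```

Rows with `Excluded = False` are the entries to raise with the security team; a process exclusion in Defender skips files opened by that process, not the executable file itself.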