Purpose
This document describes the expected behavior of active protection for files or folders listed in the exceptions list of an agent policy, and how to address possible performance issues caused by active protection.
Symptoms
You see STThreat.exe consuming memory or CPU in Task Manager, and you notice that files listed in the exceptions list of your agent policy are still being scanned by the Shavlik Protect Agent active protection.
Cause
This is working as designed. Whenever a file meets the active protection criteria for a check (based on the 'File access' settings under agent policy > Threat > Active Protection), the agent must determine whether further analysis is needed. STThreat.exe will always run when the File access condition is met on the system, regardless of the exceptions list.
Images for reference:
- Example of a file exception set up in the agent policy for "test.exe".
- Example of Active Protection File access settings within the agent policy.
So even though the files are excluded by the policy settings, the active protection process still has to perform a preliminary check to determine whether further action is needed. If the file is excluded, no further action beyond that preliminary check by active protection will take place.
Note: A Threat Scan (Set up via Threat Tasks tab of agent policy) will not scan exceptions at all.
Resolution
If you find that this is causing a performance hit on your machine(s), you can modify the active protection settings so that files are only seen by active protection when executed, rather than on access. This reduces the number of files active protection has to examine and improves performance.
Example of setting active protection to 'On execute' access.
Before making this change, weigh the level of active protection you want against the performance hit you are actually seeing. Refer to the following information from the Shavlik Protect Help documentation:
File Access Levels
- On access, all file types (lower performance): Active Protection will perform a scan whenever a file is touched (executed, moved, copied, loaded, etc.) on the agent machine. If the file is infected the user will be alerted before the infected file has a chance to do damage to the computer. This option applies to preset files, including EXE, INI, HLP, BAT, and others. While this provides the most complete form of protection, the trade-off is it may slow the agent machine's performance. To counteract this, enable the Limit AP scanning option.
- Limit AP scanning to only high risk file types (higher performance): You can improve the performance of Active Protection by scanning only those file types that present the highest risk. This is a good compromise solution for those companies seeking a fairly high level of security while maintaining a reasonable level of performance. The list of high risk file types includes the following:
  ade, adp, asf, bas, bat, chm, cmd, com, cpl, crt, dll, doc, dot, eml, ex!, ex#, ex$, ex_, exe, exv, hlp, hta, htm, html, inf, ini, ins, isp, js, jse, lnk, mdb, mde, msc, msg, msi, msp, nt, ocx, pcd, pif, png, pps, ppt, reg, scr, sct, shb, shs, swf, sys, url, vb, vbe, vbs, vxd, wmv, wsc, wsf, wsh, xls, xlt
- On execute: Active Protection will perform a scan only when a file is executed or a .dll file is loaded.
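The following is an added example (not Shavlik code) that models the three File Access levels above against a constructed set of file-access events, showing how each level changes the number of events STThreat.exe would have to examine, and that an excepted file or folder still receives the preliminary check before being dropped. The exception-matching rule (exact file, or any file under an excepted folder) and the 'On access' rule (every access counted) are simplifying assumptions for the illustration.

```python
from collections import Counter
from pathlib import PureWindowsPath

# High-risk file types, copied from the Shavlik Protect Help list above.
HIGH_RISK = set("""ade adp asf bas bat chm cmd com cpl crt dll doc dot eml ex!
ex# ex$ ex_ exe exv hlp hta htm html inf ini ins isp js jse lnk mdb mde msc msg
msi msp nt ocx pcd pif png pps ppt reg scr sct shb shs swf sys url vb vbe vbs
vxd wmv wsc wsf wsh xls xlt""".split())

def ext(path):
    """Extension without the dot, lower-cased; '' when the file has none."""
    return PureWindowsPath(path).suffix[1:].lower()

def ap_examines(op, path, level):
    """Does active protection run its preliminary check on this access event?"""
    if level == "on_execute":   # only executions and .dll loads
        return op == "execute" or (op == "load" and ext(path) == "dll")
    if level == "high_risk":    # 'Limit AP scanning to only high risk file types'
        return ext(path) in HIGH_RISK
    if level == "on_access":    # simplification: every access of every file type
        return True
    raise ValueError(f"unknown File Access level: {level}")

def is_excepted(path, exceptions):
    """Assumed semantics: exact file match, or the file sits under an excepted folder."""
    p = path.lower().rstrip("\\")
    return any(p == e or p.startswith(e + "\\")
               for e in (x.lower().rstrip("\\") for x in exceptions))

def triage(events, level, exceptions):
    """Tally outcomes: not_examined (STThreat.exe never involved),
    preliminary_only (excepted: checked, then dropped), full_analysis."""
    tally = Counter()
    for op, path in events:
        if not ap_examines(op, path, level):
            tally["not_examined"] += 1
        elif is_excepted(path, exceptions):
            tally["preliminary_only"] += 1
        else:
            tally["full_analysis"] += 1
    return dict(tally)

# Constructed sample of access events (op, path); not real agent telemetry.
EVENTS = [("execute", r"C:\Tools\test.exe"), ("copy", r"C:\Users\alice\report.docx"),
          ("load", r"C:\Windows\System32\helper.dll"), ("read", r"C:\Data\photo.png"),
          ("move", r"C:\Excluded\notes.txt")]
EXCEPTIONS = [r"C:\Tools\test.exe", r"C:\Excluded"]  # one file and one folder exception
if __name__ == "__main__":
    for level in ("on_access", "high_risk", "on_execute"):
        print(level, triage(EVENTS, level, EXCEPTIONS))
```

Note that the excepted test.exe is counted under preliminary_only at every level: the exception stops the full analysis, not the initial check.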
Additional Information
Shavlik Protect Help: Configuring Active Protection
Affected Product(s)
Shavlik Protect 9.x