This article helps identify and configure EDR exclusions. Follow the steps in this article if you experience performance issues or third-party application issues with the MVISION EDR client.
You see the following performance issues:
- High CPU/Memory on mfemvedr.exe
- Performance issues with third-party applications when MVISION EDR is installed
The symptoms typically include:
- The system is slower than normal when it accesses applications.
- The Windows task manager shows high CPU consumption or high memory consumption on MVEDR.exe.
- Third-party applications are blocked from starting with MVISION EDR installed.
Follow the steps below to troubleshoot and resolve the EDR client performance issues:
- Isolate the plug-in:
  - Open and edit your assigned EDR policy in the ePO server (Menu, Policy Catalog).
  - Disable each plug-in one by one (for example, file hashing, trace, network) by deselecting the appropriate plug-in section in each tab of the policy.
  NOTE: You might need to reboot the system after disabling a plug-in to make sure that its process has stopped completely, depending on whether the plug-in runs as a service.
- Enable debug logging. See KB94346 - How to enable debug logging for MVISION EDR.
- Disable the Enable data folder protection option so that the database files can be inspected for the most prevalent files or activities.
- Re-enable the plug-in that is causing the performance issue and wait for the issue to repeat.
- When the issue reoccurs:
  - Collect the MER files from the system that is experiencing the issue, so that all logs and database files are available for your Service Request.
  - After you have reproduced the issue and collected the data, disable debug logging again by reverting the changes you made when you enabled it.
  - Open a Service Request with Technical Support to analyze the data if you do not want to troubleshoot using the steps below.
Troubleshoot performance issues after initial data collection:
NOTE: Perform the steps below with the data you collected in the procedure above.
If the issue is with the file hashing plug-in:
To find the most used folders to exclude from file hashing, examine the file_hash.db database:
- Download and install SQLite on the system.
- Extract file_hash.db from your MER to the system where SQLite is installed. In the MER, the file is located in <MER NAME>\0\FILE_MAR_LocalDb.
- Launch SQLite, click Databases, and then click Add a database.
- Select the file_hash.db file that you extracted.
- Query file_hash.db using the queries below:
For a list of most used folders (to find exclusions for "Ignore paths on windows" in EDR policy assigned to system):
SELECT dir, count(*) as amount FROM files GROUP BY dir ORDER BY amount DESC LIMIT 20;
For the most used file extensions (exclusions for "Ignore extensions on windows" in the EDR policy assigned to the machine):
SELECT replace(name, rtrim(name, replace(name, '.', '')), '') as extension, count(*) as amount FROM files GROUP BY extension ORDER BY amount DESC LIMIT 20;
NOTE: For a file name that contains no '.', rtrim() strips the name to nothing and replace() with an empty search string returns the name unchanged, so such files show their whole name as the "extension"; ignore those rows.
- Identify the most used folders or your application's location. Add the complete folder path to the end of the "Ignore Paths on Windows" list in the file hashing tab of your assigned EDR policy in ePO.
- Restart the system, or disable and re-enable the file hashing plug-in, to pick up the change.
- After you complete the above steps, reproduce your performance issue to see whether it is solved.
- If the issue still occurs after adding the exclusions, open a Service Request with Technical Support and upload the MER collected above.
NOTE: Files that were hashed before an exclusion was put in place remain in file_hash.db until it is rebuilt or rolled over, so they continue to appear in the query results.
- If you need to clear out old hashes, or to completely rebuild file_hash.db because it has grown large, remove and reinstall EDR using an ePO server task or Add/Remove Programs.
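To run the two queries above outside a GUI and turn the counts into an exclusion shortlist, the following Python script is an added example (not the product's or this article's own code). It assumes only what the article's queries assume, a `files` table with `dir` and `name` columns, and ships constructed sample rows so it runs without a real file_hash.db; pass the path of an extracted file_hash.db as the first argument to run it against real data. It goes one step beyond the article's extension query by reporting an empty extension, rather than the whole file name, for names that contain no dot.

```python
import sqlite3

# Constructed sample rows standing in for the `files` table of file_hash.db.
# Assumption: the table has at least the columns `dir` and `name`, which is all
# the article's queries use; the real schema may carry more columns.
SAMPLE_FILES = [
    (r"C:\Program Files\MyApp\cache", "chunk-0001.tmp"),
    (r"C:\Program Files\MyApp\cache", "chunk-0002.tmp"),
    (r"C:\Program Files\MyApp\cache", "chunk-0003.tmp"),
    (r"C:\Program Files\MyApp\cache", "index.dat"),
    (r"C:\Windows\System32", "kernel32.dll"),
    (r"C:\Windows\System32", "ntdll.dll"),
    (r"C:\Users\alice\Downloads", "setup.exe"),
    (r"C:\Users\alice\Downloads", "README"),  # no extension
]

# The article's folder query, with a bound LIMIT.
TOP_DIRS_SQL = """
SELECT dir, count(*) AS amount
FROM files
GROUP BY dir
ORDER BY amount DESC
LIMIT ?;
"""

# The article's extension query, guarded so that a name without a '.' yields ''
# instead of the whole file name (rtrim() would otherwise strip the name to
# nothing and replace() with an empty search string returns it unchanged).
TOP_EXT_SQL = """
SELECT CASE WHEN instr(name, '.') = 0 THEN ''
            ELSE replace(name, rtrim(name, replace(name, '.', '')), '')
       END AS extension,
       count(*) AS amount
FROM files
GROUP BY extension
ORDER BY amount DESC
LIMIT ?;
"""


def sample_connection():
    """In-memory database loaded with the constructed rows above."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE files (dir TEXT, name TEXT)")
    conn.executemany("INSERT INTO files VALUES (?, ?)", SAMPLE_FILES)
    conn.commit()
    return conn


def top_dirs(conn, limit=20):
    """(dir, count) pairs, most hashed folder first."""
    return conn.execute(TOP_DIRS_SQL, (limit,)).fetchall()


def top_extensions(conn, limit=20):
    """(extension, count) pairs, most hashed extension first."""
    return conn.execute(TOP_EXT_SQL, (limit,)).fetchall()


def exclusion_candidates(conn, min_share=0.4):
    """Folders holding at least `min_share` of all hashed files: the first
    candidates for "Ignore paths on Windows". The threshold is a judgement
    call for this example, not a product setting."""
    total = conn.execute("SELECT count(*) FROM files").fetchone()[0]
    if not total:
        return []
    return [d for d, n in top_dirs(conn) if n / total >= min_share]


if __name__ == "__main__":
    import sys
    # Pass the path of an extracted file_hash.db; with no argument the sample is used.
    conn = sqlite3.connect(sys.argv[1]) if len(sys.argv) > 1 else sample_connection()
    for d, n in top_dirs(conn):
        print(f"{n:6d}  {d}")
    for ext, n in top_extensions(conn):
        print(f"{n:6d}  .{ext}" if ext else f"{n:6d}  (no extension)")
    print("Candidates for 'Ignore paths on Windows':", exclusion_candidates(conn))
```

Review the candidate list before adding anything to the policy: a folder that is hashed often because an attacker-controlled process writes there is exactly the folder you do not want to exclude, so match each candidate against the application you are troubleshooting.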
If the Trace plug-in caused the performance issue:
- Extract trace.log from your MER to your system for analysis. In the MER, the file is located in <MER NAME>\0\FILE_MVEDRDataDir.
- Open trace.log in Notepad++.
- Press Ctrl+F to open the Find window.
- Set Search Mode to Regular expression (the option at the bottom of the Find window).
- In the Find what box, enter TResult(1)..*$ and click Find All in Current Document.
- In the search results at the bottom of the Notepad++ screen, Select All and copy.
- Open a new document and paste the copied result.
- Add the top trace count path or your application file/path to your EDR General assigned policy under the section "Ignored Process full path" of the Trace tab.
- Apply policy to the system.
- Close and relaunch the process.
If you need to open a Service Request with Technical Support to help identify the process or files to exclude in your trace policy, document the following in your Service Request:
Confirm that you stopped and restarted the process after excluding it from EDR, and that the process you excluded under “Ignored Process full path” in your policy is the main process of your application.
Report the following in your Service Request:
- Time and length of issue.
- Behavior and Error message displayed.
- Name of application.
- Location of Application.
If you want to examine the Trace.db database before you open a Service Request with Technical Support, to understand what to exclude from tracing:
- Download and install SQLite on the system.
- Extract Trace.db from your MER (as in the previous steps) to the system where SQLite is installed. In the MER, the file is located in <MER NAME>\0\FILE_MAR_LocalDb.
- Launch SQLite, click Databases, and then click Add a database.
- Select the Trace.db file you extracted above.
- Query Trace.db using the query below:
To view the traces being sent for files over 100 MB, run the query below:
SELECT id, parent_id, trace_id, status, data FROM data WHERE data RegEXP '"size":[0-9]{7,}'
NOTE: The pattern matches any "size" value with seven or more digits, that is, 1,000,000 bytes or more; use {9,} to start at 100,000,000 bytes, roughly 100 MB. REGEXP is not built into SQLite itself; the SQLite tool you use must provide a regexp() function, otherwise the query fails with "no such function: REGEXP".
- When the application path or the most traced file from the database is identified, exclude the main process of your application in "Ignored Process full path" of your policy.
- Apply your policy.
- Stop and restart the application and confirm that the issue no longer occurs.
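The query above relies on the REGEXP operator, which a stock SQLite build does not provide, and its digit count selects sizes from 1,000,000 bytes upward rather than 100 MB. The following Python script is an added example, not this article's or the product's own code: it registers a REGEXP function for Python's sqlite3 module, runs the article's query as written, and then applies an exact byte threshold on the parsed size. The table layout (columns id, parent_id, trace_id, status, data, with data holding compact JSON that contains a "size" value in bytes and a "path") and the sample rows are assumptions constructed for the example; pass the path of an extracted Trace.db as the first argument to run it against real data.

```python
import json
import re
import sqlite3


def _j(obj):
    # Compact JSON (no space after ':') so the article's '"size":[0-9]{7,}' pattern applies.
    return json.dumps(obj, separators=(",", ":"))


# Constructed sample rows standing in for the `data` table of Trace.db.
# Assumption: the columns are the ones the article's query names and `data`
# is JSON text carrying a "size" in bytes and a "path". The real layout may differ.
SAMPLE_TRACES = [
    (1, 0, "t-1", 1, _j({"path": r"C:\Program Files\MyApp\MyApp.exe", "size": 512})),
    (2, 1, "t-1", 1, _j({"path": r"C:\Program Files\MyApp\data\bundle.bin", "size": 157286400})),
    (3, 0, "t-2", 0, _j({"path": r"C:\Windows\System32\cmd.exe", "size": 289792})),
    (4, 3, "t-2", 1, _j({"path": r"C:\Users\alice\big.iso", "size": 4294967296})),
    (5, 0, "t-3", 1, _j({"path": r"C:\Users\alice\medium.zip", "size": 5000000})),
]

SIZE_RE = re.compile(r'"size":(\d+)')


def _regexp(pattern, value):
    """Backs the REGEXP operator, which stock SQLite does not ship.
    SQLite evaluates `value REGEXP pattern` as regexp(pattern, value)."""
    if value is None:
        return False
    if isinstance(value, bytes):
        value = value.decode("utf-8", "replace")
    return re.search(pattern, value) is not None


def connect(path=":memory:"):
    conn = sqlite3.connect(path)
    conn.create_function("REGEXP", 2, _regexp)
    return conn


def sample_connection():
    """In-memory database loaded with the constructed rows above."""
    conn = connect()
    conn.execute(
        "CREATE TABLE data (id INTEGER, parent_id INTEGER, trace_id TEXT, status INTEGER, data TEXT)"
    )
    conn.executemany("INSERT INTO data VALUES (?, ?, ?, ?, ?)", SAMPLE_TRACES)
    conn.commit()
    return conn


def article_query(conn):
    """The article's query as written: {7,} means seven or more digits, i.e. size >= 1,000,000."""
    return conn.execute(
        """SELECT id, parent_id, trace_id, status, data FROM data
           WHERE data REGEXP '"size":[0-9]{7,}' ORDER BY id"""
    ).fetchall()


def large_traces(conn, min_bytes=100 * 1024 * 1024):
    """Rows whose recorded size is at least `min_bytes` (default 100 MB).
    A digit-count REGEXP prefilter never drops a true match (any number >=
    min_bytes has at least as many digits) but is not exact, so the parsed
    number is compared afterwards."""
    digits = len(str(min_bytes))  # 104857600 -> 9 digits -> {9,}
    pattern = r'"size":[0-9]{%d,}' % digits
    rows = conn.execute(
        "SELECT id, parent_id, trace_id, status, data FROM data WHERE data REGEXP ? ORDER BY id",
        (pattern,),
    ).fetchall()
    out = []
    for row in rows:
        m = SIZE_RE.search(row[4])
        if m and int(m.group(1)) >= min_bytes:
            out.append(row)
    return out


def traced_paths(rows):
    """Paths recorded in the matching rows: what to review for "Ignored Process full path"."""
    return [json.loads(r[4]).get("path") for r in rows]


if __name__ == "__main__":
    import sys
    conn = connect(sys.argv[1]) if len(sys.argv) > 1 else sample_connection()
    for row in large_traces(conn):
        rec = json.loads(row[4])
        print(row[0], row[2], rec.get("size"), rec.get("path"))
```

The same `connect()` helper lets you run any other REGEXP query from the article against an extracted database in the sqlite3 module; the exact comparison step is what makes the "over 100 MB" wording in the article true.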
If the Network plug-in caused the issue:
- Create a Service Request, enable debug logging, and collect the database files with the issue reproduced.
- Describe the application name and behavior, including any errors or messages that you see while the network plug-in is enabled.