locked
My FoxPro application performance is very slow if FCS is enable RRS feed

  • Question

  • Friends,

    I have the following problem on my FCS work environment:
     
    Scenario:
    Office\Desktop users with Windows Windows XP Professional SP3 with the FCS v1.5.1958.0.
    Network: 1GB RAM: 1GB Disk: 160GB CPU: Intel Dual Corre 3.0GBH 2MB cache

    Problem:
    If FCS services is enabled when the FoxPro application performance is very slow.

    Symptom:
    This problem occurs only with the application of FOX, the rest of the programs are working properly. The FOX application and database is stored in a powerful file server with Windows Server 2008 Standar 32bits. The network users access through a share on the network mapped to logical drive in X:\. The .exe of win32 app and .dbf of FOX database is stored in the file server. The station is only a shortcut to the .exe on file server. I'm sure the problem is client side.

    Requirements:
    Proper functioning of my FoxPro application.

    Actions taken:
    In the file server FCS
    I created exclusions for files and folders. (D:\FoxApp\*.*)
    I created exclusions for File extension. (.dbf, .cdx, .fpt, .frx)
    I created exclusions for app process executable. (myfoxapp.exe)


    In client computer FCS
    I created exclusions for files and folders through policies. (X:\FoxApp)
    I created exclusions for File extension through policies. (.dbf, .cdx, .fpt, .frx)
    I can´t add network location for this exclusions

    Thanks for the help they can provide...

    Thursday, March 5, 2009 8:26 PM

All replies

  • Try locally on the client creating an exclusion for the process from wherever your users normally launch it and then test launching it and using the app after that.  Unfortunately you can't currently create process exclusions via FCS policies but I have a .adm template example that I could give you that you could use for a GPO if needed and the process exclusion works.
    CSS Security Support Engineer (FCS/MBSA/WUA/Incident Response) Check out my blog http://blogs.technet.com/kfalde
    Thursday, March 5, 2009 8:34 PM
  •  
    Excellent, Kurt.

    I can´t  create locally in FCS the exclusion for the process because this is on a network share on file server "FCS apparently does not support network drives" for this feature. Remember the client runs the FOX application from a shortcut on the desktop, all files .exe and .dbf is store in my file server.

    Send by mail the ADM template.

    Any ideas?

    Thanks
    Thursday, March 5, 2009 8:46 PM
  • I'm not sure if this will work but try opening the registry and at HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft Forefront\Client Security\1.0\AM\Exclusions\Processes create a reg_dword key pointed to the path that your shortcut points to and try testing that to see if it might work.


    CSS Security Support Engineer (FCS/MBSA/WUA/Incident Response) Check out my blog http://blogs.technet.com/kfalde
    Thursday, March 5, 2009 8:59 PM
  • Ok,
     
    Working ...

    You notice at a time my results.

    Thanks,
    Thursday, March 5, 2009 9:02 PM
  • you might want to try the network path folder at HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft Forefront\Client Security\1.0\AM\Exclusions\Paths as well Reg-dword value as well.. This is on the client
    CSS Security Support Engineer (FCS/MBSA/WUA/Incident Response) Check out my blog http://blogs.technet.com/kfalde
    Thursday, March 5, 2009 9:10 PM
  • Not work.

    My locally exclusion is:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft Forefront\Client Security\1.0\AM\Exclusions\Processes

    add valor reg_dword = 0

    X:\FoxApp\myfoxapp.exe (Where X:\ is the share on the network)

    Results:
    FCS services enable = FOX application is very slow
    FCS services disable = FOX application is very high speed

    Any ideas?
    Thursday, March 5, 2009 9:41 PM
  • Ok, Kurt

    I have good news.

    I finally my FOX application function normally.

    What do you think of this:

    I created a locally exclusion:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft Forefront\Client Security\1.0\AM\Exclusions

    \Extensions
    EXE ---> (It is dangerous to put this extension? Increases the security risk?)

    \Paths
    X:\FoxApp (Where X:\ is the share on the network)

    Results:
    FCS services enable = FOX application is very high speed
    FCS services disable = FOX application is very high speed


    NOTE:
    To work in this configuration the client FCS these options must be enabled:
    - Only administrators can change the configuration...
    - Allow users to add exclusions and...

    (In my case, this setting not is based on policy by domain GPOs if not for local machine on the registry)

    I hope your comments

    Thanks
    Thursday, March 5, 2009 10:52 PM
  • Hello Carlos,

    Setting an extension exclusion for 'exe' is an extremely high security risk and strongly recommended against.  This will effectively cause FCS to no longer scan any files with an .exe extension.

    A couple of thoughts:
    - FCS scan files in two capacities: during scans and via realtime(on access) protection(RTP).  There is no mention of you initiating scans so sounds like we are primarily concerned with RTP.

    - Mapped drives are a user-centric configuration.  That is, an X drive for Carlos may be mapped to \\server\share while for Mary X: is mapped to \\server2\share2, or no drive at all.  The FCS scanning process runs as LocalSystem so it doesn't see file access to X: it just sees requests for the network resource.
    You may be able to find relief for this by adding the full network share to a path exclusion(e.g. \\server\share).

    - What is the input/output pattern of your application?  Applications which following an I/O pattern of "open, modify, close, open, modify, close" will experience more scanning than those which with an I/O pattern of "open, modify, modify, modify, close". 

    - FCS has a caching mechanism to determine where it has already scanned a particular file since it has been modified, the service restarted, or a definition update.  However, this mechanism does not work with network files.

    - if you run Process Monitor from http://technet.microsoft.com/en-us/sysinternals/bb896645.aspx you can see which files FCS is scanning, how frequently and what process is triggering that scan.  Alternatively, you can contact Microsoft support who can gather lowlevel FCS tracing to gather the this information and more.

    Hope this helps,
    Craig Wiand
    Microsoft Forefront Client Security Escalation Engineer
    Forefront Client Security Support
    • Proposed as answer by MrAndersMVP Wednesday, December 22, 2010 4:38 PM
    Thursday, March 5, 2009 11:18 PM