In an effort to allow better performance for people working from home, I was trying to determine which processes were exchanging the most data over the network, and I found that fcag.exe is one of the leading ones.
I don't have Evidence enabled in my environment, so I was curious what sort of activities this process is handling that would deal with a lot of data. I was expecting a few KBs from DLP events, but not GBs within a few days.
Does anybody have any clue?
#Data Loss Prevention
Fcag.exe is the main logic process of DLP Endpoint. There are lots of reasons that could cause fcag.exe to deal with lots of data and cause high CPU/memory usage, for example misconfigured classifications, high I/O and so on. Imagine that every file read/write will be interpreted by fcag.exe for analysis.
You can refer to some official documents for more details, for example:
Thanks for replying! My concern is actually around data traffic over the network, not CPU or RAM usage.
While I understand that, for example, if you have network-related protection enabled in your environment, fcag.exe will monitor the parent process that is handling the data transfer, it shouldn't be the main one sending data over.
Let's say you're using File Explorer to paste some files on a given path. The process fcag.exe would just monitor whatever explorer.exe is dealing with, but in the end, explorer.exe is the one in question performing the data copy and not fcag.exe.
My understanding is that fcag wouldn't intercede in the copy process but only scan the content being sent. Am I wrong in my assumptions?
Fcag.exe will intercept the file that needs to be scanned and suspend Explorer's copy action, then the file will be sent to its Text Extractor (fcagte.exe, I believe) module. Text Extractor will convert the file's content into some kind of readable content; at last fcag.exe will be able to understand the file's content and send signals to Explorer to let it continue copying the file or deny the copy.
About the high data traffic over the network, what I know is that the DLP Agent needs to periodically do some DNS query stuff, and of course the Evidence Copy is also handled by the DLP Agent (you mentioned you disabled it). Besides that, DLP itself seems not likely to generate much outbound traffic; most things are done on the local machine via some kind of DLL hooks. Not sure how you found that fcag.exe is generating high traffic over the network, can you share your findings?
Thanks for the thorough explanation, it's clearer to me now :).
I'm still using the Data Usage report in Win10, which you can find under Windows Settings > Network & Internet > Data Usage > View Usage per App. I have two scenarios where both are assigned to a DLP Policy with the following enabled: Removable Storage Protection, Web Protection, Email Protection and Cloud Protection.
- my machine: fcag had a usage of 3.4Gb within a month, but it's linked to a config policy with verbose enabled (log all messages);
- a teammate's machine had 1.7Gb within a month, but he's linked to a config policy with Warnings and Errors only.
That MAY explain the difference between our machines, but I'm still not fully sure.
Anyway, I believe Wireshark or Netmon can tell me more details, but I'd need to leave it running for a while to see how it behaves over time, which consequently means a huge log file in the end to be analyzed.
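As an added example (not from the thread or from the DLP vendor's own tooling), here is a PowerShell function that repeatedly snapshots the TCP connections and UDP sockets owned by a process name, so you can see whether fcag.exe itself holds sockets and to which remote endpoints before committing to a long Wireshark capture. It assumes the process name is fcag (no .exe) and an elevated session; Get-NetTCPConnection and Get-NetUDPEndpoint are standard NetTCPIP module cmdlets.

```powershell
# Added example, not from the thread: sample the sockets a named process owns
# several times, so short-lived connections (e.g. DNS queries) are not missed.
function Get-ProcessEndpointSummary {
    param(
        [string]$ProcessName = 'fcag',   # assumption: process name without .exe
        [int]$Samples = 12,              # number of snapshots to take
        [int]$IntervalSeconds = 5        # pause between snapshots
    )
    $seen = @{}   # endpoint label -> number of samples in which it appeared
    for ($i = 0; $i -lt $Samples; $i++) {
        $procIds = @(Get-Process -Name $ProcessName -ErrorAction SilentlyContinue | ForEach-Object Id)
        if ($procIds.Count -eq 0) {
            Write-Warning "No running process named $ProcessName"
            return
        }
        # TCP connections owned by the process, keyed by remote endpoint and state
        Get-NetTCPConnection -OwningProcess $procIds -ErrorAction SilentlyContinue | ForEach-Object {
            $key = 'TCP {0}:{1} ({2})' -f $_.RemoteAddress, $_.RemotePort, $_.State
            $seen[$key] = 1 + [int]$seen[$key]
        }
        # UDP endpoints only expose the local side; a churn of ephemeral local
        # ports across samples is what periodic DNS queries typically look like
        Get-NetUDPEndpoint -OwningProcess $procIds -ErrorAction SilentlyContinue | ForEach-Object {
            $key = 'UDP local {0}:{1}' -f $_.LocalAddress, $_.LocalPort
            $seen[$key] = 1 + [int]$seen[$key]
        }
        Start-Sleep -Seconds $IntervalSeconds
    }
    # Most frequently seen endpoints first
    $seen.GetEnumerator() | Sort-Object Value -Descending | ForEach-Object {
        [pscustomobject]@{ Endpoint = $_.Key; SeenInSamples = $_.Value }
    }
}

# One minute of sampling at 5-second intervals
Get-ProcessEndpointSummary -ProcessName fcag -Samples 12 -IntervalSeconds 5 | Format-Table -AutoSize
```

If fcag.exe shows few or no remote TCP endpoints while the Data Usage report still attributes gigabytes to it, that is the point at which a filtered Wireshark or Netmon capture on those specific endpoints is worth the log volume.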
In general, DLP debug logging (log all messages) should not be enabled, as it will generate too many logs in a very short time and can heavily impact performance. It should only be enabled for troubleshooting purposes.