
High Amount of Data Traffic handled by fcag.exe

In an effort to allow better performance for people working from home, I was trying to determine which processes were exchanging more data over the network, and I found that fcag.exe is one of the leading ones.

I don't have Evidence enabled in my environment, so I was curious what sort of activities this process is handling that would be dealing with a lot of data. I was expecting a few KBs from DLP events, but not GBs within a few days.

Does anybody have any clue?

#Data Loss Prevention

6 Replies

Re: High Amount of Data Traffic handled by fcag.exe

Fcag.exe is the main logic process of the DLP endpoint. There are lots of reasons that could cause fcag.exe to deal with lots of data and cause high CPU/memory usage, for example misconfigured classifications, high I/O and so on. Imagine that every file read/write will be interpreted by fcag.exe for analysis.

You can refer to some official pieces of documentation for more details, for example:

https://docs.mcafee.com/bundle/data-loss-prevention-11.0.400-product-guide-epolicy-orchestrator/page...


Re: High Amount of Data Traffic handled by fcag.exe

Thanks for replying! My concern is actually around data traffic over the network, not CPU or RAM usage.

While I understand that, for example, if you have network-related protection enabled in your environment, fcag.exe will monitor the parent process that is handling the data transfer, it shouldn't be the main one sending data over.

Let's say you're using File Explorer to paste some files on a given path. The process fcag.exe would just monitor whatever explorer.exe is dealing with, but in the end, explorer.exe is the one in question performing the data copy, not fcag.exe.

My understanding is that fcag wouldn't intercept the copy process but only scan the content being sent. Am I wrong in my assumptions?


Re: High Amount of Data Traffic handled by fcag.exe

Fcag.exe will intercept the file that needs to be scanned and suspend Explorer's copy action, then the file will be sent to its Text Extractor (fcagte.exe, I believe) module. The Text Extractor will convert the file's content into some kind of readable content; at last, fcag.exe will be able to understand the file's content and send signals to Explorer to let it continue copying the file or deny the copy.

About the high data traffic over the network, what I know is that the DLP Agent needs to periodically do some DNS query stuff, and of course the Evidence Copy is also handled by the DLP Agent (you mentioned you disabled it). Besides that, DLP itself seems not likely to generate much outbound traffic; most things are done on the local machine via some kind of DLL hooks. Not sure how you found that fcag.exe is generating high traffic over the network, can you share your findings?


Re: High Amount of Data Traffic handled by fcag.exe

Thanks for the thorough explanation, it's clearer to me now :).

I'm still using the Data Usage report in Win10, which you can find under Windows Settings > Network & Internet > Data Usage > View Usage per App. I have two scenarios where both are assigned to a DLP Policy with the following ones enabled: Removable Storage Protection, Web Protection, Email Protection and Cloud Protection.

- my machine's fcag had a usage of 3.4Gb within a month, but it's linked to a config policy with verbose enabled (log all messages);

- a teammate's machine had 1.7Gb within a month, but he's linked to a config policy with Warnings and Errors only.

That MAY explain the difference between our machines, but I'm still not fully sure.

Anyway, I believe Wireshark or Netmon can tell me more details, but I'd need to leave it running for a while to see how it behaves over time, which consequently means a huge log file in the end to be analyzed.
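A lighter-weight way to gather the findings the previous reply asked for, without a multi-day Wireshark/Netmon capture: the script below is an added example written for this thread, not code from McAfee or from any poster. It periodically snapshots the TCP connections owned by fcag.exe and aggregates the remote endpoints; it assumes Windows 8/Server 2012 or later (for Get-NetTCPConnection) and that the DLP agent process is still named fcag.exe.

```powershell
# Added example: sample the TCP connections owned by fcag.exe at a fixed interval
# and aggregate remote endpoints into a small CSV. Assumption: the DLP endpoint
# agent process is named fcag.exe and Get-NetTCPConnection is available.
param(
    [string]$ProcessName     = 'fcag',
    [int]   $IntervalSeconds = 30,
    [int]   $Samples         = 120,                       # 120 x 30 s = 1 hour
    [string]$OutCsv          = "$env:TEMP\fcag-endpoints.csv"
)

$seen = @{}   # "ip:port" -> per-endpoint record (first/last seen, sample count)

for ($i = 0; $i -lt $Samples; $i++) {
    $agentPids = Get-Process -Name $ProcessName -ErrorAction SilentlyContinue |
                 Select-Object -ExpandProperty Id
    if ($agentPids) {
        Get-NetTCPConnection -OwningProcess $agentPids -ErrorAction SilentlyContinue |
            Where-Object { $_.RemoteAddress -notin @('0.0.0.0', '::', '127.0.0.1', '::1') } |
            ForEach-Object {
                $key = '{0}:{1}' -f $_.RemoteAddress, $_.RemotePort
                if (-not $seen.ContainsKey($key)) {
                    $seen[$key] = [ordered]@{
                        RemoteAddress = $_.RemoteAddress
                        RemotePort    = $_.RemotePort
                        State         = $_.State
                        FirstSeen     = Get-Date
                        LastSeen      = Get-Date
                        Samples       = 0
                    }
                }
                $seen[$key].LastSeen = Get-Date
                $seen[$key].Samples += 1      # how many snapshots the endpoint appeared in
            }
    }
    Start-Sleep -Seconds $IntervalSeconds
}

# Best-effort reverse lookup so the endpoints are readable (ePO server, evidence share, ...).
$rows = foreach ($e in $seen.Values) {
    $e.HostName = try { (Resolve-DnsName -Name $e.RemoteAddress -Type PTR -ErrorAction Stop).NameHost } catch { '' }
    [pscustomobject]$e
}
$rows | Sort-Object Samples -Descending | Export-Csv -NoTypeInformation -Path $OutCsv
$rows | Sort-Object Samples -Descending | Format-Table -AutoSize
```

This shows which endpoints fcag.exe talks to and how persistently, not byte counts; pair it with the per-app Data Usage figures (or an ETW network trace) if volume per destination is needed.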


Re: High Amount of Data Traffic handled by fcag.exe

In general, DLP debug logging (log all messages) should not be enabled, as it will generate too many logs in a very short time and can heavily impact performance. It should only be enabled for troubleshooting purposes.

Re: High Amount of Data Traffic handled by fcag.exe

Yeah, I'm no longer on that policy, as I was troubleshooting another issue which was included in the timeframe of the report showing the 3.4Gb.