cancel
Showing results for 
Search instead for 
Did you mean: 

fcag.exe is stuck at 99% CPU

I'm new to HDLP and we're running into a problem. The fcag.exe process is experiencing a cpu race condition where it's stuck doing something. The previous episode lasted 15 hours on my test workstation before it finally stopped. I'm trying different combination of rules and tags and options, but i haven't found the correct one yet to isolate or at least give me a hint as to what is causing the problem. I don't think it's the discovery job, since I am using the default option to suspect discovery at 80% CPU, unless that option doesn't work!?!?

I'm checking the HDLP logs in C:\Documents and Settings\All Users\Application Data\McAfee\DLP\Temp but I honestly am not sure how to interpret them. Here's an excerpt from AgentLogicLogFile.log

[ODEBUG] (1116-1260) [File Tracker] [FileContentTransmittedEvent::startProcessEvent] FTra.DH#000821 start event handler file : c:\documents and settings\all users\application data\mcafee\common framework\current\masecore2000\mase_det.mcs

[ODEBUG] (1116-1260) [File Tracker] [FileContentEvent::calcMissingInformation] getMissingInformationForEvent

[ODEBUG] (1116-1260) [Text Extractor Service] [TextExtractorService::addFileParsingRequest] adding quable request

[ODEBUG] (1116-1260) [File Tracker] [FileContentTransmittedEvent::startProcessEvent] FTra.DH#000821 request text extraction filename(c:\documents and settings\all users\application data\mcafee\common framework\current\masecore2000\mase_det.mcs)

[ODEBUG] (1116-1260) [Cpp Framework] [OOPGEnvelope::unpackHeader] Unpacking the message, Agent Protocol Version 03000000, Envelope Version 03000000!

[ODEBUG] (1116-1260) [File Tracker] [FileContentEvent::textExtractionEnded] FTra.DH#000821 fail parsing file mase_det.mcs - error 4

egExSearcher::searchContent] finish processing (((0[0-9])|(1[0-2])|(2[1-9])|(3[0-2])|(6[1-9])|(7[0-2])|80)([0-9]{7}))- (559140)

[ODEBUG] (1116-3428) [Tagging Service] [RegExSearcher::searchContent] finish processing ((3[4,7]\d{2})(-?|\040*)\d{6}(-?|\040*)\d{5})- (559140)

[OERROR] (1116-3428) [Tagging Service] [RegExSearcher::searchContent] bad regular expression search ((?:(?<visa>4\d{3})|(?<mastercard>5[1-5]\d{2})|(?<discover>6011)|(?<dinersclub>(?:3[68]\d{2})|(?:30[0-5]\d))|(?<americanexpress>3[47]\d{2}))([ -]?)(?(dinersclub)(?:\d{6}\1\d{4})|(?(americanexpress)(?:\d{6}\1\d{5})|(?:\d{4}\1\d{4}\1\d{4}))))- ignore this one

[ODEBUG] (1116-3428) [Tagging Service] [RegExSearcher::searchContent] finish processing (([30|36|38]{2})([0-9]{12}))- (559156)

[ODEBUG] (1116-3428) [Tagging Service] [RegExSearcher::searchContent] finish processing (([51|52|53|54|55]{2})([0-9]{14}))- (559171)

[ODEBUG] (1116-3428) [Tagging Service] [RegExSearcher::searchContent] finish processing ((\d{4}-){3}\d{4})- (559171)

[ODEBUG] (1116-3428) [Tagging Service] [RegExSearcher::searchContent] finish processing ((4\d{3})(-?|\040*)(\d{4}(-?|\040*?)){3})- (559171)

[ODEBUG] (1116-3428) [Tagging Service] [RegExSearcher::searchContent] finish processing ((4\d{3})(-?|\040*)(\d{5})(-?|\040*?)(\d{4}))- (559171)

Handler] [FileFilterHandler::onOpen] File already opened, just added to RunningProcessInfo

[ODEBUG] (1092-3060) [File Tracker] [RunningProcessInfo::addFileInfo] Adding the file(winvnc4.exe) to process (2760)

[ODEBUG] (1092-3060) [File Handler] [FileFilterHandler::onOpen] File already opened, just added to RunningProcessInfo

e] We don't have open info on this file (1758656)

Here's an excerpt from AgentTeLog.Log

[ODEBUG] (4056-4072) [Text Extractor Service] [TextExtractor::onCommunicationRecieved] RequestFileInfoExtraction.RequestType.RequestFileText = 1

[ODEBUG] (4056-4072) [Text Extractor Service] [TextExtractor::onCommunicationRecieved] RequestFileInfoExtraction.RequestType.RequestFileProtection = 0

[ODEBUG] (4056-4072) [Text Extractor Service] [TextExtractor::onCommunicationRecieved] RequestFileInfoExtraction.FileFullName = c:\documents and settings\all users\application data\mcafee\common framework\catalog.z

[ODEBUG] (4056-4072) [Text Extractor Service] [TextExtractor::onCommunicationRecieved] RequestFileInfoExtraction.ValidateFile = 1

[ODEBUG] (4056-4072) [Text Extractor Service] [TextExtractor::onCommunicationRecieved] RequestFileInfoExtraction.FileSize = 4588

[ODEBUG] (4056-4072) [Text Extractor Service] [TextExtractor::onCommunicationRecieved] RequestFileInfoExtraction.FileModificationDate = 1279040318

[ODEBUG] (4056-4072) [Text Extractor Service] [TextExtractor::onCommunicationRecieved] RequestFileInfoExtraction.MountIndex = 1

ext Extractor Service] [TextExtractor::onCommunicationRecieved] RequestFileInfoExtraction.RequestID = 455

[ODEBUG] (636-3524) [Text Extractor Service] [TextExtractor::onCommunicationRecieved] RequestFileInfoExtraction.RequestType.RequestFileType = 0

[ODEBUG] (636-3524) [Text Extractor Service] [TextExtractor::onCommunicationRecieved] RequestFileInfoExtraction.RequestType.RequestFileText = 1

[ODEBUG] (636-3524) [Text Extractor Service] [TextExtractor::onCommunicationRecieved] RequestFileInfoExtraction.RequestType.RequestFileProtection = 0

[ODEBUG] (636-3524) [Text Extractor Service] [TextExtractor::onCommunicationRecieved] RequestFileInfoExtraction.FileFullName = c:\documents and settings\administrator\local settings\temp\000005bc\1036.mst

[ODEBUG] (636-3524) [Text Extractor Service] [TextExtractor::onCommunicationRecieved] RequestFileInfoExtraction.ValidateFile = 1

[ODEBUG] (636-3524) [Text Extractor Service] [TextExtractor::onCommunicationRecieved] RequestFileInfoExtraction.FileSize = 52736

[ODEBUG] (636-3524) [Text Extractor Service] [TextExtractor::onCommunicationRecieved] RequestFileInfoExtraction.FileModificationDate = 1270731818

[ODEBUG] (636-3524) [Text Extractor Service] [TextExtractor::onCommunicationRecieved] RequestFileInfoExtraction.MountIndex = 1

[ODEBUG] (636-3524) [Text Extractor Service] [TextExtractor::onCommunicationRecieved] RequestFileInfoExtraction.IsLocalDrive = 1

[ODEBUG] (636-3524) [Text Extractor Service] [TextExtractor::onCommunicationRecieved] RequestFileInfoExtraction.UserToken = 0

[ODEBUG] (636-2296) [Text Extractor Service] [TextExtractionMethod::onExecute] Processing file  c:\documents and settings\administrator\local settings\temp\000005bc\1036.mst

[ODEBUG] (636-2296) [Text Extractor Service] [TextExtractionMethod::onExecute] Start parsing file c:\documents and settings\administrator\local settings\temp\000005bc\1036.mst

leInfoExtraction.RequestType.RequestFileProtection = 0

[ODEBUG] (3800-3540) [Text Extractor Service] [TextExtractor::onCommunicationRecieved] RequestFileInfoExtraction.FileFullName = c:\program files\mcafee\siteadvisor enterprise\scripts\green.gif

[ODEBUG] (3800-3540) [Text Extractor Service] [TextExtractor::onCommunicationRecieved] RequestFileInfoExtraction.ValidateFile = 0

Anyone else experiencing this issue? Any ideas on which log may contain the best information on which handler may be causing the problem?

6 Replies

Re: fcag.exe is stuck at 99% CPU

Are you excluding all fcag processes from your antivirus and scanning tools?

Use procmon to see if DLP has some compatibility issue with any other application installed? Is it happening on only one system or many?

- Amiya

Re: fcag.exe is stuck at 99% CPU

It's happening on many systems, and I've done some basic exclusion work in VSE to prevent this, but I did not go the low/high process route yet. It's happening on multiple dev and test systems, and I've sent procmon caps to McAfee. I hope to get something from them this week.

I do see a lot of adobe print failure messages, but I don't have enough experience to determine if this is normal for the HDLP handler. 

Re: fcag.exe is stuck at 99% CPU

I went back and double checked my VSE exclusions, and I have turned on the separate scanning policies for High/Low. We'll force a policy update on all test/dev clients, and reboot.

Re: fcag.exe is stuck at 99% CPU

This should be fine with normal fcag exclusion. You did a good thing by sending procmon file to support.

Are you in development stage or production? You can turn off few handlers and turn on one-by-one to see actully if any specific rule causing the issue!

Thanks.

- Amiya

Re: fcag.exe is stuck at 99% CPU

We ran in sand boxed VM development environment, and now we're on a virtual test environment with a mix of virtual and physical workstations. I've got a lot of rules and handlers, since we're interested in each one, and yes, I've been removing configuration items slowly. I've got a lot of logs, but I'm not clear on how to interpret them.

I can't add more test clients until the root cause is identified.

Are you fluent with the logs? Can you review the ones above and see if they make sense?

Re: fcag.exe is stuck at 99% CPU

I have heard from Support, and the answer is both simple and surprising. My base rule and tag configuration is too broad, and it's causing the dlp agent to scan too many files too often for too many criteria.

To summarize, I configured the client to run at maximum detection, and it's bringing down my Dual Intel Core i7 ~ 2.93GHz test machine to it's knees.

So... perhaps I should have purchased the Network DLP product. It's clear to me that HDLP is a beast.

More McAfee Tools to Help You
  • Subscription Service Notification (SNS)
  • How-to: Endpoint Removal Tool
  • Support: Endpoint Security
  • eSupport: Policy Orchestrator
  • Community Help Hub

      New to the forums or need help finding your way around the forums? There's a whole hub of community resources to help you.

    • Find Forum FAQs
    • Learn How to Earn Badges
    • Ask for Help
    Go to Community Help

    Join the Community

      Thousands of customers use the McAfee Community for peer-to-peer and expert product support. Enjoy these benefits with a free membership:

    • Get helpful solutions from McAfee experts.
    • Stay connected to product conversations that matter to you.
    • Participate in product groups led by McAfee employees.
    Join the Community
    Join the Community