6 Replies Latest reply on Jul 15, 2010 7:53 AM by BionicSecurityEngineer

    fcag.exe is stuck at 99% CPU

      I'm new to HDLP and we're running into a problem. The fcag.exe process is experiencing a CPU race condition where it's stuck doing something. The previous episode lasted 15 hours on my test workstation before it finally stopped. I'm trying different combinations of rules and tags and options, but I haven't found the correct one yet to isolate or at least give me a hint as to what is causing the problem. I don't think it's the discovery job, since I am using the default option to suspend discovery at 80% CPU, unless that option doesn't work!?!?

       

      I'm checking the HDLP logs in C:\Documents and Settings\All Users\Application Data\McAfee\DLP\Temp but I honestly am not sure how to interpret them. Here's an excerpt from AgentLogicLogFile.log

       

      [ODEBUG] (1116-1260) [File Tracker] [FileContentTransmittedEvent::startProcessEvent] FTra.DH#000821 start event handler file : c:\documents and settings\all users\application data\mcafee\common framework\current\masecore2000\mase_det.mcs

      [ODEBUG] (1116-1260) [File Tracker] [FileContentEvent::calcMissingInformation] getMissingInformationForEvent

      [ODEBUG] (1116-1260) [Text Extractor Service] [TextExtractorService::addFileParsingRequest] adding quable request

      [ODEBUG] (1116-1260) [File Tracker] [FileContentTransmittedEvent::startProcessEvent] FTra.DH#000821 request text extraction filename(c:\documents and settings\all users\application data\mcafee\common framework\current\masecore2000\mase_det.mcs)

      [ODEBUG] (1116-1260) [Cpp Framework] [OOPGEnvelope::unpackHeader] Unpacking the message, Agent Protocol Version 03000000, Envelope Version 03000000!

      [ODEBUG] (1116-1260) [File Tracker] [FileContentEvent::textExtractionEnded] FTra.DH#000821 fail parsing file mase_det.mcs - error 4

      egExSearcher::searchContent] finish processing (((0[0-9])|(1[0-2])|(2[1-9])|(3[0-2])|(6[1-9])|(7[0-2])|80)([0-9]{7}))- (559140)

      [ODEBUG] (1116-3428) [Tagging Service] [RegExSearcher::searchContent] finish processing ((3[4,7]\d{2})(-?|\040*)\d{6}(-?|\040*)\d{5})- (559140)

      [OERROR] (1116-3428) [Tagging Service] [RegExSearcher::searchContent] bad regular expression search ((?:(?<visa>4\d{3})|(?<mastercard>5[1-5]\d{2})|(?<discover>6011)|(?<dinersclub> (?:3[68]\d{2})|(?:30[0-5]\d))|(?<americanexpress>3[47]\d{2}))([ -]?)(?(dinersclub)(?:\d{6}\1\d{4})|(?(americanexpress)(?:\d{6}\1\d{5})|(?:\d{4} \1\d{4}\1\d{4}))))- ignore this one

      [ODEBUG] (1116-3428) [Tagging Service] [RegExSearcher::searchContent] finish processing (([30|36|38]{2})([0-9]{12}))- (559156)

      [ODEBUG] (1116-3428) [Tagging Service] [RegExSearcher::searchContent] finish processing (([51|52|53|54|55]{2})([0-9]{14}))- (559171)

      [ODEBUG] (1116-3428) [Tagging Service] [RegExSearcher::searchContent] finish processing ((\d{4}-){3}\d{4})- (559171)

      [ODEBUG] (1116-3428) [Tagging Service] [RegExSearcher::searchContent] finish processing ((4\d{3})(-?|\040*)(\d{4}(-?|\040*?)){3})- (559171)

      [ODEBUG] (1116-3428) [Tagging Service] [RegExSearcher::searchContent] finish processing ((4\d{3})(-?|\040*)(\d{5})(-?|\040*?)(\d{4}))- (559171)

      Handler] [FileFilterHandler::onOpen] File already opened, just added to RunningProcessInfo

      [ODEBUG] (1092-3060) [File Tracker] [RunningProcessInfo::addFileInfo] Adding the file(winvnc4.exe) to process (2760)

      [ODEBUG] (1092-3060) [File Handler] [FileFilterHandler::onOpen] File already opened, just added to RunningProcessInfo

      e] We don't have open info on this file (1758656)

       

      Here's an excerpt from AgentTeLog.Log

      [ODEBUG] (4056-4072) [Text Extractor Service] [TextExtractor::onCommunicationRecieved] RequestFileInfoExtraction.RequestType.RequestFileText = 1

      [ODEBUG] (4056-4072) [Text Extractor Service] [TextExtractor::onCommunicationRecieved] RequestFileInfoExtraction.RequestType.RequestFileProtection = 0

      [ODEBUG] (4056-4072) [Text Extractor Service] [TextExtractor::onCommunicationRecieved] RequestFileInfoExtraction.FileFullName = c:\documents and settings\all users\application data\mcafee\common framework\catalog.z

      [ODEBUG] (4056-4072) [Text Extractor Service] [TextExtractor::onCommunicationRecieved] RequestFileInfoExtraction.ValidateFile = 1

      [ODEBUG] (4056-4072) [Text Extractor Service] [TextExtractor::onCommunicationRecieved] RequestFileInfoExtraction.FileSize = 4588

      [ODEBUG] (4056-4072) [Text Extractor Service] [TextExtractor::onCommunicationRecieved] RequestFileInfoExtraction.FileModificationDate = 1279040318

      [ODEBUG] (4056-4072) [Text Extractor Service] [TextExtractor::onCommunicationRecieved] RequestFileInfoExtraction.MountIndex = 1

      ext Extractor Service] [TextExtractor::onCommunicationRecieved] RequestFileInfoExtraction.RequestID = 455

      [ODEBUG] (636-3524) [Text Extractor Service] [TextExtractor::onCommunicationRecieved] RequestFileInfoExtraction.RequestType.RequestFileType = 0

      [ODEBUG] (636-3524) [Text Extractor Service] [TextExtractor::onCommunicationRecieved] RequestFileInfoExtraction.RequestType.RequestFileText = 1

      [ODEBUG] (636-3524) [Text Extractor Service] [TextExtractor::onCommunicationRecieved] RequestFileInfoExtraction.RequestType.RequestFileProtection = 0

      [ODEBUG] (636-3524) [Text Extractor Service] [TextExtractor::onCommunicationRecieved] RequestFileInfoExtraction.FileFullName = c:\documents and settings\administrator\local settings\temp\000005bc\1036.mst

      [ODEBUG] (636-3524) [Text Extractor Service] [TextExtractor::onCommunicationRecieved] RequestFileInfoExtraction.ValidateFile = 1

      [ODEBUG] (636-3524) [Text Extractor Service] [TextExtractor::onCommunicationRecieved] RequestFileInfoExtraction.FileSize = 52736

      [ODEBUG] (636-3524) [Text Extractor Service] [TextExtractor::onCommunicationRecieved] RequestFileInfoExtraction.FileModificationDate = 1270731818

      [ODEBUG] (636-3524) [Text Extractor Service] [TextExtractor::onCommunicationRecieved] RequestFileInfoExtraction.MountIndex = 1

      [ODEBUG] (636-3524) [Text Extractor Service] [TextExtractor::onCommunicationRecieved] RequestFileInfoExtraction.IsLocalDrive = 1

      [ODEBUG] (636-3524) [Text Extractor Service] [TextExtractor::onCommunicationRecieved] RequestFileInfoExtraction.UserToken = 0

      [ODEBUG] (636-2296) [Text Extractor Service] [TextExtractionMethod::onExecute] Processing file  c:\documents and settings\administrator\local settings\temp\000005bc\1036.mst

      [ODEBUG] (636-2296) [Text Extractor Service] [TextExtractionMethod::onExecute] Start parsing file c:\documents and settings\administrator\local settings\temp\000005bc\1036.mst

      leInfoExtraction.RequestType.RequestFileProtection = 0

      [ODEBUG] (3800-3540) [Text Extractor Service] [TextExtractor::onCommunicationRecieved] RequestFileInfoExtraction.FileFullName = c:\program files\mcafee\siteadvisor enterprise\scripts\green.gif

      [ODEBUG] (3800-3540) [Text Extractor Service] [TextExtractor::onCommunicationRecieved] RequestFileInfoExtraction.ValidateFile = 0

      Anyone else experiencing this issue? Any ideas on which log may contain the best information on which handler may be causing the problem?
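
      An added example, not part of the original post and not McAfee code: a small Python triage script for the line layout visible in the excerpts above (`[LEVEL] (pid-tid) [Component] [Class::method] message`). It lists File Tracker events that logged a text extraction request with no later `textExtractionEnded` line, and counts `OERROR` lines per handler. Pairing the two lines by their `FTra.DH#` id is an assumption drawn from the excerpt; the function names and the sample lines are constructed for illustration.

```python
import re
from collections import Counter

# Layout seen in the excerpts: [LEVEL] (pid-tid) [Component] [Class::method] message
LINE_RE = re.compile(
    r"^\[(?P<level>O[A-Z]+)\]\s+\((?P<pid>\d+)-(?P<tid>\d+)\)\s+"
    r"\[(?P<component>[^\]]+)\]\s+\[(?P<method>[^\]]+)\]\s+(?P<msg>.*)$"
)
EVENT_RE = re.compile(r"FTra\.DH#\d+")
REQUEST_RE = re.compile(r"request text extraction filename\((?P<path>.*)\)\s*$")

# Constructed sample lines modelled on the excerpts (paths and ids are made up).
SAMPLE = r"""
[ODEBUG] (1116-1260) [File Tracker] [FileContentTransmittedEvent::startProcessEvent] FTra.DH#000001 request text extraction filename(c:\temp\constructed_a.bin)
[ODEBUG] (1116-1260) [File Tracker] [FileContentEvent::textExtractionEnded] FTra.DH#000001 fail parsing file constructed_a.bin - error 4
[ODEBUG] (1116-1260) [File Tracker] [FileContentTransmittedEvent::startProcessEvent] FTra.DH#000002 request text extraction filename(c:\temp\constructed_b.bin)
[OERROR] (1116-3428) [Tagging Service] [RegExSearcher::searchContent] bad regular expression search (constructed)- ignore this one
e] We don't have open info on this file (1)
""".splitlines()

def parse(lines):
    """Yield one dict per well-formed line; cut-off fragments are skipped."""
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if m:
            yield m.groupdict()

def triage(lines):
    pending = {}        # event id -> path: extraction requested, no end line seen
    failed = []         # (event id, message) for extractions that ended in failure
    errors = Counter()  # (component, method) -> number of OERROR lines
    for rec in parse(lines):
        if rec["level"] == "OERROR":
            errors[(rec["component"], rec["method"])] += 1
        ev = EVENT_RE.search(rec["msg"])
        if not ev:
            continue
        req = REQUEST_RE.search(rec["msg"])
        if req:
            pending[ev.group()] = req.group("path")
        elif rec["method"].endswith("::textExtractionEnded"):
            pending.pop(ev.group(), None)
            if "fail parsing" in rec["msg"]:
                failed.append((ev.group(), rec["msg"]))
    return {"pending": pending, "failed": failed, "errors": errors}

if __name__ == "__main__":
    print(triage(SAMPLE))
```

      Run against a full AgentLogicLogFile.log, whatever remains in `pending` at the end of the file is a candidate for the file the agent was still working on while the CPU was pinned.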