Skip to main content
uberAgent

uberAgent 7 Preview: EDR & Antivirus Performance Monitoring

  • by Helge Klein
  • June 20, 2022

While we’re finalizing version 7.0 of our user experience monitoring & endpoint security analytics products uberAgent UXM and uberAgent ESA, let’s take a look at another cool new feature: protected process performance monitoring (applies to EDR, antivirus, and other types of security products).

What Are Protected Processes?

Endpoint security products need to protect themselves from tampering and deactivation by malware. One of the techniques to help with such protection is built into the Windows OS: protected processes light (PPL).

The PPL model represents a security boundary. When a vendor chooses to run its security agent as a protected process light, other user-mode processes cannot modify or terminate the agent any more – this includes elevated processes and processes running as SYSTEM (access right details).

Pros & Cons of Protected Processes Light (PPL)

Pros

  • Security hardening.

Cons

When a security product makes use of the PPL security model, some operations become more difficult, e.g.:

  • Administrators cannot stop or restart the product’s system services.
  • Monitoring software cannot query the OS for CPU or RAM performance metrics of the product’s processes.

Process Protection Levels

A process’ protection level is stored in the Protection member of the EPROCESS kernel structure. The Protection member is a PS_PROTECTION structure containing the following three components (docs):

  • Type
  • Audit (unused)
  • Signer

Type can be one of the following:

  • PsProtectedTypeNone: the process is not protected.
  • PsProtectedTypeProtectedLight: the process is a protected process light (PPL).
  • PsProtectedTypeProtected: the process is a protected process.

The actual protection level is a combination of Type and Signer. The following table lists the valid protection levels from high to low power:

Protection level Type Signer
PsProtectedSignerWinSystem Protected WinSystem
PsProtectedSignerWinTcb Protected WinTcb
PsProtectedSignerWinTcb-Light Protected light WinTcb
PsProtectedSignerWindows Protected Windows
PsProtectedSignerWindows-Light Protected light Windows
PsProtectedSignerLsa-Light Protected light LSA
PsProtectedSignerAntimalware-Light Protected light Antimalware
PsProtectedSignerAuthenticode Protected Authenticode
PsProtectedSignerAuthenticode-Light Protected light Authenticode
PsProtectedSignerNone None None

How to Monitor the CPU & RAM Performance of Protected Processes?

The Windows security model does not allow regular user-mode monitoring products to query the CPU or RAM usage of a protected process. Only processes with equal or higher protection level can access protected processes, even if it’s only to collect performance data. There are two ways to solve this:

  1. Configure the monitoring product to run as a protected process itself, at a protection level that is higher than the processes it needs to monitor. This is impractical given that some OS processes like wininit.exe or lsass.exe run at very high protection levels (PsProtectedSignerWinTcb-Light and PsProtectedSignerLsa-Light, respectively).
  2. Collect process performance data from a kernel-mode driver. This is exactly what uberAgent 7.0 does and which enables it to collect performance metrics for all processes independent of their protection level.

Example: Windows Defender CPU & RAM Performance

The following screenshots demonstrate uberAgent’s new capability to monitor the performance of security agents and antivirus products. We’re using Windows Defender as an example. Typical for antivirus products, Defender’s main process MsMpEng.exe has the following protection properties:

  • Type: Protected light
  • Signer: Antimalware
  • Protection level: PsProtectedSignerAntimalware-Light

Please note that the screenshots were taken in a lab environment and show average values of multiple endpoints.

Windows Defender CPU & RAM Usage Over Time

As you can see in the screenshot below, the baseline RAM usage is approximately 200 MB. Interestingly, the RAM usage increases significantly to almost 600 MB over a period of several hours once per day. These increases do not coincide with CPU spikes (blue line).

Windows Defender CPU Usage per Process

The average CPU usage of Windows Defender is very low. The most active process is MsMpEng.exe. All Defender processes combined generate an average CPU load of less than 0.2%.

Windows Defender RAM Usage per Process

The average RAM usage of Windows Defender is a little more than 300 MB. Again, the most active process is MsMpEng.exe.

Windows Defender CPU & Disk IO per Process

As with CPU and RAM usage, MsMpEng.exe generates most of the disk IO. The value of 36,712 in the screenshot below was measured over a period of three full days. Disk operations per second (IOPS) are, therefore, low.

Windows Defender Network Connections

Defender talks to multiple hosts in the Azure Cloud. Actual hostnames and IP addresses will vary between geographic regions.

Resources

About uberAgent

uberAgent is an innovative Windows and macOS user experience monitoring (UXM) and endpoint security analytics (ESA) product.

uberAgent UXM highlights include detailed information about boot and logon duration, application unresponsiveness detection, network reliability drill-downs, process startup duration, application usage metering, browser performance, web app metrics, and Citrix insights. All these varied aspects of system performance and reliability are smartly brought together in the Experience Score dashboard.

uberAgent ESA excels with a sophisticated activity monitoring engine, the uAQL query language, detection of risky activity, DNS query monitoring, hash calculation, registry monitoring, and Authenticode signature verification. uberAgent ESA comes with Sysmon and Sigma rule converters, a graphical rule editor, and uses a simple yet powerful query language instead of XML.

About vast limits

vast limits GmbH is the company behind uberAgent, the innovative user experience monitoring and endpoint security analytics product. vast limits’ customer list includes organizations from industries like finance, healthcare, professional services, and education, ranging from medium-sized businesses to global enterprises. vast limits’ network of qualified solution partners ensures best-in-class service and support anywhere in the world.

Comments

Your email address will not be published. Required fields are marked *