One endpoint is unable to detect a malicious file while another endpoint detects the same file

Issue Description

The customer is testing Endpoint Secure detection. While testing on multiple endpoints, the customer found that one endpoint was unable to detect a file as malicious, while another endpoint detected the same file as malicious.


Handling Process

  1. Check the database version of both agents; it is consistent.

  2. Check the Security Protection configurations; both agents are in the same group.
    Note:
    a) If the agents are in different groups, check whether their configurations differ.

  3. Export the scan result from the endpoint that detects the malicious file normally; it shows that the detection was made by the "Gene Analysis Engine".

  4. Check the sfavsvc logs; they show that the Gene Engine could not be loaded because the endpoint had insufficient available memory.
    C:\Program Files\SF\EDR\agent\var\logs\sfavsvc.exe

  5. The affected endpoint has high memory consumption.

  6. After terminating a few applications to reduce memory consumption, the Gene Engine loads normally and the agent detects the malicious file as expected.
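The check in steps 4 to 6 can be scripted on the affected Windows endpoint. The following PowerShell is an added example written for this article, not a tool shipped with Endpoint Secure: it compares free physical memory against the 800 MB threshold given in the Root Cause section and, when the endpoint falls below it, lists the processes holding the most memory so the operator knows what to reduce. The function and variable names are the editor's own; the threshold value is the only figure taken from the article.

```powershell
# Added example (not part of the original KB article): check whether this
# endpoint has enough free physical memory for the Gene Engine to load and,
# if not, show which processes hold the most memory. The 800 MB threshold is
# the one stated in the article; the names below are assumptions of this example.

$GeneEngineMinFreeMB = 800   # threshold from the article's Root Cause section

function Get-FreeMemoryMB {
    # Win32_OperatingSystem reports FreePhysicalMemory in kilobytes
    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    return [math]::Round($os.FreePhysicalMemory / 1024, 0)
}

function Test-GeneEngineMemory {
    param([int]$MinFreeMB = $GeneEngineMinFreeMB)
    $freeMB = Get-FreeMemoryMB
    if ($freeMB -lt $MinFreeMB) {
        Write-Host ("Free memory {0} MB is below the {1} MB the Gene Engine needs to load." -f $freeMB, $MinFreeMB)
        return $false
    }
    Write-Host ("Free memory {0} MB is sufficient (threshold {1} MB)." -f $freeMB, $MinFreeMB)
    return $true
}

function Get-TopMemoryProcesses {
    param([int]$Count = 10)
    # Largest working sets first: candidates to stop or tune before re-testing (step 6)
    Get-Process |
        Sort-Object -Property WorkingSet64 -Descending |
        Select-Object -First $Count -Property Name, Id,
            @{ Name = 'WorkingSetMB'; Expression = { [math]::Round($_.WorkingSet64 / 1MB, 1) } }
}

if (-not (Test-GeneEngineMemory)) {
    Get-TopMemoryProcesses | Format-Table -AutoSize
}
```

Run it in an elevated PowerShell session on the endpoint that misses the detection. If it reports free memory below the threshold, this matches the condition in the sfavsvc log from step 4; re-run it after reducing memory consumption to confirm the endpoint is above 800 MB before re-testing the sample.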


Root Cause

If the available memory on the endpoint is less than 800M, the Gene Engine is not loaded, so detections that depend on it are not produced.


Solution

This is the current design of the Endpoint Secure agent detection mechanism: when the endpoint is short of resources, certain modules (such as the Gene Engine) cannot run properly, and detection coverage is reduced accordingly.


Suggestions

  1. Reduce the memory utilization on the endpoint.

  2. Increase the available memory on the endpoint.