Login
      Contents x
      Impact of CFPMID on Linux Process Memory Management
      • 19 Jul 2024
      • 1 Minute to read
      • PDF
      Contents

      Impact of CFPMID on Linux Process Memory Management

      • Updated on 19 Jul 2024
      • 1 Minute to read
      • PDF
      Article summary

      The CFPMID plugin scans the memory pages of other processes on the customer’s Linux system, looking for signatures in memory that could indicate compromise. When an Operating System (OS) scans a process’s virtual memory, it might bring unnecessary pages into active memory, pages the process wouldn't typically require for execution. Even without swap space being enabled, memory-mapped files (such as the binary itself) are only loaded into resident memory when pages are accessed.

      For most systems, this does not produce a significant operational overhead; the plugin purposefully runs at a low priority and does not hold on to pages after scanning them. Because the pages read from memory-mapped files and are file-backed and unmodified, they should be eligible to be removed from resident memory when any memory pressure arises. Most binaries also have relatively small numbers of unused pages compared to their total resident memory in everyday use. Nevertheless, the inflated resident size could interfere with resource consumption monitoring and make things difficult for the operations management teams or automated scheduling, such as Kubernetes.

      To ensure optimal performance, users who encounter disruptions from this plugin can simply disable it.

      Plugin Behavior

      CFPMID can cause increased memory usage in user workloads. After installing the CFPMID plugin (which typically comes with the sensor), other programs may show a significant rise in resident memory compared to before. This rise can happen because the program might be sizable on a disk (like a Rust binary with debugging symbols still present). When CFPMID scans the program’s memory space, the operating system can load more of the binary into active memory, inflating the resident size closer to the entire binary size on a disk.

      Turn off plugin/s

      • Turn off the CFPMID plugin on one or more affected hosts. 

        • This process can be done individually via Red Canary’s Endpoint pages or company-wide via Red Canary for managing External Services.

        • Once it is confirmed that the CFPMID plugin has stopped running, restart the affected processes or wait for new instances to come online.

      • The diagnosis is confirmed once the memory footprint of the new process instance remains at the pre-CFPMID install level. 

      Was this article helpful?
      What's Next
      PRODUCTS
      USE RED CANARY
      SUPPORT
      Change password!
      Changing your password will log you out immediately. Use the new password to log back in.
      Change profile
      Success!
      First name must have atleast 2 characters. Numbers and special characters are not allowed.
      Last name must have atleast 1 characters. Numbers and special characters are not allowed.
      Enter a valid email
      Enter a valid password
      Your profile has been successfully updated.
      Logout