Impact of CFPMID on Linux Process Memory Management
    • 19 Jul 2024

    The CFPMID plugin scans the memory pages of other processes on the customer's Linux system, looking for in-memory signatures that could indicate compromise. When a process's virtual memory is read from outside that process, the kernel may have to bring pages into resident memory that the process itself would never have touched during normal execution. This happens even with swap disabled: memory-mapped files (including the program's own binary and its shared libraries) are loaded into resident memory on demand, one page at a time, only when something accesses them.

    For most systems this does not produce significant operational overhead; the plugin deliberately runs at low priority and does not hold on to pages after scanning them. Because the pages it reads from memory-mapped files are file-backed and unmodified (clean), they are eligible to be dropped from resident memory as soon as memory pressure arises, with no write-back required. Most binaries also have relatively few unused pages compared to their total resident size in everyday use. Nevertheless, the inflated resident size can interfere with resource-consumption monitoring and mislead operations teams or automated schedulers such as Kubernetes, which act on observed memory usage.

    Users who encounter disruption from this plugin can simply disable it.

    Plugin Behavior

    CFPMID can cause increased resident memory usage in user workloads. After the CFPMID plugin is installed (it typically ships with the sensor), other programs may show a significant rise in resident memory (RSS) compared to before. The effect is most visible when the program's binary is large on disk (for example, a Rust binary with debugging symbols still present): when CFPMID scans the program's memory space, the operating system loads more of the binary into resident memory, inflating the resident size toward the full size of the binary on disk.

    Turn off the plugin

    • Turn off the CFPMID plugin on one or more affected hosts. 

      • This can be done per host via Red Canary's Endpoint pages, or company-wide via Red Canary's External Services management.

      • Once you have confirmed that the CFPMID plugin has stopped running, restart the affected processes or wait for new instances to come online.

    • The diagnosis is confirmed when the memory footprint of the new process instances returns to its pre-CFPMID level. 
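    The following script is an added example, not Red Canary's or the CFPMID plugin's own code. It reproduces the mechanism described under Plugin Behavior and gives a measurable form to the diagnosis steps above: it reads every file-backed mapping of a target process through /proc/<pid>/mem, the same kind of out-of-process read a memory scanner performs, and compares the target's RSS breakdown from /proc/<pid>/status before and after. The tell-tale signature is RssFile growing while RssAnon stays flat. The demo target (a child process that maps a 64 MiB temporary file without touching it) and the 256 kB slack threshold are constructed for the illustration; the script assumes a Linux host where the caller may read the target's /proc/<pid>/mem (same user with Yama ptrace_scope <= 1, which a child process satisfies, or CAP_SYS_PTRACE).

```python
"""Reproduce and diagnose the RSS inflation a remote memory scan causes on Linux.

Added example, not Red Canary's or the CFPMID plugin's code. Assumes Linux and
permission to read /proc/<pid>/mem of the target: same user with Yama
ptrace_scope <= 1 (the demo target is our own child), or CAP_SYS_PTRACE.
"""
import os
import re
import subprocess
import sys
from dataclasses import dataclass

# /proc/<pid>/status reports these in kB (the Rss* split exists since Linux 4.5).
_STATUS_FIELDS = ("VmRSS", "RssAnon", "RssFile", "RssShmem")
# /proc/<pid>/maps line layout: "start-end perms offset dev inode path"
_MAPS_RE = re.compile(r"^([0-9a-f]+)-([0-9a-f]+) (\S{4}) \S+ \S+ (\d+)\s*(.*)$")

@dataclass(frozen=True)
class RssBreakdown:
    vm_rss_kb: int
    anon_kb: int
    file_kb: int
    shmem_kb: int

def parse_status(text: str) -> RssBreakdown:
    """Pull the Rss* counters out of a /proc/<pid>/status dump."""
    vals = {}
    for line in text.splitlines():
        key, sep, rest = line.partition(":")
        if sep and key in _STATUS_FIELDS:
            vals[key] = int(rest.split()[0])  # "<n> kB"
    if any(f not in vals for f in _STATUS_FIELDS):
        raise ValueError("status dump lacks one of %s" % (_STATUS_FIELDS,))
    return RssBreakdown(*(vals[f] for f in _STATUS_FIELDS))

def parse_maps(text: str):
    """(start, end, path) of readable file-backed mappings. Anonymous memory has
    inode 0; pseudo-mappings such as [vdso] are skipped as well."""
    out = []
    for m in filter(None, map(_MAPS_RE.match, text.splitlines())):
        start, end, perms, inode, path = int(m[1], 16), int(m[2], 16), m[3], int(m[4]), m[5]
        if inode != 0 and "r" in perms and not path.startswith("["):
            out.append((start, end, path))
    return out

def rss_breakdown(pid: int) -> RssBreakdown:
    with open(f"/proc/{pid}/status") as f:
        return parse_status(f.read())

def touch_file_backed_pages(pid: int, chunk: int = 1 << 20) -> int:
    """Read every readable file-backed mapping of pid via /proc/<pid>/mem.

    The kernel serves each read by faulting the backing file's pages into the
    target's page tables, which is what inflates its RssFile. Returns bytes read."""
    with open(f"/proc/{pid}/maps") as f:
        ranges = parse_maps(f.read())
    total, fd = 0, os.open(f"/proc/{pid}/mem", os.O_RDONLY)
    try:
        for start, end, _path in ranges:
            off = start
            while off < end:
                try:
                    data = os.pread(fd, min(chunk, end - off), off)
                except OSError:  # EIO: this range cannot be faulted in, skip it
                    break
                if not data:
                    break
                total, off = total + len(data), off + len(data)
    finally:
        os.close(fd)
    return total

def scan_inflated(before: RssBreakdown, after: RssBreakdown, slack_kb: int = 256) -> bool:
    """The article's signature: RssFile grew while RssAnon stayed flat. Growth in
    RssAnon instead points at the workload itself (heap growth, a leak)."""
    return (after.file_kb - before.file_kb > slack_kb
            and abs(after.anon_kb - before.anon_kb) <= slack_kb)

# Constructed demo target: maps a 64 MiB file but never touches it, so the
# mapping is file-backed yet not resident until an outside reader faults it in.
_TARGET = r"""
import mmap, sys, tempfile, time
with tempfile.TemporaryFile() as f:
    f.truncate(64 << 20)
    m = mmap.mmap(f.fileno(), 0, access=mmap.ACCESS_READ)
    sys.stdout.write("ready\n"); sys.stdout.flush()
    time.sleep(300)
"""

def main() -> None:
    target = subprocess.Popen([sys.executable, "-c", _TARGET], stdout=subprocess.PIPE, text=True)
    try:
        target.stdout.readline()  # block until the target has mapped its file
        before = rss_breakdown(target.pid)
        nbytes = touch_file_backed_pages(target.pid)
        after = rss_breakdown(target.pid)
        print(f"read {nbytes >> 20} MiB; before={before}\nafter={after}")
        print("RSS inflated by the scan" if scan_inflated(before, after) else "no inflation seen")
    finally:
        target.kill()
        target.wait()

if __name__ == "__main__":
    main()
```

    Run it as `python3 scan_rss.py`; the "after" line should show RssFile roughly 64 MiB larger than "before" with RssAnon unchanged, which is the same shape a scanned production process shows. On a real host you do not need the script to apply the check: compare `grep -E 'Rss(Anon|File)' /proc/<pid>/status` for a process instance started after the plugin was disabled against one started while it was running. A drop in RssFile with RssAnon unchanged confirms this effect; a change in RssAnon points at the workload itself rather than the scan.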

