I've installed the eval. version (2.0.1) of the HIDS on a w2k server running on IIS, it is now on protecting-mode. When users logon to the server, it takes over a minute for the login to finish, also noticed pages take longer to display. Not sure if these were caused by the IDS or not...any help would be highly appreciated!
See if the agent is running in debug mode by going into the Program Files\Cisco IDS\Agent directory and double clicking the config.exe. There is a checkbox on the dialog that indicates if it is in debug mode. It should not be run in debug mode.
Does the performance improve when you deactivate the agent? Is the console also installed on this box?
The agent is not running in debug mode. Once I deactivate the agent, everything works fine. The console is installed on a different box. Thanks!
Is the performance OK when the agent is activated, but only in Warning mode?
Are they running on a host with adequate CPU? It should be at least a PIII, 400
The performance is the same, either in Warning or Protecting mode. This agent is installed on a dual 933 MHz processor with 1G or RAM.
A few more questions, but no answers - yet. What version of IIS are you running? Are you running Mcafee Netshield or Netops? What is the CPU utilization (according to the Task Manager) when the slowdown occurs?
I've seen the same problem with another HIDS customer. AFIK there are no compatibility issues, but I'm trying to isolate the problem.
We are running IIS 5, no Mcafee Netshield or Netops, just Norton AntiVirus CE 7.5. Not sure what the CPU utilization is because the agent has already been uninstalled due to complaints and stuff. But we have already purchased some licenses and I can't move on with this project until this issue is resolved.
Im sorry youve had to uninstall the agent. Did this fix the problem?
Do you know if the agent was running in debug mode. When the Agent is running in Debug Mode, the Agent continually writes to the file CSlog.txt. This process can adversely affect processor performance. You should only run the Agent in Debug Mode if you are troubleshooting the Agent for a specific reason. You can run the config.exe located in the Agent directory and confirm the check box is cleared for "Enable Debugging."
Is it possible for you to re-install the agent on the affected system?
If so, ensure that the debugging is disabled.
If you continue to have problems, can you run Windows Task Manager (CTL-ALT-DEL and select Task Manager). From Task Manager can you get the CPU and memory utilization. Next, can you select the Processes tab? From the Processes window, sort the processes by CPU utilization and take note of the processes that are hogging the CPU. Finally, can you temporarily disable Norton Anti-virus to see if this alleviates the problem? I dont know of any issues with Norton Anti-virus Im just troubleshooting.
It you continue to have problems you can de-activate the agent without uninstalling it. You can do this by changing the agents state to the off-warning state from the console. This essentially unloads the agent. Did this alleviate the problem?
Please let me know what you find. I can escalate the problem to the developers if needed.
After uninstalling the agent, the server is running fine. The agent was not running in debug mode. I'm in the process of reinstalling the agent but am running into problems. When I tried to reinstall, the installation hung, so I rebooted the server. When I went to Add/Remove Programs, I found that Cisco HIDS Agent appeared in the window, so I tried to uninstall it, but it won't let me, saying: "The log file 'C:\Program Files\Cisco IDS\Agent\Uninst.isu' is not valid or the data has been corrupted. Uninstallation will not continue." I attempted to run the installation again but it hang also. I know this has to do with not stopping the IIS service first before the uninstallation (leaving some dlls behind). What should I do now to manually uninstall the corrupted agent? Thanks!
Uninstallation of the Cisco Agent (Web or Standard) does not completely remove all components. Manual remove of the components will be require if a re-install is needed. The following components should be removed to complete the uninstall: Registry Entry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\entercept Agent Directory: C:\Program Files\Cisco IDS\Agent
The problem here is that I can't run the uninstallation because the last installation wasn't complete. Okay...I removed the registry entry but can't delete the agent directory (IsapiStud.dll access denied). Well, I tried to run the installation again...same result (froze). fyi...this server is sitting on the DMZ, I have opened up port 5000 between this server and the console, but when I checked the log I noticed that this server is trying to access the console on udp port 137 (netbio?)...why is it doing this? HELP!!!
Is this a licensed version or an evaluation version? If this is a licensed version, I suggest that you contact Cisco TAC, http://www.cisco.com/public/support/tac/contact.shtml, to help you resolve this problem.
Otherwise, here are a few steps that you can take to try to resolve the problem. Since it sounds like the Agent is now in an inconsistent installation state, I'm not sure how well the steps will work. Delete only "AgentNT.exe" in the Agent's directory. Reboot. Go to Window's Add/Remove programs and remove the Cisco HIDS Agent. Now complete removal by removing the Agent's resgistry setting and the Agent's directory. Hopefully some combination of the above steps will resolve the problem.