When Application Control is enabled in IWSVA 6.5, this causes the network to slow down.
The appd process used by Application Control analyzes a packet data through IWSVA and then uses it for reports and logs.
Appd checks the packet data before the virus scan or the URL filtering HTTP service. This means that when appd is enabled, IWSVA takes more time than when it is disabled. Therefore, Trend Micro recommends to stop the appd process or (only if it is not needed by the company policies) to disable application control.
When appd is disabled:
- Application Control Policy does not perform Allow or Block actions.
The following data will not appear on the web console.
- System Status > Concurrent Connection > Application Connections
- System Status > Bandwidth Control - Downstream
- System Status > Bandwidth Control - Upstream
- Dashboard > Application Bandwidth
- Dashboard > The Blocked Applications
- Dashboard > The Allowed Applications
- Dashboard > Top Policy Enforcement - Application Control
- Log > Log Analysis > Application bandwidth
- Reports > Internet Access > Top N Applications Visited
- Reports > Bandwidth > Top N Application by Bandwidth
- Reports > Bandwidth > Top N Users by Bandwidth
- Reports > Bandwidth > Top N Groups by Bandwidth
- Reports > Policy Enforcement > Top N Applications Blocked
- Reports > Policy Enforcement > Most Violation for Application Control Policy
There are two ways to resolve the issue:
By stopping the whole application control:
This method stops the whole application control.
- Log in to the IWSVA WebUI.
- Go to Application Control > Policies.
- Uncheck Enabled Application Control.
- Go to the Bandwidth Control > Policies.
- Uncheck Enabled Bandwidth Control.
By stopping only the appd daemon:
This method only stops the appd process. The Application Control policy still works even if appd is disabled.This requires IWSVA 6.5 SP2 Patch 1 (build 1707) or later.
Create a backup copy of intscan.ini.
# cp -ip /etc/iscan/intscan.ini /etc/iscan/intscan.ini.bak
# vi /etc/iscan/intscan.ini
Change enable_appd_daemon key under [app-control] section from "yes" to "no".
------------------------ [app-control] enable_appd_daemon=no ------------------------
- Save intscan.ini.
Restart the appd daemon.
# /etc/iscan/S99ISappd restart