TRITON RiskVision Diagnostics : Investigating RiskVision performance
Investigating RiskVision performance
52064 | Diagnostics | TRITON RiskVision | 24-Sep-2015
Use the Diagnostics > Performance tab to find detailed information about RiskVision component and plugin performance. (A higher-level overview of RiskVision service performance is available on the System > Services tab of the Local Manager.)
The TCP Reassembly section at the top of the page provides information about the performance of the Assembler service, which is responsible for re-assembling IP flows. The table shows:
* How many TCP Connections Assembler is currently maintaining, and what percentage of the total possible connections (40,000) the current number of connections represents
* Memory Usage statistics for Assembler, including average and current memory use, total memory allocated, and the amount, date, and time of peak memory use since the service was last started
Below the TCP Reassembly section, tables show:
* Information about how quickly the Capture service is processing packets, as well as the total number of bytes and packets processed
* Details about how quickly the Assembler service is processing packets into TCP sessions
  The table also repeats information about the total number of active and possible TCP connections, and shows the capture time of the most recent packet processed by the Assembler service.
* Information about File Sandboxing Results, including the number of files sent, analyzed, and not analyzed (pending or abandoned)
  For analyzed files, the table shows how many were found to be malicious, and how many were found to be suspicious.
* Performance statistics for Transaction Processor and the plugins that it manages
  See Transaction Processor for more information.
Transaction Processor
The Transaction Processor service is responsible for channeling sessions through the Local Analysis plugins on the RiskVision appliance. Local Analysis determines whether traffic exhibits malicious or suspicious behavior. Based on the results of this analysis, a session may be:
*
*
*
Many of the Transaction Processor and plugin statistics on the Diagnostics > Performance tab provide information that is primarily useful to Websense Technical Support and Engineering personnel. Some of the information may be helpful to administrators, however, in determining whether the system is functioning as expected.
The summary table at the top of the Transaction Processor section shows how quickly the Transaction Processor service is processing data, as well as the total number of bytes and transactions processed since the last service restart.
Under Plugins, tables provide information about:
* How many Label Rules, used for determining how a transaction is analyzed, have been checked and matched
* Whether the YARA Plugin is compiling and matching YARA rules
* Whether the CloudApps Plugin is using the latest catalog and finding matches in analyzed incidents
* How many lookups the URL/User Lookup Plugin is performing, and whether it can read from the URL database
* How many transactions the Content Analytics Plugin is analyzing
* How many transactions qualify for analysis by the Data Analysis Plugin, and how many total violations have been found
* How many incidents have been flagged by the Sandboxing Incident Logger for further analysis by the File Sandboxing service
* The Detected File Types that can be identified by RiskVision analytics, and how many of each type have been seen

Copyright 2015 Raytheon | Websense. All rights reserved.