0patch generally consumes a negligible amount of CPU resources. In contrast to many other security products that intercept potentially malicious data and have to compare it to a huge number of "signatures" to detect malware (often having to decompress file archives in the process), 0patch only executes a small amount of code to apply a micropatch in-memory to a running process - and it does that just once when a vulnerable module is loaded.
Where 0patch may consume a non-trivial amount of CPU resources is on systems where a lot of processes are executed frequently, such as:
- Citrix and Terminal Servers, where each new user session creates dozens of new processes in parallel; or
- systems running applications that periodically and frequently spawn processes (usually in the background).
In these cases, 0patch Agent, which has to calculate cryptographic hashes of all newly-loaded executable modules in all these processes (at the same time), can cause CPU consumption to spike, sometimes for several seconds or more.
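To make the scaling concrete, the following added example (illustrative code, not 0patch's own implementation) models a logon storm on a Terminal Server: several sessions each start several processes, and every process loads the same set of executable modules. It compares hashing on every module load with a hypothetical cache keyed on the module's path, size and modification time, so that an unchanged module is hashed once rather than once per process. The choice of SHA-256, the cache design and the sample "modules" (temporary files filled with random bytes) are all assumptions made for this example.

```python
import hashlib
import os
import tempfile


def module_hash(path):
    """Stream a file through SHA-256 in 1 MiB chunks.

    This is the per-module cost the text attributes to the agent on every
    module load. SHA-256 is an assumption; the actual algorithm is not stated.
    """
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


class ModuleHashCache:
    """Hypothetical cache keyed on (absolute path, size, mtime_ns).

    A module that has not changed on disk is hashed once; every later process
    that loads it is a dictionary lookup. A rewritten module gets a new key
    and is hashed again, so patch decisions never reuse a stale digest.
    """

    def __init__(self):
        self._entries = {}
        self.computed = 0  # number of real hash computations
        self.hits = 0      # number of loads answered from the cache

    def get(self, path):
        st = os.stat(path)
        key = (os.path.abspath(path), st.st_size, st.st_mtime_ns)
        digest = self._entries.get(key)
        if digest is None:
            digest = module_hash(path)
            self._entries[key] = digest
            self.computed += 1
        else:
            self.hits += 1
        return digest


def simulate_sessions(module_paths, sessions, processes_per_session):
    """Model `sessions` user sessions, each spawning `processes_per_session`
    processes, each of which loads every module in `module_paths`.

    Returns counts for both strategies so the difference is visible.
    """
    process_count = sessions * processes_per_session
    loads = process_count * len(module_paths)

    # Strategy 1: hash on every module load (the cost described in the text).
    hashed_per_load = 0
    for _ in range(process_count):
        for path in module_paths:
            module_hash(path)
            hashed_per_load += 1

    # Strategy 2: hash once per distinct on-disk module, then look up.
    cache = ModuleHashCache()
    for _ in range(process_count):
        for path in module_paths:
            cache.get(path)

    return {
        "loads": loads,
        "hashed_per_load": hashed_per_load,
        "hashed_cached": cache.computed,
        "cache_hits": cache.hits,
    }


def make_sample_modules(count, size_bytes):
    """Constructed sample 'modules': temporary files of random bytes."""
    directory = tempfile.mkdtemp(prefix="modules_")
    paths = []
    for i in range(count):
        path = os.path.join(directory, f"module{i}.dll")
        with open(path, "wb") as f:
            f.write(os.urandom(size_bytes))
        paths.append(path)
    return paths


if __name__ == "__main__":
    modules = make_sample_modules(count=10, size_bytes=256 * 1024)
    result = simulate_sessions(modules, sessions=20, processes_per_session=12)
    print(f"module loads:             {result['loads']}")
    print(f"hashes (per load):        {result['hashed_per_load']}")
    print(f"hashes (cached):          {result['hashed_cached']}")
    print(f"cache hits:               {result['cache_hits']}")
```

The per-load strategy performs one hash per module per process, so its cost grows with the number of processes started at the same time, which is exactly the logon-storm case above. The cached strategy grows only with the number of distinct modules on disk; the size-and-mtime key is what keeps it from serving a digest for a module that has since been replaced.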
There is currently no workaround for this, but we're developing a solution to significantly reduce the need for this hash calculation and plan to include it in the next version of 0patch Agent.
In any case - for the time being - if you're planning to evaluate 0patch in your environment, you'll want to include Citrix and Terminal Servers in the evaluation process.