FortiGate
tonylin1
Staff
Article Id 335401
Description This article describes how to limit the max percentage of flow-based antivirus memory usage.
Scope FortiGate 7.4.2 or above.
Solution

Scenario:

During busy hours, memory usage may increase because of the large number of files that the flow-based antivirus needs to scan.

 

Behavior:

  • Cached and Shmem memory continue to grow:

diag hardware sysinfo memory

MemTotal: 8040256 kB
MemFree: 2177472 kB
Buffers: 6308 kB

Cached: XXXXXX kB

......

Shmem: YYYYYY kB

 

  • FlowAV interface file open is much larger than FlowAV interface file close:

diagnose test application ipsmonitor 24

pid: 28619 from 20231013-15:17:26 to 20231013-16:13:13
av_failopen: enabled
FlowAV mmap : 0
FlowAV file open : 0
FlowAV timeout : 0
FlowAV req success : 20397
FlowAV req fail : 0
FlowAV req retry success : 0
FlowAV req retry fail : 0
FlowAV bypassed scan : 0
FlowAV buffer scan : 0
FlowAV file scan : 0
FlowAV interface file open : 23583
FlowAV interface file close : 22052
FlowAV ignored files : 0
FlowAV legacy scan : 20397
FlowAV default scan : 0
FlowAV buffer allocation fail : 0
FlowAV buffer reallocation : 19167
FlowAV buffer reallocation fail: 0
FlowAV queue count: 0 retry_count: 0
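
Both symptoms can be checked mechanically from saved CLI output. The following Python script is an added example, not Fortinet code: it parses the two command outputs and reports the open/close gap, the Shmem share of total memory, and the bypassed-scan counter. The function names, the alert thresholds, and the Cached/Shmem sample values (masked in the article) are assumptions.

```python
import re

# Sample taken from the counters shown above (abridged to the lines used here).
IPSMONITOR_SAMPLE = """\
pid: 28619 from 20231013-15:17:26 to 20231013-16:13:13
av_failopen: enabled
FlowAV req success : 20397
FlowAV bypassed scan : 0
FlowAV interface file open : 23583
FlowAV interface file close : 22052
FlowAV buffer allocation fail : 0
FlowAV queue count: 0 retry_count: 0
"""

# Constructed sample: the article masks Cached/Shmem, so these two values are made up.
MEMINFO_SAMPLE = """\
MemTotal: 8040256 kB
MemFree: 2177472 kB
Buffers: 6308 kB
Cached: 3216102 kB
Shmem: 2412077 kB
"""

def parse_counters(text):
    """Return {name: int} for every line of the form 'name : number [kB]'."""
    out = {}
    for line in text.splitlines():
        m = re.match(r"\s*([A-Za-z][\w ]*?)\s*:\s*(\d+)(?:\s*kB)?\s*$", line)
        if m:
            out[m.group(1)] = int(m.group(2))
    return out

def flowav_report(ips_text, mem_text, max_open_gap=1000, max_shmem_pct=25.0):
    """Flag the two symptoms from the article; both thresholds are assumptions."""
    ips, mem = parse_counters(ips_text), parse_counters(mem_text)
    gap = ips["FlowAV interface file open"] - ips["FlowAV interface file close"]
    shmem_pct = round(100.0 * mem["Shmem"] / mem["MemTotal"], 1)
    return {
        "open_close_gap": gap,
        "shmem_pct": shmem_pct,
        "bypassed_scan": ips.get("FlowAV bypassed scan", 0),
        "gap_alert": gap > max_open_gap,
        "shmem_alert": shmem_pct > max_shmem_pct,
    }

if __name__ == "__main__":
    for key, value in flowav_report(IPSMONITOR_SAMPLE, MEMINFO_SAMPLE).items():
        print(f"{key}: {value}")
```

Running it on successive captures shows whether the gap and the Shmem share keep growing, and the `bypassed_scan` value is worth tracking once `av-failopen pass` is in effect.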

 

Solution:

 

Set the maximum percentage of system memory that flow-based antivirus may use for scanning:

 

config ips global

set av-mem-limit <integer>

end

The value for av-mem-limit is an integer from 10 to 50, or the special value 0.

 

Flow-based antivirus will bypass the AV scan for files that are currently being buffered:

 

config system global

set av-failopen pass

end

 
