Canadian Agency AssemblyLine Performance Troubleshooting

About AssemblyLine Performance Troubleshooting

AssemblyLine performance troubleshooting: You will need to tweak performance in AssemblyLine if you have lower resources than the recommended. This could result in Service Errors during submission analysis because of docker instances failing because of limited resources. In addition, you can just disable services that you do not need to speed up analysis.

Affiliate: Experience limitless no-code automation, streamline your workflows, and effortlessly transfer data between apps with Make.com.

AssemblyLine Performance Troubleshooting – Submitting file for Analysis

Left panel => [Submit] => [File] => Drag and drop => [Upload and Scan]

You can use Total Commander setup file as example. It includes around 700 files inside, which is a good performance test for AssemblyLine.

Checking Performance

Left Panel => [Dashboard]

Check the “System Resource” widget. If the memory gets around 75% and CPU is around 20% it is better to optimize services.

AssemblyLine Performance Troubleshooting – Lowering resource consumption

Right Top corner => [User Icon] => [Services]
    Click each service
        [GENERAL]
            Max Number of Instances: 1
            [SAVE CHANGES]

Recheck performance with the new settings

. Resubmit the file analysis
. Check the performance again
. See what Services have the most performance usage and are the slowest to complete.

Tweaking resources consumption

. Return to [Service] configuration again.
. Click the process you want to tweak:

    [GENERAL]
        Max Number of Instances
        *** You can increase this number so there will be more instances opened and files will balance between them.
        [SAVE CHANGES]
    [CONTAINER]
        Click the box under "Container Image"
            Allowed CPU cores
            *** You may increase the number of cores per instance, the processing may go faster.
            Allowed memory range
            *** You may increase the maximum memory value
            [SAVE]
        [SAVE CHANGES]

. Resubmit the file and check the Dashboards analyze the performance after tweaking.

Checking AssemblyLine Performance over SSH

You may check the performance of the docker instances on the server itself. Connect with SSH:

ssh user@serverIPorDOMAIN

Execute the docker status command:

sudo docker stats

This command will show you the performance and resource usage of each instance. By default, it shows these fields:

NAME, CPU %, MEM USAGE / LIMIT, MEM %, NET I/O, BLOCK I/O, PIDS

You can show only specific fields from the above. Command to show all the fields:

sudo docker stats --format "table {{.ID}}\t{{.Name}}\t{{.CPUPerc}}\t{{.MemUsage}}\t{{.MemPerc}}\t{{.NetIO}}\t{{.BlockIO}}\t{{.PIDs}}"

We used the next fields more than the others:

sudo docker stats --format "table {{.Name}}\t{{.CPUPerc}}\t{{.MemUsage}}\t{{.MemPerc}}"

To run stats on specific instance:

sudo docker stats al_DeobfuScripter_0

AssemblyLine Performance Troubleshooting – Thoughts and Tips

Our environment is 32 GB Memory and 32 CPU Cores. Meaning, we need to tweak AssemblyLine accordingly.
Pixaxe – Disabled the service. The CPU usage of each instance with 20 cores was on 100% for several hours without any result. Possible problem with a service, a bug or anything. Will wait for update to see if it performs better.
Floss – Needs more CPU than default settings, instances can close unexpectedly:

    Max number of instances: 4
    Allowed CPU cores: 10
    Allowed memory usage MAX: 768

YARA – Works fine with default settings, can perform faster with:

    Max number of instances: 2
    Allowed CPU cores: 4
    Allowed memory usage MAX: 768

FrankenStrings – Works fine with default settings, can perform better:

    Max number of instances: 4
    Allowed CPU cores: 10
    Allowed memory usage MAX: 512

Cukoo – If you have numerous files, you will need numerous instances to send as much files as you can to the sandbox and probably you will not need 2000 MB per instance because all the computing is done in Cukoo itself:

    Max number of instances: 10
    Allowed CPU cores: 0.5
    Allowed memory usage MAX: 1024

AssemblyLine Google Groups for Troubleshooting

Finally, you can follow the AssemblyLine Google Groups page to post your questions and check if there is already a solution for your query.

Leave a Comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.