Endpoint Protection


Network Threat Protection always slows down - true?

  • 1.  Network Threat Protection always slows down - true?

    Posted Apr 12, 2010 02:56 PM
    If you have Network Threat Protection (NTP) installed and enabled, do you just have to accept the fact that client network throughput will slow down?

    I'm doing some testing with having NTP enabled or disabled.  One test is running a WMI query of the list of software installed on a client.  With NTP disabled, the list takes 3 seconds to populate.  With NTP enabled, the list takes 10 seconds to populate.

    I have the Firewall policy disabled.  I also tried enabling the Firewall policy with a blank rule to allow all.  Only disabling NTP, or uninstalling it, solves the issue with the slow throughput.

    This is SEP 11.0.5002.333.  Is the slowness just the result of NTP and that's the way it is?

    Thanks.


  • 2.  RE: Network Threat Protection always slows down - true?

    Posted Apr 12, 2010 03:20 PM
    The SEP firewall installs the Teefer2 driver in your NIC card driver, so that it can sniff all the packets coming in and going out of your network regardless of firewall rule; it also checks it for IPS.


  • 3.  RE: Network Threat Protection always slows down - true?

    Posted Apr 12, 2010 03:58 PM
    Hi Thromada,

    Security always comes at a price.  In computer security, there is always a performance hit due to scanning by AV or the extra processing that is required by a firewall.

    I'm surprised that the extra delay in your case is seven seconds, even with the NTP policy withdrawn.  Do you have another firewall enabled at the same time, perhaps the Windows Firewall that comes with XP/Vista/Win7?  Is it only with this WMI query or is that performance hit present regardless of what you are doing from that client?

    Thanks and best regards,

    Mick


  • 4.  RE: Network Threat Protection always slows down - true?

    Posted Apr 12, 2010 04:19 PM
    NTP acts as a traffic filter. So with NTP enabled you are bound to experience a bit of delay, but this is marginal.

    And it can be ignored for the kind of work it does.

     The Symantec Endpoint Protection client firewall provides a barrier between the computer and the outside network. The client firewall prevents unauthorized users from accessing the computers and the networks that connect to the Internet, detects possible hacker attacks, protects personal information, and eliminates unwanted sources of network traffic. The firewall also protects against network threats and malware that attempt to proliferate in your network, such as bots. All the information that enters or leaves the client computer must pass through the client firewall, which examines the information packets. The client firewall blocks packets that do not meet the specified security criteria.

    Title: 'Symantec Endpoint Protection 11.0 Network Threat Protection (Firewall) Overview and Best Practices White Paper'
    Document ID: 2007121714495348
    Web URL: http://service1.symantec.com/support/ent-security.nsf/docid/2007121714495348?Open&seg=ent



  • 5.  RE: Network Threat Protection always slows down - true?

    Posted Apr 12, 2010 04:46 PM
    This is the first client testing with NTP.  The other test clients have only AV, AntiSpyware, and Proactive Threat Protection.  So far the user has not said anything about slowdowns.  However, in addition to the slow remote WMI query of installed products, I did some basic file copying from my computer to the test client.  We are both on the same subnet and bandwidth.  Copying 1,289 files (89MB):

    NTP enabled: average = 2min 40sec
    NTP disabled: average = 0min 20sec

    Like I said, this is the first test client.  But if these stats hold true for other clients, this won't be acceptable.  Is anybody else experiencing something similar?


  • 6.  RE: Network Threat Protection always slows down - true?

    Posted Apr 12, 2010 09:55 PM

    Even with an allow ANY ANY rule in the firewall the traffic is still passed through from the network stack level.
    There are also a large number of hidden firewall rules in place regardless of the settings you have created.

    Then you have IPS and AV scanning taking place as well so there is quite a lot of overhead.

    Z



  • 7.  RE: Network Threat Protection always slows down - true?

    Posted Apr 13, 2010 05:34 AM

    Hi Thromada,

    An extra 2 minutes and 20 seconds to copy 89 MB seems very slow.  Are these virtual machines or physical computers?  What OS'es are involved? 

    There are some changes/improvements coming in SEP 11 RU6 which should offer some improvement, and many additional changes coming for next year's big release.  I recommend performing your tests with SEP 11 RU6 and seeing if the same delay can be reproduced on additional test computers.

    Thanks and best regards,

    Mick



  • 8.  RE: Network Threat Protection always slows down - true?

    Posted Apr 13, 2010 01:36 PM

    At this point I’m not sure what was happening yesterday – my first day of testing with NTP enabled.  I agree Mick2009 that is VERY slow.  I think it has to do with copying from my Windows 7 x64 client for some reason.  Today I did some more file-copy timing-tests; and the results are acceptable – nearly the same times with NTP enabled or disabled (between 30 and 45 seconds for the clients and subnet I was testing).

    Yesterday I was copying between my Windows 7 x64 local drive to an XP Pro SP3 local drive.  Today I did various copies from an XP Pro SP3 local to another client; to the network and back, etc.  The results are still between 30 and 45 seconds for 1,289 files at 89MB.
     
    I’ll continue testing and deploying cautiously.  By the way Mick2009, you suggested I perform my tests with SEP 11 RU6.  Is that available?
     
    Thanks all for your replies.
     


  • 9.  RE: Network Threat Protection always slows down - true?

    Posted Apr 13, 2010 10:39 PM
    This drastic of a slowdown seems strange to me too. I am going to run some tests with my Win 7 (x64) test machine to see if I am seeing the same slowdowns. I will report back tomorrow.

    Cheers
    Grant


  • 10.  RE: Network Threat Protection always slows down - true?

    Posted Apr 14, 2010 05:18 AM
    Good news - the most recent information that I have seen indicates that SEP 11 RU6 should be released to FileConnect on the 14th of April!  You should be able to download a copy within 24 hours.

    Thanks and best regards

    Mick


  • 11.  RE: Network Threat Protection always slows down - true?

    Posted Apr 14, 2010 11:06 AM
    Just a note that SEP 11 RU6 is now available via fileconnect.  All SEP 11 customers are encouraged to upgrade to RU6 to take advantage of its many improvements and enhancements. 

    Thanks and best regards,

    Mick


  • 12.  RE: Network Threat Protection always slows down - true?

    Posted Apr 19, 2010 06:02 AM

    I too have a BIG slowdown when I deploy clients with Network Threat Protection.
    I have gigabit LAN, and without NTP I get 50 mb/sec,  with - 18 mb/sec.

    Is this normal?


  • 13.  RE: Network Threat Protection always slows down - true?

    Posted Apr 22, 2010 10:11 AM
    I had the same issue on RU5 running some remote commands like REMUNZIP.
    Disabling NTP/IPS or bypassing it using rules had no effect; only when we remove NTP completely is the delay gone.

    But after installing RU6 the issue is gone!

    Looks like Symantec really fixed the issue with this release.

    Many thanks!



  • 14.  RE: Network Threat Protection always slows down - true?

    Posted Apr 22, 2010 12:30 PM
    Hi FbacchinZF, can you do a similar file copy test and post the results?  The issue remains for me even with RU6, sort of.  Can anybody help explain this file copy behavior: I copy files to a client hard drive on the same subnet with NTP enabled, I time it at 1min 44sec.  I delete the files, disable NTP and copy the files again and time it at 31sec.  I delete the files, re-enable NTP and copy the files again and time it at 31sec again.  Is Windows caching the files somehow - why is the second file copy with NTP enabled faster than the first time?  There's no mistaking that the first file copy took longer than the subsequent file copy.  Of course this cannot mean that every operation has to be done twice so that the second time is faster!

    I'm still in testing so I was able to completely uninstall RU5 and install RU6 on the server and clients.  To test the throughput I again did a file copy test; and it still results in slowness when copying files.  I happen to be copying 1,289 items with a size of 89MB from one client hard drive to another on the same subnet.  With NTP enabled it took 1min 44sec.  With NTP disabled it took 31sec.


  • 15.  RE: Network Threat Protection always slows down - true?

    Posted Apr 28, 2010 12:24 PM
    From my case, I had no problems when using copy or xcopy commands, the performance was OK with SEP11 or without it.
    My problem was when using some specific commands like Remunzip.

    Here are the results of my tests:

    SEP11 release   NTP installed   REMUNZIP start   REMUNZIP end   DELAY
    MR5             yes             14:41:54,77      14:43:31,92    00:01:37,137
    MR5             no              14:38:55,57      14:39:03,88    00:00:08,08
    MR6             yes             15:16:31,15      15:16:37,08    00:00:06,06



  • 16.  RE: Network Threat Protection always slows down - true?

    Posted Apr 28, 2010 12:30 PM
    Thanks FbacchinZF.  Looks like however, that I'm not alone in observing a throughput slowdown: https://www-secure.symantec.com/connect/forums/dramatic-lan-speed-change-after-installing-endpoint-protection-11


  • 17.  RE: Network Threat Protection always slows down - true?

    Posted May 18, 2010 01:13 AM


    I'm also experiencing slow network performance on RU6.  Now I do understand that I would see some impact with NTP enabled, but not as much as what I'm recording.  I set up 2 Windows XP Pro VM machines.  Copied a 500MB file from a network location to the VM machines.  I then uninstalled NTP on one of the machines, and disabled Bloodhound detection on the other one (a possible solution from another thread) and copied a different 500MB file.  Results below:




     
                     NTP Installed   NTP Uninstalled   Bloodhound Disabled
    Test Machine 1   50.2 seconds    -                 45 seconds
    Test Machine 2   46.2 seconds    23.9 seconds      -

    Now that's a BIG difference with NTP uninstalled.  We use NTP to monitor and block removable USB media.  It's now getting to the stage where I will have to look for another product to do this and leave SEP just for AV.