Endpoint Protection

I have a number of Server 2012 std VM instances installed on an ESX 5.1 host(1 Socket Intel Xeon E3-1220). I installed SEPM 12.1.2 (RU2) on a Server 2012 VM with 2GB RAM and 1 core 3.1Ghz. I deployed the SEP client to my Remote Desktop Server (4GB RAM and 2 Cores 3.1Ghz), Domain Controller (1Core 3.1Ghz and 1GB RAM) and then the SEPM server itself. The SEPM server became unresponsive and had to be cold reset. The Domain Controller and Remote Desktop server performance was significantly reduced although the resource monitor indicated that CPU and Memory were in decent shape. RAM was 70% on the DC and about 40% on the RDS. CPU on both machines were sub 15%. Which is higher than normal , but i think still okay. These Servers are all accessed through remote desktop on the local network. Firstly initiating the connections took much longer than normal , Applications crashed and were not responding on the RDS. Eventually the RDS server became unresponsive and had to be cold reset.

Am I missing something here ?

Make sure you only install the AV component to start.

What components do you currently have on it?

I have a 2012 box with only AV, been running fine thus far.

1. There are other forum posts complaining about SEP 12 slowing things down. Have you looked at those?
2. What about shared Insight Cache? Have you looked at using that to reduce the load on your servers?
3. Have you considered loading a virtual appliance on your ESX host instead?

The Client was not configured prior to deployment , therefore the default settings were deployed i.e. full scan etc. , no policy settings.

The client was deployed to the DC and RDS and then removed and cleanwipe run after the client was removed. The DC and RDS are performing substandard to say the least. Vm's take long to boot and shutdown. Remote Desktop takes long to inititate. Server Manager and Internet Explorer for example are taking long to load, RemoteApp even on local network is taking long initiate and often with errors. The UI is slow and jerky on both servers via remote desktop and via the console in vSphere client.

I have not looked at insight cache and virtual appliance deployment. We have a single vsphere host.

I am in process of migrating the affected servers to a new VM.

Your thoughts are appreciated.

Hi,

Do you have the same problems with 2008 R2?

I have on another site SEP 12.1 on 2008 R2 (SEP version prior to 12.1.2). I noticed the network indicator says not connected on the taskbar , however the connection is active. I believe that is caused by SEP client other than that the performance seems normal i guess. I will run a test on 12.1.2 with 2008 R2 and 2012 on test VM and post findings a bit later.

The RAM on those systems seem well undersized.  SEP is no resource easy product...

RAM is small , but consider less than 5 users on this site. Consider that Mem utilization on DC with 1GB vRam was approx 70-80% with sep client installed in idle sep state. The symptoms still occur after sep client was removed and clean wiped. I have since created an identical second DC , did not install sep, works perfectly , symptoms are not there. I have also tried increasing RAM to 2GB on DC1 however symptoms still occur. Again the sep client has been removed completely from this DC.

I dont have a way to benchmark this but I think its the firewall causing the performance issue. I followed the symantec best practices for Virtual environment guide.Created a new group for Virtual Machines only. Did not setup Insight Cache or Security Virtual Appliance. Therefore used Active scan in policy as per the guide.

I then created a Firewall rule to allow all traffic for all ports for all IP's on my network. Suddenly performance seems normal. This is purely a qualitative finding, I have not performed any benchmarks.

Is there a guide for Firewall best practices for the Virtual Environment with particular reference to vSphere 5.1? I think some blocked-ports causing the issue.

@Brian81 , you mentioned to install AV component only. Can you elaborate on reason why you installed only AV component ?

You also mentioned installing on 2012 "box" did you deploy to VM or baremetal ?

I found the performance thief. I must apologise , SEP and SEPM had absolutely nothing to do with the loss of performance.

Performance dropped due to modification of power settings on the ESXI host and Windows. The ESXI host was set to Balanced power profile and each VM was also set to Balanced Power Profile in the control panel. After changing the settings to high power on vsphere client and on each VM in the Windows control panel , performance was 100% back to normal with the SEPM running on a VM , no insight cache or security appliance configured. Followed best practice for SEP client configuration and only installed the AV component on each VM , everything looks good and business as usual.