4 Replies Latest reply on Sep 22, 2017 8:14 AM by v.kubasek

    ENS Exploit Prevention (Slow Backup App)

    v.kubasek

      Hi guys, I have a little problem with the Exploit function in ENS.

      When this function is turned on on the client computer, the backup application (avamar EMC) runs very slowly (time around 2 hours). When the function is turned off, the backup application runs well (time around 5 minutes). I tried a lot of exclusion types, for example avamar services, folder, path, etc., with no change.

      Do you have any idea where the problem could be?

      Thank you

       


        • 1. Re: ENS Exploit Prevention (Slow Backup App)
          woody188

          I've found it best to wildcard the executable path or use the MD5 hash. This is just an example; your executable will be named differently.

           

          **\AVTAR.EXE

           

          I also found it necessary to disable Exploit Prevention on some systems via a separate policy.

          • 2. Re: ENS Exploit Prevention (Slow Backup App)

            Seems odd.  You're speaking of ExP here.

            Usually adding an exclusion there is because you're getting Exploit Prevention signature threat events.

            Can you clarify that you DID NOT also inadvertently add that process to the Application Protection Rules list as a monitored process?

            • 3. Re: ENS Exploit Prevention (Slow Backup App)
              rmetzger

              Hi v.kubasek,

               

              I'm not sure of this backup application 'avamar EMC,' but most backup applications have a Virus Scan/check function (fairly generic, not necessarily specific to any AV product) which invokes a read scan on each file backed up. Is it possible this is causing your performance issue? Check this backup software's settings and see if you can disable the AV check functions and report back any differences in performance.

               

              It has been my experience that McAfee Enterprise AV solutions do not need this extra scan from the backup software, as the default/recommended configuration does a scan on read. Adding another scan instituted by the backup software is redundant and sometimes causes deadlocks, which in turn cause severe delays within the backup software.

               

              I'm not sure if Exploit Prevention is detecting the deadlock as a possible exploit and until the deadlock is released (and not considered an exploit), the backup software has to wait. It may be worth a try, changing the backup software settings as a test.

               

              If the performance does improve without 'Exclusions' this would be a preferred approach.

               

              Let us know your results.

              Ron Metzger

              • 4. Re: ENS Exploit Prevention (Slow Backup App)
                v.kubasek

                Hi, this issue is finally resolved. The solution for this bug is ENS Threat Prevent 10.5.2 with Hotfix3 and the last agent 5.0.6.220.

                Thank you very much for your feedback, guys.