7 Replies Latest reply: Apr 12, 2013 4:12 PM by kenobe RSS

    Slow Saving HIPS 8 Policies in ePO 4.5 patch 6

    jpeg9999

      It takes about 1-15 minutes to save an IPS Rules policy on our ePO server.  It is running 4.5 patch 6 on SQL 2008 R2 on 2008 Server R2.

       

      Saving any other policy is fine.

       

      How best can we troubleshoot this problem?  Any input is appreciated.

        • 1. Re: Slow Saving HIPS 8 Policies in ePO 4.5 patch 6
          hbssadmin

          Has this been resolved or are you still waiting for feedback?

          • 2. Re: Slow Saving HIPS 8 Policies in ePO 4.5 patch 6
            HerbSmith

            It is very slow with HIPS 8.0 P2 and latest extensions when running ePO 4.6 P4.  When making IPS exceptions it can take 2-4 minutes.  When saving the policy it can take up to 5 min.   Seems to be related to number of exceptions in the policy.   Once they get past about 5 things go downhill.

            • 3. Re: Slow Saving HIPS 8 Policies in ePO 4.5 patch 6
              StefanT

              I'm glad I'm not the only one with this issue, ePO 4.5 patch 5 and ours takes around 10-15 minutes to save. I do have a large number of bespoke signatures but not 1000's!

               

              Another 'feature of the product'

               

              Stef

              • 4. Re: Slow Saving HIPS 8 Policies in ePO 4.5 patch 6
                HerbSmith

                I have had ticket open with Platinum support for almost two weeks now.   It is going nowhere.   Saving of IPS rules takes well over two minutes.   Even Firewall rules are taking much longer than before.  The ePO server itself is not overly busy,  but the problem appears to be on the SQL server side.  Our lead DBA tells me they see blocks being put on transactions when I try to save HIPS rules.  It appears trying to save the rule puts a block on the processing of routine client updates.  Then waits for those in process to clear, and then does it processing and saving.   In looking at the ePO counters on the ePO server the number of client requests processed goes to zero.   The number of open client connections zooms up, many times hitting the 244 max.  CPU activity spurts for a few seconds as client connections go up.  Then client requests start getting processed again and the number of connections returns to normal. 

                    2 minutes to create an exception from an event, and then another 2-3 minutes to edit save the rule makes working with HIPS a problem.   And some of the new rules with HIPS 8.0 P2 need LOTS of tuning.

                • 5. Re: Slow Saving HIPS 8 Policies in ePO 4.5 patch 6
                  StefanT

                  Let's hope it gets fixed, we've learned to live with it........................amend policies...............save..................go for coffee (and maybe lunch)!

                   

                  Stef

                  • 6. Re: Slow Saving HIPS 8 Policies in ePO 4.5 patch 6
                    HerbSmith

                    Just heard from support.  "it is running as expected"   If you have a large number of rules it will take awhile.   I have been timing things this afternoon.  I have done at least 8 saves between creating new exceptions from events and editing the actual polcy.  Typical time to save 3 min 15 sec.  Best time 1:59 Sec.  I have wasted close to a 1/2 hour just today.

                    If buffer overflow rules 985 and 6032 were not tripping on well known MS products all the time for all kinds of different reasons I could get rid of close to 40 rules.

                     

                    I was also advised to put in a Product Enhansement Request.   The black hole of ideas.

                     

                    Thanks

                    Herb

                    • 7. Re: Slow Saving HIPS 8 Policies in ePO 4.5 patch 6
                      kenobe

                      Same problem at my site.  We had serious issues on 4.5 MR4 and were told to wait until MR5 then all would be good.

                       

                      It's just as bad on MR5.  Edit policy, no problem.  Save policy, wait 20 mins, screen timeout, click ok, wait 20 more mins, get logged out.  !@^#@!$^!@^$@

                       

                      This is ridiculous.