When reviewing my Threat Event Log I find an event and try to import that as an exception to my HIPS 8 IPS policy. It literally takes 30 minutes to finish "Creating Exceptions".
Then, I go into the IPS RULES policy and verify the Exeption Rule. I hit SAVE and wait at least 30 more minutes.
This is a fresh ePO 4.5 MR5 server with multiple CPUs and 64GB of memory (all virtual). SQL is on the same box as the ePO server.
Why does it take so long to edit a single rule? Granted, I have 26 pages of IPS rules but a beefy server should be able to handle this, right???
Message was edited by: kenobe on 4/16/13 12:45:42 PM CDT
Message was edited by: kenobe on 4/16/13 12:46:11 PM CDT
This has been a long standing issue for us. IPS policies take a remarkably large amount of time to save, even with very clean policies and good tuning practices. It seems that the amount of time it takes is directly related to the size of the EPOProductSettings table. If you have Policy Auditor 6.0 installed, you can check the size of this table by using the "PA: Table Space Usage" query.
You can do some things to reduce policy sizes, and that does actually seem to help. For example, try to remove the Application Protection Rules from any non-McAfee Default IPS Rules policy. You can also delete unused policies that are just taking up space.
One other odd thing you can do is to change your server's power settings in the BIOS and in Windows. If you turn everything onto "high performance" mode, it actually makes quite a bit of difference. Good luck.