Endpoint Protection

I have been evaluating the Symantec System Recovery Desktop Edition backup and recovery software and I noticed that if I backup over the network smc.exe from SEP runs at a very high utilization rate for about 30 seconds, then drops to almost nothing for a few seconds, and then spikes again.

At first I figured it was auto-protect causing the issues but that doesn't seem to be the case because this issue doesn't happen if I backup locally to a thumb drive or external USB disk. I also disabled NTP and the high CPU utilization goes away almost immediately and then if NTP is enabled it comes back again. The other interesting note is that when NTP is enabled the time for the backup completion increases and then after NTP is disabled the time to complete drops a pretty good amount.

My firewall rule is set to allow all with no logging. I do have IPS enabled as well. Device control is enabled but is not actively blocking anything, monitoring anything, or logging anything.

Since I'm not logging with the firewall or blocking I'm not sure how I get around this issue? It's as if I need a way to ignore the traffic generated from this application but all I can do is allow or block it.

Anyone experienced these issues as well?

SEP RU6 MP2 and SSR 2011 desktop edition on Windows XP Mode

in AV policy, there is an option to scan when file is access and scan when file is modified, what options have u checked?

I dont think AV is having much of an effect here.

I would suggest you try adding the backup server into the auto-block exception list in the IPS policy, that should prevent the IPS engine from scanning the traffic, but its still not going to be as fast as having no IPS at all. 

Hi,

even if the firewall is set to allow all  traffic, it still introduce a latency, remove it if you are not setting any effective rule.

Removing the firewall policy is not an option. At some point it will have more than just allow rules so I need to figure out the answer with it enabled.

By the way I don't have this issue with another Enterprise Class backup solution and I use the exact same SEP policy.

I will give it a try but I can handle a little overhead but when SMC is at 50 - 60% it wont be acceptable to our users.

That being said if this is the firewall and not IPS then the ignore on IPS wont help much. How about looking at adding the ability to ignore the firewall in the future at the application level instead of allowing or denying. This prevents traffic from being scanned by the firewall. I've seen a couple other enterprise class client firewalls with this feature.

if its the firewall too, then this will help a little, as some of the IPS "features" are actually performed by the firewall engine.

Hi Paul !

How do you add add  the backup server into the auto-block exception list in the IPS policy and also how do you create exceptions in IPS .

see here: http://www.symantec.com/docs/HOWTO55407