Endpoint Protection

We recently upgraded to Avid Media Composer 5  (v 5.5.3) on the Avids in our office and now we are having a problem whereby the Network Threat Protection feature on Symantec Endpoint Protection (v 11.0.7) is affecting the bandwith for working with video and audio files on our media server.  The bandwith is greatly reduced and it's basically slowing the transfer speeds of the video and audio files when we try to access those files from that server.  When we turn Network Threat Protection off then we reach our full transfer speeds when accessing the media server.  The Avids are running on Windows 7 and Windows Vista computers.

Is there a way to program Network Threat Protection to indicate that the Avid Media Composer application is a safe application and allow all communication under that application to continue unimpeded?  I would rather tell it to ignore this application rather than completely turn it off if that is possible.  If that is not possible then would it involve something else?  Such as allowing certain IP addresses full and complete access.  Any help on this matter would be greatly appreciated.  Thanks for your time.

can you can set the application rule and allow the traffic? does that help?

Hi,

there's a big difference if the traffic is blocked or just slower.

NTP is just a firewall, you may allow or deny a specific traffic, not speed up or slow down it.

If Avid requires specific traffic to be allowed and NTP is blocking, it is unlikely that Avid can just work, however you should see blocked traffic in the NTP logs.

If there's no evidence that a specific traffic is blocked, there's no need to allow it either by ports, process name, source, etc...

The firewall basically catches the packets and compare them with a set of rule, those rules can be to allow or block the traffic, but even to say "this specific traffic is OK", it must be compared with a rule to distiguish it. Hence, adding rules to allow a traffic that is not blocked will just add another comparison, hence further time to process the traffic.

You did not specify how much slower is the data transfer but be aware that having a firewall which filters packets adds a workload that always results in slower traffic.

And would then lock up.  Sorry for not being more clear.  The data transfer speeds were almost cut in half when we tested for speeds and would go back up to their normal rate when we turned Network Threat Protection off.  How would I set an application rule to allow traffic?  Is that under policies within the Intrusion Prevention policy?

This video shows how to Allow and Block websites using Symantec Endpoint Protection Firewall.

http://bcove.me/82e9yf7p

Is your media server equipped with SEP and NTP? If yes, consider to disable IPS (put the server in a separate group with disabled IPS).

Have a look at this document:

Best Practices for employing Intrusion Prevention System (IPS) to high-availability/high bandwidth servers

http://www.symantec.com/docs/TECH162135

In 12.1.1, when you install SEP there are choiced to be made.  There are install types that supply HIGH Security for a workstation (they call it client, I think) and there is high security for a server and basic security for a server.  On your media server, I would go with basic server and skip the network/intrusion stuff altogether.  Even then, if files are being transferred, you may want to avoid scanning (especially realtime protection) files with extensions relating to the media stream.  I'm guessing that the video stream may be UDP traffic so you might want to put in exceptions there.  If you are pretty certain that NTP is causing the slow down to examine each packet, you can set up exceptions in NTP and IDS policies for that type of data.

To update this thread I created a new rule within the Firewall policy telling it to allow traffic from the IP address of the media server.  I moved this rule to the top of the list as well to give it priority.  I also went into the settings of the Intrusion Prevention policy and checked "Enable excluded hosts."  I then included the IP address of our media server for this setting as well since it states that "all traffic to and from these hosts will be allowed."  This seems to have partly worked as now I can write to the server with faster bandwith speeds but when reading from the server the bandwidth speeds are still considerably reduced.  Symantec allows outgoing traffic but still regulates incoming traffic.  When I turn Network Protection off then it goes back up to a faster speed once again.  The media server does not have SEP or NTP installed.  As another aside I tried disabling all the blocking rules within the firewall policy to see if the bandwidth speed would be unaffected but I still got slower reading speeds.  It seems that Network Threat Protection is a bit aggressive in its regulation of traffic.  Perhaps I should turn that off entirely.  Is there a way to turn it off completely?  I have tried but it always turns back on once I reboot the client computer.   By the way this is Symantec Endpoint Protection (v 11.0.7) so 12.1.1 does not apply to me.

NTP, Firewall and AV.

As with all application, the slow down is to be expected.

There are componnets at play here (on the client) qhich are scanning al the incoming data to the machine from the server.  The Firewall and the AV will be responsible for this.

12.1 may help.

You can create an exception (not recommended) to allow all traffic bi-directional to and from the server not being scanned.

You can try turning off the AV/NTP components on one of your clients and test to see if the bandwidth issue is resolved... 

To turn NTP off, you may remove it by changing the SEP installation from the Control Panel > add/remove programs.