Endpoint Protection

  • 1.  SEP 12.1 Sonar Performance Issues

    Posted Aug 26, 2011 05:05 AM

    Since upgrading from SEP 11 to SEP 12.1 we're seeing many machines with big performance issues, where some apps freeze and sometimes explorer and general system performance is terrible. It all goes away when we disable the Sonar component. Has anyone else seen this?



  • 2.  RE: SEP 12.1 Sonar Performance Issues
    Best Answer

    Posted Aug 26, 2011 08:47 AM

    ...and have a reasonable number of open apps, I can't really see why you'd be seeing any slow down.  I've not seen any detrimental performance impact caused by SONAR, even on our older machines.  Bearing in mind SONAR has got its beady eyes on everything running now.

    Soooo, if it's not a local resource issue (CPU/Memory/Disk Queues are all normal) you may want to check if the other things SONAR does are alright, including contacting Insight.

    Make sure the client can contact all the Insight URLs (listed here http://www.symantec.com/docs/TECH162286), or perhaps even try disabling the Insight lookups to see if it affects performance?  The easiest way to test this is to find a test group, and amend the External Communications Settings of the group to clear the 'Allow the Insight Lookups' checkbox (not recommended in a normal configuration).



  • 3.  RE: SEP 12.1 Sonar Performance Issues

    Posted Aug 26, 2011 09:05 AM

    Thanks, I'll give that a try.

    Interestingly, one of the clients would freeze up for a minute then eventually detect the running application as a virus (Generic Sonar) and delete it, so it's definitely around the SONAR component. On another, it would freeze but not detect anything.



  • 4.  RE: SEP 12.1 Sonar Performance Issues

    Trusted Advisor
    Posted Aug 26, 2011 11:59 AM

    Hello,

    SONAR is the real-time protection that detects potentially malicious applications when they run on your computers. SONAR uses heuristics as well as reputation data to detect emerging and unknown threats. SONAR provides "zero-day" protection because it detects threats before traditional virus and spyware detection definitions have been created to address the threats.

    I personally would not recommend that you turn it off.

    However, I would suggest that you please check this article:

    Improving client and server performance

    http://www.symantec.com/docs/HOWTO55341

    Hope that helps!!!



  • 5.  RE: SEP 12.1 Sonar Performance Issues

    Posted Sep 01, 2011 04:12 AM

    It looks like it is/was down to internet access - the clients can't authenticate to our proxy and so couldn't look up the apps (most of which are not well known or in-house). So that resolves the issue, but it isn't ideal that all the clients need direct access. Is there a way of telling the clients to authenticate via a proxy, or use the SEPM servers for lookups instead?



  • 6.  RE: SEP 12.1 Sonar Performance Issues

    Posted Sep 01, 2011 04:41 AM

    ... and it's all set in the section I mentioned earlier too!  Sooo, go to Clients, and highlight a group, then hit the Policies tab for that group, and in the upper-right area, hit the "External Communications Settings" link.

    As I posted earlier, this is where you can disable/enable the Insight lookups, but is also where you can set the proxy settings for SEP Clients to use when performing Insight (two proxy tabs are provided, one for Windows and the other for Mac, and should not be confused with the proxy settings for LiveUpdate if enabled).

    Hope this all helps.

    #EDIT# Another option is to allow a bypass of your proxy for the Insight URLs; these were identified in the article in my earlier post.
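
The failure found in this thread, clients that cannot authenticate to the proxy, can be told apart from a dead or slow link by probing each Insight URL through the proxy and classifying the result. This is an added example, not part of the original posts and not Symantec tooling; `classify_lookup`, the URL and the proxy address are placeholders (assumptions), and the real Insight URLs have to be taken from TECH162286.

```python
import socket
import sys
import urllib.error
import urllib.request

# Placeholders (assumptions): take the real Insight URLs from TECH162286 and
# substitute your own proxy address. Neither value comes from the thread.
INSIGHT_URLS = ["https://insight-url-from-tech162286.example/"]
PROXY = "http://proxy.example:8080"


def classify_lookup(url, proxy, timeout=5.0):
    """Send one request to `url` via `proxy` and name the outcome."""
    handler = urllib.request.ProxyHandler({"http": proxy, "https": proxy})
    opener = urllib.request.build_opener(handler)  # no proxy-auth handler installed
    try:
        opener.open(url, timeout=timeout).close()
        return "reachable"
    except urllib.error.HTTPError as exc:
        # Plain-HTTP request: the proxy's status code is returned directly.
        return "proxy-auth-required" if exc.code == 407 else "http-%d" % exc.code
    except OSError as exc:  # URLError, socket timeouts, refused connections
        reason = getattr(exc, "reason", exc)
        if isinstance(reason, (socket.timeout, TimeoutError)):
            return "timeout"
        # HTTPS request: a rejected CONNECT surfaces as
        # "Tunnel connection failed: 407 ..." inside the URLError reason.
        if "Tunnel connection failed: 407" in str(reason):
            return "proxy-auth-required"
        return "unreachable"


if __name__ == "__main__":
    proxy = sys.argv[1] if len(sys.argv) > 1 else PROXY
    for url in INSIGHT_URLS:
        print("%-24s %s" % (classify_lookup(url, proxy), url))
```

A `proxy-auth-required` result points at the two fixes described above: set the proxy in External Communications Settings, or bypass the proxy for the Insight URLs.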



  • 7.  RE: SEP 12.1 Sonar Performance Issues

    Posted Sep 06, 2011 04:26 PM

    It seems that this new version of SEP has lots of problems.