Endpoint Protection

  • 1.  SEP12 auto-protect results in huge performance throughput impact

    Posted Dec 01, 2014 10:49 AM

    We have a number of Windows test machines that are used as clients to servers running the runtime variant of a product. Since upgrading to SEP12 we have noticed a major throughput impact i.e.

    For testing we run a simple Java-based application (Perfharness). This reads in a single config file and then will do all its work over HTTP. Without SEP enabled on a given machine we can get around 19,000 messages/second but as soon as we turn on SEP (more specifically the file system auto-protect) the rates will drop to ~8,000. (On a machine where we have Windows Client & Server the impact is 37,000 -> 14,000!).

    Looking at the stack of the Java process we can see that SEP is a major CPU factor. With SEP enabled:

     PID  58803 10.45    java.exe_12d8
        MOD  21971  3.90     C:\ProgramData\Symantec\Symantec-Endpoint-Protection\12.1.4100.4126.105\Data\Definitions\IPSDefs\20141125.011\IDSvia64.sys
        MOD  17657  3.14     C:\Windows\system32\ntoskrnl.exe
        MOD   3979  0.71     JITCODE
        MOD   3409  0.61     c:\progra~1\ibm\java70\jre\bin\compressedrefs\J9THR26.dll
        MOD   2780  0.49     C:\Windows\system32\DRIVERS\NETIO.SYS
        MOD   2720  0.48     C:\Windows\System32\drivers\tcpip.sys

    Without SEP:

     PID  84225 11.42    java.exe_0df0
        MOD  17241  2.34     NoModule
        MOD  16997  2.30     c:\progra~1\ibm\java70\jre\bin\compressedrefs\J9THR26.dll
        MOD  16528  2.24     C:\Windows\system32\ntoskrnl.exe
        MOD   7569  1.03     C:\Windows\system32\DRIVERS\NETIO.SYS

    Does anyone know what's causing this? We see much higher kernel CPU time when SEP is enabled. We have been told we are not doing the network intrusion so we don't understand why it's causing such an impact.

    (This is a managed client - Version 12.1.4100.4126)



  • 2.  RE: SEP12 auto-protect results in huge performance throughput impact

    Posted Dec 01, 2014 12:58 PM

    Do you have the option to scan remote machines enabled?

    In the AV policy go to the Auto-Protect page >> Scan Details and under Network Settings is this enabled?



  • 3.  RE: SEP12 auto-protect results in huge performance throughput impact

    Posted Dec 02, 2014 03:12 AM

    No, we don't have "Scan remote machines" enabled.



  • 4.  RE: SEP12 auto-protect results in huge performance throughput impact

    Posted Dec 02, 2014 04:43 AM

    The numbers you posted certainly seem to suggest the IPS component is installed (even if it's not used). I'd suggest going through "add/remove programs" and ensuring the IPS component is completely removed from the machine (and not just disabled via policy).



  • 5.  RE: SEP12 auto-protect results in huge performance throughput impact

    Posted Dec 02, 2014 05:49 AM

    According to the installer the only part currently installed is the "Virus, Spyware and Basic Download protection".

    ...I wonder what "Basic Download protection" is



  • 6.  RE: SEP12 auto-protect results in huge performance throughput impact

    Posted Dec 02, 2014 07:54 AM

    It's just the files needed for the AV piece to function and provide protection upon initial install.



  • 7.  RE: SEP12 auto-protect results in huge performance throughput impact

    Posted Dec 02, 2014 09:16 AM

    Oh, in that case, then the C:\ProgramData\Symantec\Symantec Endpoint Protection\12.1.4100.4126.105\Data\Definitions\IPSDefs folder doesn't really do anything (as IPS is not installed).

    I can confirm this folder does not exist on my machines that omit the SEP IPS component. So perhaps you'd like to test by removing the folder? I see no reason why it'd be involved with your Java process.



  • 8.  RE: SEP12 auto-protect results in huge performance throughput impact

    Posted Dec 03, 2014 05:36 AM

    Deleting the folder is not as easy as it sounds. Even with full admin privileges it won't delete, as I guess it's loaded in virtually every process running. I need to try and hack the service not to start on boot.



  • 9.  RE: SEP12 auto-protect results in huge performance throughput impact

    Posted Dec 03, 2014 06:18 AM

    Disable tamper protection and try deleting it.



  • 10.  RE: SEP12 auto-protect results in huge performance throughput impact

    Posted Dec 03, 2014 06:23 AM

    Tried that but it didn't seem to make any difference.