
Moving .zip files takes very long on a machine with the DLP Agent installed

Created: 05 Jun 2012 | 10 comments
thetick's picture

Hi,

When I move a 20 MB or larger .zip/.rar file to removable storage, the move or copy time is very long (10-15 min) on the machine with the DLP agent installed.

What is the best practice for agent configuration regarding this issue?

Thank you


stumunro's picture

Tick,

From what I can gather, you are running an endpoint scan and the zip files are taking up to 20 mins to complete...

One option may be to exclude .zip files from the endpoint agent scan to speed this up? If you could share some more info on this, it would be appreciated... or let me know if this works.

Denis Kattithara's picture

You may want to review your detection policy and tweak some rules to optimize performance... Irrespective of that, as long as files are being monitored you can expect some latency during copy.

Denis John Kattithara

Partner Assist Services

Symantec Corporation 

stumunro's picture

Also, if you are doing a discover scan, look at the NIC and switch port settings. Make sure they are the same speed and MTU/duplex, and lock them in, as they may be in a mismatch.

Keith Reynolds - ExchangeTek's picture

You could consider decreasing the max file size on the Advanced Settings page of the Endpoint server. This is by default set to 30 M, meaning you're going to be inspecting the first 30 M of any file.  It has an alternate meaning on archive files however...it means you're going to scan the first 30 M of each file extracted from the archive, hence the performance issue with copying your zip file to a USB.

Since this is a server setting, however, it's going to apply to any file that is inspected by the agent, so you need to figure out the appropriate balance between performance and inspection depth on files.  Expect to play with this for a little while until you get the right balance through iterative testing.

~Keith
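As an added illustration of the per-file limit described in the comment above (not from the thread or from Symantec, and a simplified model rather than the agent's logic): the script sums how many bytes would be inspected when the limit applies to each extracted file. The function names, the zero-filled sample archive, and the assumption that nested .zip members are unpacked are constructed for this example.

```python
import io
import zipfile

MB = 1024 * 1024

def inspected_bytes(zip_bytes, cap):
    """Model of the per-member limit: up to `cap` bytes are inspected
    from EACH extracted file. Assumes nested .zip members are unpacked."""
    total = 0
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            if info.filename.lower().endswith(".zip"):
                # Recurse into the nested archive (small once compressed)
                total += inspected_bytes(zf.read(info), cap)
            else:
                # file_size is the declared uncompressed size of the member
                total += min(info.file_size, cap)
    return total

def make_zip(members):
    """Build an in-memory zip from {name: bytes} (constructed sample data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()

def build_sample():
    """Constructed archive: zero-filled members, one nested zip."""
    inner = make_zip({"a.bin": bytes(32 * MB), "b.txt": bytes(1 * MB)})
    return make_zip({"inner.zip": inner,
                     "c.bin": bytes(32 * MB),
                     "d.txt": bytes(2 * MB)})

if __name__ == "__main__":
    sample = build_sample()
    print(f"archive on disk: {len(sample) / MB:.2f} MB")
    for cap_mb in (30, 5):
        work = inspected_bytes(sample, cap_mb * MB)
        print(f"cap {cap_mb} MB -> {work // MB} MB inspected")
```

The size of the archive on disk says little about the inspection cost; the number of members and their uncompressed sizes, each clipped to the limit, determine it.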

DLPguyNJ's picture

I have seen this issue before, where files copied to removable media lag for 15+ minutes. Lowering the max file size or removing the file type from scanning are good solutions. I have been doing testing in our environment, tweaking some settings to try to find a good balance between detection and endpoint lag due to processing.

One thing to keep in mind is that when you add the DLP Agent to an endpoint it can take multiples of up to 10x as long to copy depending on the hardware of the machine (this was verified by support). v11.5 is supposed to lower that multiple to between 3-5x as long to copy a file.

There are many different things within the agent configuration that can be adjusted to change how large a file to scan, or the duration of a scan of an individual file being copied. Please provide the hardware of the machine and the agent configuration details that you are using in your environment for further assistance.

yang_zhang's picture

Because the DLP agent needs some time to unzip the compressed file and scan the content.

One suggestion:

Configure your DLP to only scan files that are smaller than 20M, and change your policy to forbid the copying of files that are bigger than 20M.

Amit Riswadkar's picture

It may be worthwhile to see what's in the zip file. We've found that scanning DLL and EXE files hurts scan performance.

Artem's picture

Hello,
The DLP system allows limiting the max file size for scanning, but is it possible to limit the depth to which agents scan archive files?

kishorilal1986's picture

As zip files are compressed, they take more time to process and read, so it is taking time.

Vontu has no theoretical depth limitations for scanning.  Directory levels are not limited during scanning.

Artem's picture

I think a feature to limit the depth of scanning archive files is in demand. Does Symantec have plans to implement it in new versions?