Endpoint Protection

Anyone knows if SEP 14 still has troughput problems with 10gb interfaces as seen on:

 

https://www.symantec.com/connect/forums/slow-10gbps-network-when-symantec-endpoint-client-installed

and

https://support.symantec.com/en_US/article.TECH92440.html

 

I looked over on release notes and didn't see a mention to this problem. I think the TECH 92440 its the only mention of this issue by Symantec.

 

Anyone has more input on this situation ? Its unexpected to company this big go for so long without a fix.

 

Doesn't seem to be any follow up on it. You may need to engage support to see if anything has changed internally.

I did some testing with 14 MP1 a few weeks ago. Seems like there are some improvements. To get full throughput do one of the following: 1. Run only the AV component & Sonar 2. Disable IPS through policy (in 12.1 you had to remove the component) 3. Create an IPS exclusion for the host you need 10gbps traffic for. (in 12.1 you had to remove the component)

I just did my own tests with SEP 14 MP1 (14.0.2349.0100).  Created two identical Server 2012 R2 VM's with 2 vCPU and 4GB memory each.  Our hosts have two 10 Gb data interfaces, and the VM's use the VMXNET 3 interface, which shows a 10 Gb connection.

My test conclusions:

1)  Running all components with their policies had noticeable effect on throughput, reduced to about 1/3 original throughput.

2)  Withdrawing IPS, Firewall, and ADC policy gave some improvement, but still only about 1/2 original throughput.

 

How I tested and results:

I used LAN Speed Test (Lite) from one server, with the target being the C$ admin share on the other server and a packet length of 1000 MB.

First test before SEP installed:

Writing: 3000 - 3700 Mbps, Reading 2500 - 3200 Mbps       Readings varied fair amount, our hosts do have a good amount of load on them.

 

Install SEP with all server components (no email scanners) on both servers:

Writing: 900 - 1100 Mbps, Reading 900 - 1100 Mbps    Readings more consistent

 

Withdraw all policies except for Virus and Spyware Protection, LiveUpdate, and Exceptions.  (No exceptions made for these servers):

Writing: 1400 - 1600 Mbps, Reading 1400 - 1600 Mbps  Readings more consistent

 

Uninstall SEP and reboot:  Readings were same as first test, before SEP was installed.  Nice to know that uninstall didn't leave any slowdown components.

 

Install SEP again with only Virus and Spyware Protection: Readings about same as first test (no SEP installed).

 

Of course your tests may vary, and this is for one large file transfer, but i thought it was interesting and decided to share it.  Maybe others could share their testing results?

Robert.

To get completely rid off the SEP network driver, the only component you need to have installed is "Virus, Spyware and Basic Download Protection". If you do not remove the "Advanced Download Protection" component below the above one, SEP will still have the network driver installed and you may have problems with bandwith etc.

@Jarkom: Seems like that has changed in SEP 14 MP1. From our testing we were able to get full speed with iPerf by just disabling by policy. Even by just adding an IPS exclusion we got full speed. This was something we really missed in 12.1 

Just remember that SONAR in 14 now has a setting for remote scanning that should be disabled. 
 

any other news about this problem

without IPS installed i get double speed

 

I think 100% speed on 10Gbps with IPS enabled is almost technical impossible. 

Imagine. You have a 1GB plain text file.

1 GB = 1,024 MB = 1048,576 KB = 107,3741,824 bytes

An ASCII character in 8-bit ASCII encoding is 1 byte; so, we get 107,3741,824 characters.

Assume an average of 5 characters per word, plus a space (6 characters) = 178,956,970 words.
At 200 words per page, that's 894,784 pages.

There are roughly 900,000 ACSII text pages per 1GB of text.

Since we are talking about Gbps and not GBps we can divide 10Gb by 8 and we get 1.2GB
This still makes 1.08Million pages!! (900.000*1.2)  

Now imagine that you have a dictionary with naughty words, your job is to scroll through that 1Million page document to see if you can find any naughty words. You have the check every word in the document against the dictionary. And as if this task is not hard enough, you get handed a new 1Million page document every second!! 

If you look at network based Intrusion Prevention Systems that are able to scan 10Gbps they are crazy expensive and with really powerful physical hardware. After playing with the numbers I am actually impressed with the speed SEP is able to scan through network traffic! 

As recommended by Symantec. Do not use IPS on servers that require 100% throughput on 10Gbps interfaces. 

normal ?

Just out of curiosity. Are you using iperfv3? Seems like that version gives more consistent and stable results. Or when using the "-p 10" parameter. From our testing this gave the most stable results, both with or without IPS activated.

With linux to linux on 10Gb hosts using iperf3 and no sep, i can get 8Gb or ~1GB transfer speed

iperf3 used