000035457 - RSA NetWitness Endpoint Agent Performance Issues when SCEP is fully enabled

Document created by RSA Customer Support Employee on Aug 24, 2017
Version 1

Article Content

Article Number
000035457
Applies To
RSA Product Set: RSA NetWitness Endpoint
   RSA Product/Service Type: RSA NetWitness Endpoint
   RSA Version/Condition:,

Issue
When the NetWitness Endpoint agent and Microsoft System Center Endpoint Protection (SCEP) are both installed and live monitoring in SCEP is enabled, performance issues on the endpoint become severe. An example is a Microsoft Office install: a 16-minute installation was dragged out to as long as 6 hours or more. This applies to installs but also to running executables.
Cause
Below is a screenshot showing the types of live monitoring settings enabled in SCEP:
User-added image
Resolution
The permanent fix is in the version where the hotfix is incorporated. There are also two workarounds:


  1. There are two ways to get the agents to work together, both of which disable functionality:
    1. Request support to help generate an expert mode agent that disables the file monitor on the target agent. This is the less desirable workaround, as it disables most of the agent's functionality.
    2. Disable the Real Time protection of SCEP by clearing the checkbox under Settings > Real-time protection in the SCEP settings. This is easier, as it only requires changing a checkbox setting in SCEP and allows the Endpoint agent to remain fully functional.
    3. Additionally, there is a test agent that contains this fix prior to but requires approval from engineering to use.
Notes
The filters in SCEP, notably mpfilter.sys, seem to be related to the I/O processing. This interrupts actions within the ECAT agent related to computing blocking hashes, which is why the process takes so long: the timeout periods expire, causing the long installation duration when the two monitors are enabled.