|RSA Product Set: RSA NetWitness Endpoint|
RSA Product/Service Type: RSA NetWitness Endpoint
RSA Version/Condition: 18.104.22.168, 22.214.171.124
|Issue||When the NetWitness Endpoint agent and Microsoft System Center Endpoint Protection (SCEP) are both installed and live monitoring in SCEP is enabled, performance issues become severe on the endpoint. An example is a Microsoft Office install: a 16 minute installation was dragged out to as long as 6 hours or more. This applies to installs but also to running executables.|
|Cause||Below is a screenshot showing the types of live monitoring settings enabled in SCEP:|
|Resolution||The permanent fix is in the 126.96.36.199 version, where the hotfix is incorporated. There are also two workarounds:|
- There are two ways to get the agents to work together, both disabling functionality:
  - Request support to help generate an expert mode agent that disables the file monitor on the target agent. This is the less desirable workaround, as it disables most of the agent's functionality.
  - Disable the Real Time protection of SCEP by clearing the checkbox under Settings>Real-time protection in the SCEP settings. This is easier, as it only requires changing a checkbox setting in SCEP and allows the Endpoint agent to remain fully functional.
- Additionally, there is a test agent that contains this fix prior to 188.8.131.52, but it requires approval from engineering to use.
|Notes||The filters in SCEP, notably mpfilter.sys, seem to be related to the I/O processing. This interrupts actions within the ECAT agent related to computing blocking hashes, which is why the process takes so long: the timeout periods expire, causing the long duration of installation when the two monitors are enabled.|