
ESET on Win 2K19 File Server - Connectivity issues



Server: Windows Server 2019 (1809) DC | ESET Server Security 8.0.12010.0
Client: Windows 10 (21H1) Pro | ESET Endpoint Antivirus 9.0.2032.6 + ESET Endpoint Security 8.0.x - 8.1.x

We are running a file server (details above this line). This server is connected to the 10 Gigabit backbone. 
We have several client computers. Most are connected to access switches at 1 Gigabit. 
I did run tests from a test VM with Windows 10 and ESET Endpoint Antivirus 9.0.2032.6 (instead of Endpoint Security). 

When the file server is freshly rebooted everything works absolutely fine. We did assign 12 GB RAM and 12 cores to this Hyper-V. Everything runs smoothly. When we run ESET Server Security 8.x on the server the connectivity (SMB) becomes sluggish. 

However: when we downgrade to ESET File Security 7.3 everything runs fine for weeks - month (up time depends on reboots / updates). We had some modules disabled like HIPS during testing - and left it disabled. 

Running ESET without HIPS is not recommended. During the last update round we decided to upgrade to ESET Server Security 8.0. Unfortunately the connectivity (SMB) became sluggish again. 

We have had this issue before and that made us decide to roll back to version 7.3.

I did call ESET (Netherlands) and was advised to disable "Network drive scanning" for the client computers. We did change this through ESET PROTECT Cloud by changing the policy. The policy has been applied to my test W10 VM - but the sluggishness was still there. 

I decided to disable the option "Protocol SMB" under "Intrusion Detection" (of the IDS) and see what happens. Still slow...

I decided to reboot the file server and everything works fast as it should. Server up time is 02h 50m at the moment. Opening Word documents is fast and closing Word is fine. 

The users experienced issues with opening and saving files. Closing applications like Word took 8 seconds. Normally opening and saving files takes less than a second. Closing Word normally takes a split second. 

Some time ago (we are talking about months) we had this similar problem and what we observed was that the sluggishness / slowness appears in about a day. 

The server is a HP Proliant G10 with SSD storage. All other VM's aren't affected. It runs with 512 GB of RAM. There's also a second file server for the factory. The speed is less important - but I did some tests on that server too. I can open and save files as expected. That VM has only 4 GB RAM and 4 CPU cores. It runs fine with ESET Server Security 8.0.12003.0. 

I will re-test the affected file server during the weekend and see if connectivity becomes sluggish again. 

I would like to know if this is a known issue and if there's a known fix for this. Thank you. 

Edited by bouke
Typo (file security had to be server security) + typo Untrusion / Intrusion

  • Administrators

This is definitely a kind of issue that needs to be reported via a ticket and troubleshooted with the help of technical support.

Just to make sure, is scanning of network drives disabled both on the server and endpoints?
Does temporarily pausing real-time protection make a difference when experiencing slow opening of files?

If not, technical support should provide you with instructions how to rename ESET's drivers or unregister callouts from WFP and thus narrow it down.


1 hour ago, Marcos said:

[..]
Just to make sure, is scanning of network drives disabled both on the server and endpoints?
Does temporarily pausing real-time protection make a difference when experiencing slow opening of files?
[..]

Thanks. Technical support's advice was to only disable network drive scanning on the clients. It isn't disabled on the server. 

I just did a new test now the server's up time is over 13 hours. Everything works as expected: fast / smooth. 

There aren't many sessions / open files at the moment as it is the weekend. I will check this again in about 10 hours (it's evening then). And I will check Sunday morning. If everything becomes sluggish again, I'll contact ESET Support Netherlands again. 

I will pause real-time protection during the test when the connectivity is sluggish (and report back). 

Edited by bouke
Addition with regards to pausing real-time protection.

A quick update as I was tinkering with the file server. When I open "Sessions" under "Shared Folders" in "Computer Management" the list becomes populated with sessions. The issue is that the list disappears (clears) and then reappears. This happens 2 - 3 times in a row. And sometimes it "loops". I can only stop this by pausing antivirus and antispyware protection. This is at the server. 

What I did notice too is that - after enabling Antivirus and antispyware protection again - Server Security informs me about a security risk. The alert reads: Security alert; Email protection by client plugins is non-functional; The functionality could not be started and your computer is not protected against some types of threats. I can just dismiss this and everything seems to be fine. But after a few minutes the problem is present again. The status in ESET reads that everything is fine after logging in again. 


  • Administrators
2 hours ago, bouke said:

I can only stop this by pausing antivirus and antispyware protection.

The best would be if you could narrow it down and pause only real-time protection. If that makes a difference, you can try fiddling with real-time protection scan-on-event settings.


I might have found something.

What I did notice is that the problem appears after some time (days). I did notice 3 things:

  1. the "Idle session time (min)" was insanely high: 14.400 minutes
    - I did find this by running the "net server config" command
    - 14.400 minutes = 10 days (I believe the default is 15 minutes)
    - I suspect that the policy was to be set to 4 hours and was accidentally set to 240 hours...
  2. when the option "Protocol SMB" under "Intrusion Detection" (of the IDS) is active on both the server and the clients then the amount of (passive) sessions seem to increase (and I think it happens because how this option works - but I am not sure)
  3. the other file server (for the factory) doesn't have that much sessions during the day (less users connect to the shares and there are no home shares on that server). 

When I reboot the affected file server the idle states will be gone and the problem won't appear directly. It will take one or two days. 

What I did is to change the idle session time to 720 minutes (12 hours). I did read that the default is 15 minutes. 12 hours should be more than enough to avoid complaints about temporary disconnected home shares during the workday. I intend to change this to 180 minutes (as I think that's how it was conceived).

Besides that I could schedule a PowerShell command like the following which will clear any session older than 15 minutes to be run in the morning (eg at 05:00 in the morning): 

Get-SmbSession | Where-Object {$_.SecondsExists -gt 900} | Close-SmbSession -Force

I can check the sessions with the "net server config" command again or list the session with PowerShell:

Get-SmbSession

Please note the difference: net server config is in minutes and Get-SmbSession is in seconds ($_.SecondsExists).

Further reading:

Please note the difference between LanmanServer and LanmanWorkstation! I am applying the idle session time for the file server - so I have to apply the time to "KeepConn" under "LanmanServer".


I did also notice something else:

When I look around in documentation the value should be entered in seconds but it looks like these are minutes!

When I check the sessions there are sessions connected >6 minutes. So, the value "360" is not in seconds. 


  • Solution

I think this is resolved.

The parameter autodisconnect under LanmanServer was set wrongly. 

Apparently the KeepConn parameter under LanmanWorkstation (for workstations) has to be set in seconds but the parameter AutoDisconnect under LanmanServer (for servers) has to be set in minutes.

The latter parameter was set too high resulting in a lot of (very) old sessions...

Edited by bouke
Typo
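An added example, not part of the original posts: a PowerShell audit for the unit mix-up described in the solution, reading the server idle timeout (minutes) and the client KeepConn (seconds) through the SMB cmdlets and listing sessions that have been idle too long. The 240-minute ceiling and the -CloseStale switch are assumptions for illustration; it filters on SecondsIdle rather than SecondsExists so that long-lived but active sessions are left alone.

```powershell
# Added example, not from the thread. Run elevated on the file server.
# $MaxAutoDisconnectMinutes is an assumed policy ceiling; set it to your own.
param(
    [int]$MaxAutoDisconnectMinutes = 240,
    [switch]$CloseStale   # hypothetical switch: also close idle sessions with no open files
)

# Server side (LanmanServer): AutoDisconnectTimeout is expressed in MINUTES.
$server     = Get-SmbServerConfiguration
$serverIdle = [TimeSpan]::FromMinutes($server.AutoDisconnectTimeout)

# Client side (LanmanWorkstation): KeepConn is expressed in SECONDS.
$client     = Get-SmbClientConfiguration
$clientIdle = [TimeSpan]::FromSeconds($client.KeepConn)

# Show both timeouts in the same unit so a minutes/seconds mix-up is obvious.
[pscustomobject]@{
    ServerAutoDisconnect = $serverIdle
    ClientKeepConn       = $clientIdle
    ServerValueTooHigh   = $server.AutoDisconnectTimeout -gt $MaxAutoDisconnectMinutes
} | Format-List

# Get-SmbSession reports SecondsIdle and SecondsExists in SECONDS.
$limitSeconds = $MaxAutoDisconnectMinutes * 60
$stale = @(Get-SmbSession | Where-Object { $_.SecondsIdle -gt $limitSeconds })

$stale |
    Sort-Object SecondsIdle -Descending |
    Select-Object ClientComputerName, ClientUserName, NumOpens,
        @{ Name = 'Idle'; Expression = { [TimeSpan]::FromSeconds($_.SecondsIdle) } },
        @{ Name = 'Age';  Expression = { [TimeSpan]::FromSeconds($_.SecondsExists) } } |
    Format-Table -AutoSize

Write-Output ("{0} session(s) idle longer than {1} minutes" -f $stale.Count, $MaxAutoDisconnectMinutes)

if ($CloseStale) {
    # Only close sessions that hold no open files, to avoid interrupting a save.
    $stale | Where-Object { $_.NumOpens -eq 0 } | Close-SmbSession -Force
}
```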
