Serieus performance issues on Mac computers

[Marco Maes 1]

Hello,

 

This week, we started to use ESET Endpoint Security Advanced for Mac. Here is some information about our implementation.

We use ESET Remote Administrator:

ESET Remote Administrator (Server), Version 6.4.304.0

ESET Remote Administrator (Web Console), Version 6.4.281.0

 

At the time of posting this topic, we have 32 Clients using ESET Endpoint Security Advanced for Mac version 6.3.85.1 and all are deployed using the EraAgentInstaller generated by the ERA Server.

 

The clients all have different OS versions. The oldest is 10.10.5 and the most recent is 10.12.1.

 

We applied the policy that was build in: Antivirus - Maximum security. Then we also applied a custom policy to exclude TimeMachines from being scanned as everybody is connected to a TimeMachine on our NAS (Synology). The policy defines the following folders from being excluded in Real Time Scanning:

/Volumes/*/*.sparsebundle/*.*

/Volumes/*/Backups.backupdb/*.*

/Volumes/Time Capsule/*.*

/Volumes/Time Machine/*.*

/Volumes/Time Machine Backups/*.*

 

Since everybody is using this configuration, everybody is complaining about performance issues. Here are some of the complaints:

• A spinning "beachball"
• E-mail extremely slow (seconds to switch between two e-mails (using secure IMAP)
• Laptops that cannot reboot without a hard reset
• Complete random freezes for a few seconds
• Webpages sometimes won't load

For now we lowered the policy from Antivirus - Maximum security to Antivirus - Balanced to see what happens. But I cannot believe that a good protection provided by ESET has this much impact that systems our barely usable anymore.

 

Can someone help? Maybe there are more people with the same problems... Or better, maybe someone knows a solutions.

[j-gray 26]

Perhaps similar issues to this thread:  https://forum.eset.com/topic/8696-eset-endpoint-security-for-mac-os-x-startup-issue/

 

At least for us, performance is OK once we get passed the delay at startup/logon. Are you in an Active Directory environment?

 

I would recommend disabling all but real-time protection, and setting it to the least restrictive settings. Then enable other pieces bit by bit to see what causes the most performance issues.

 

It will be slow and painful, but there appears to be little support from ESET for the Mac clients --my ticket is going on 2 months now with little response.

[JennerFrancis 0]

Been there man, it sucks. Here's some tweaks to get your group back up and running:

1. Disable system file startup scans. You can only turn them off through ERA. 
2. Disable email file startup scans thru ERA.
3. Disable email client and email scanning thru ERA.

After a fresh client install the machine will have some lag processing all of the definition updates. Should subside after the third restart. Also, ESET's repository has a horrible slow pipe, we ended up creating an internal update mirror to bypass every client dialing back to ESET's repository. 

 

Good luck!

[kingoftheworld 10]

Please open tickets with support!  Those of us that have are often not getting anywhere because there hasn't been enough people reporting the issue.

[tmuster2k 22]

Using the Maximum Security option is not ideal. This is not the default setting after installing a ESET Stand alone product. The default provides security and performance. MAX security will add latency based on the extra scanning it is doing outside of the default settings. 

[Marco Maes 1]

Tnx for the responses and tips. I opened a ticket as you suggested en we are working on it. Will let you know when the problem is fixed and how it was fixed. Till then, let's try your ideas by turning everything off and slowly turning things on...

[Peter Randziak 924]

Hello guys,

 

we have few reports of such behavior, but sadly we were not able to reproduce it in-house, which would speed the analysis a lot.

Does anyone know steps how to reproduce it? Let's assume I have just a clean MAC computer and I would deliberately like to have the issue.

If not it would help us to know, which protection layer causes it. I would recommend to disable all of them on a testing device and turn on by one on and let us know.

 

Thank you for your help, P.R.

[j-gray 26]

Thanks for posting, Peter.

 

In our case (refer to my link above), it's strictly a startup issue and affects all OS X clients (we have 10.11.5 and 10.11.6).

 

The clients are joined to Active Directory via OS X native Directory Utility.

We've disabled all components, except real-time protection, and set those options to least impact.

Then; install the agent via ERA, then install the AV client via ERA.

On subsequent network/domain logins, the systems hang for 2-5 minutes until the ESET icon finally appears in the menu bar. After that, everything appears to function properly.

 

We have no unusual applications or configurations that should cause issues or conflict with AV.

[kingoftheworld 10]

Thanks for posting, Peter.

 

In our case (refer to my link above), it's strictly a startup issue and affects all OS X clients (we have 10.11.5 and 10.11.6).

 

The clients are joined to Active Directory via OS X native Directory Utility.

We've disabled all components, except real-time protection, and set those options to least impact.

Then; install the agent via ERA, then install the AV client via ERA.

On subsequent network/domain logins, the systems hang for 2-5 minutes until the ESET icon finally appears in the menu bar. After that, everything appears to function properly.

 

We have no unusual applications or configurations that should cause issues or conflict with AV.

What version of ESET Endpoint are you running?

[grettir 0]

We've been battling almost identical issues here.

 

First of all, keep in mind that managed Mac clients may be ignoring exclusions right now, and ESET + Time Machine can bring a system to its knees. See: https://forum.eset.com/topic/9793-excluded-directories-still-being-scanned-by-managed-mac-clients/

 

[Note: I see that you already replied to that thread. Glad to be of help! ]

 

Second, you might want to try disabling Web Access Protection and Email Client Protection, at least as a troubleshooting step. We were experiencing hard locks when connecting to wireless networks, random 1-2 minute system freezes w/beachballing, etc. Early testing with Web Access Protection and Email Client Protection both disabled shows a marked reduction in those symptoms. And previous bugs/fixes involving Web Access Protection sound suspiciously like what we're experiencing:

Often esets_daemon freezes OS X completely for about one minute before a number of other issues occur, such as esets_proxy no longer functioning, module errors, and more.

…and…

Fixed: esets_proxy deadlock causing the HTTP freeze.

…and…

Fixed: Problems loading websites when Web Access Protection is turned on.

Edited October 21, 2016 by grettir

[j-gray 26]

What version of ESET Endpoint are you running?

We were initially running 6.2.7.0 with agent 6.3.110.0.  I've moved a dozen or so to 6.3.85.0 with the latest agent, 6.4.232.0.

 

We've had to remove ESET from the rest.

[Peter Randziak 924]

Hello j-gray,

 

we would like to reproduce it internally here, but I'm not sure about the exact steps ;-(

 

you stated, that only real-time protection is enabled, right? It does not help, so it has to be that particular feature. Would it be possible for you to send me an exported configuration from such machine? Or even better with the info_get script output as described here?: hxxp://support.eset.com/kb3404/can you please run it right after the issue occurred?

 

Later in the steps you mentioned you pushed an agent and the Endpoint itself, so it means that the Endpoint was installed before in an non-managed environment?

 

It there an protection, which disabling resolves the issue, or you have to uninstall the endpoint completely?

 

Thank you, P.R.

[j-gray 26]

Hello j-gray,

 

we would like to reproduce it internally here, but I'm not sure about the exact steps ;-(

 

you stated, that only real-time protection is enabled, right? It does not help, so it has to be that particular feature. Would it be possible for you to send me an exported configuration from such machine? Or even better with the info_get script output as described here?: hxxp://support.eset.com/kb3404/can you please run it right after the issue occurred?

 

Later in the steps you mentioned you pushed an agent and the Endpoint itself, so it means that the Endpoint was installed before in an non-managed environment?

 

It there an protection, which disabling resolves the issue, or you have to uninstall the endpoint completely?

 

Thank you, P.R.

Yes, at this point, real-time protection is the only component enabled. Initially we had most components enabled (phishing, email and web) but in an effort to make the software function at all, we disabled those components. It's a little better, but still has major performance issues.

 

I tried to attach an exported config, but the file type is not permitted. I've also sent multiple logfiles to support from the info_get script. They should be attached to my support case.

 

Our process is generally as follows; install OS or push image, join to domain, install other software (MS-Office, Adobe, etc.), install agent manually using live installer. Once the system(s) appear in ERA, the AV is pushed out. Same policy is applied to all Macs using dynamic group (OS = OS X).  We do not apply the agent to images. It is always installed manually after imaging.

 

I will try disabling real-time protection to see if that makes a difference. We've generally just uninstalled it completely, leaving only the agent.

Edited October 24, 2016 by j-gray

[BeardedAnalyst 0]

We are having the same issue as @MarcoMaes