Solved

Mandiant security software blocking workstation I/O?

Posted on 2013-02-03
417 Views
Last Modified: 2014-01-09
A client workstation is showing pathetic I/O performance (read and write).  The problem was observed copying a large number of small text files and backing up a large (5G) mySQL database (mySQLServer installed locally).  
The laptop is new, good hardware, Win7, 64bit, SSD drive.  Antivirus was disabled.  The only difference between the machine and other very similar laptops used to compare is:  the laptop is part of a corporate environment that requires Mandiant software.
Browsing their website, Mandiant looks like "military-style" security.  Their response is total denial.
Has anyone observed the same thing?
Question by: FKoutchouk

12 Comments
Accepted Solution by: Alexios (LVL 13, earned 300 total points)
Hello,
I think you are correct.

Mandiant is the cause regardless of whether it is disabled or not.

I experienced similar behavior with other "heavy" software firewalls.
Author Comment by: FKoutchouk (LVL 1)
Thank you kostasp -- were you able to demonstrate it -- perhaps screenshots of Task Manager or Performance Monitor?
Expert Comment by: Alexios (LVL 13)
No, unfortunately not.
I did not keep any proof.

Even disabled, I noticed very strange behavior compared to other systems on the same network.
The symptoms:
not accessing specific internet sites, not opening installed software which required an internet connection, network delays in file transfers without any other cause.

Finally I realized that the firewall was responsible, because I uninstalled it and everything went back to normal.
Expert Comment by: McKnife (LVL 53)
> Has anyone observed the same thing?
How can we tell? You don't say WHAT you observe. We need numbers and exact descriptions.
> Antivirus was disabled
Disabling AV software does not rule out it's the culprit. You would have to uninstall it and restart because disabling does not remove the filter drivers of the AV software.
Author Comment by: FKoutchouk (LVL 1)
@McKnife:
> How can we tell? You don't say WHAT you observe.
I did: The problem was observed copying a large number of small text files and backing up a large (5G) mySQL database (mySQLServer installed locally).
Second test was copying 517,431 small files in 3,499 directories for a total of 1.57G.
> We need numbers and exact descriptions.
MySQL export: 3' for the MySQL export on the reference machine, 60' on the Mandiant machine.
Copy: 6' on the benchmark machine; we gave up after a few hours on the Mandiant-enabled machine.
> Disabling AV software does not rule out it's the culprit. You would have to uninstall it and restart because disabling does not remove the filter drivers of the AV software.
True, but we've encountered antivirus performance issues before, from the same vendor, and disabling improved performance significantly. The only difference between this site and others is the existence of Mandiant.

The attitude seems to be "It can't possibly be Mandiant, you must prove it is us" -- impossible to do without specific technical information.
Expert Comment by: McKnife (LVL 53)
No, I don't want you to prove anything, just be more descriptive about the problem.
How are you copying, from ssd to network drive? Same for backup? What speeds did you measure, what means "pathetic" here in MB/s?
Why not uninstall AV for a start?
Why not uninstall Mandiant? Can't you save its settings (if those are stored locally)?
And: when did this start?
Author Comment by: FKoutchouk (LVL 1)
- Yes, copying entirely locally, from SSD to same SSD.   "Pathetic" is my qualifier when something that takes 3' on one machine takes 60' on another.  Or generally speaking anything that takes 10 times longer.
- AV was uninstalled.
- There is no option to uninstall Mandiant -- many processes on the machine are undocumented. It looks like the Mandiant software must be uninstalled from a central location.
- It is a brand new machine, with the required "corporate" image installed on it.   We first saw a problem on the regular hard drive.  Then swapped for an SSD (the thought occurred that perhaps the drive was bad).
Expert Comment by: McKnife (LVL 53)
Ok, about my last question: was there no action/installation you can tie to the start of that slowness? If not, I would give it a last try:
- exchange the SATA cable (unlikely though)
- update the SATA controller's driver
If no better then, ask central administration for help. Maybe they will be able to reinstall Mandiant for a test. If that does not help either, you would have to reinstall or dive into monitoring software like procmon to see what the disk is doing while it is so slow.
Author Comment by: FKoutchouk (LVL 1)
@McKnife -- brand new machine, brand new "corporate" image, so nothing was added or changed to induce slowness.
SATA controller / driver: good point.  We ran ATTO Disk Benchmark (http://www.attotech.com).  Strangely, the performance reported is not so bad for the drives/laptop -- we tested before and after swapping to an SSD.  So we discarded hardware issues.
Here lies perhaps a hint: whatever ATTO Benchmark does seems to be staying under the radar of Mandiant.  But I can't figure out what the difference is between their I/O simulation and, say, mySQL backup or file copies (direct access, no files involved?)

As for getting help from Central Administration, no luck here. They passed it on to Mandiant Tech Support. Their response (indirect, they won't talk to us lowly civilians): no way, no-how, prove that it is us.

Which brings me back to this thread...
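Two points in this thread can be checked with numbers rather than argued: McKnife's remark that disabling an agent leaves its file-system filter driver loaded, and the observation above that a block-level benchmark like ATTO looks fine while many-small-file workloads crawl. The PowerShell script below is an added example, not something posted in this thread or shipped by Mandiant or ATTO. It lists the minifilter drivers attached to the volume with the built-in fltmc tool, then times a constructed workload (many small files versus one large file on the same SSD) and reports MB/s and files/s so two machines can be compared the way McKnife asked. $TestRoot, the file counts and the file sizes are assumed values; run it from an elevated prompt, since fltmc needs administrator rights.

```powershell
# Added diagnostic example (not from the thread): list attached minifilters and
# compare small-file vs. large-file copy throughput on the same volume.
# $TestRoot, $SmallCount, $SmallBytes and $LargeBytes are assumed values.
$TestRoot   = Join-Path $env:TEMP 'io-probe'
$SmallCount = 20000        # number of small files in the constructed workload
$SmallBytes = 2KB          # size of each small file
$LargeBytes = 256MB        # size of the single large file

# 1. Which file-system minifilters are in the I/O path? A security agent that is
#    "disabled" in its UI usually still has its filter loaded; only an uninstall
#    plus reboot removes it. Compare this list between the slow and fast machines.
Write-Host '=== Loaded minifilters (fltmc filters) ==='
fltmc filters
Write-Host "=== Filter instances on $(Split-Path -Qualifier $TestRoot) ==="
fltmc instances -v (Split-Path -Qualifier $TestRoot)

# 2. Build the two workloads with random (incompressible) content.
$SrcSmall = Join-Path $TestRoot 'small-src'
$SrcLarge = Join-Path $TestRoot 'large-src'
foreach ($d in $SrcSmall, $SrcLarge) {
    New-Item -ItemType Directory -Force -Path $d | Out-Null
}
$rng = New-Object System.Random
$buf = New-Object byte[] $SmallBytes
$tCreate = Measure-Command {
    for ($i = 0; $i -lt $SmallCount; $i++) {
        $rng.NextBytes($buf)
        [System.IO.File]::WriteAllBytes((Join-Path $SrcSmall "f$i.txt"), $buf)
    }
}
# Write the large file in 4 MB chunks so we never hold it all in memory.
$fs    = [System.IO.File]::Create((Join-Path $SrcLarge 'big.bin'))
$chunk = New-Object byte[] 4MB
for ($w = 0; $w -lt $LargeBytes; $w += $chunk.Length) {
    $rng.NextBytes($chunk)
    $fs.Write($chunk, 0, $chunk.Length)
}
$fs.Close()

# 3. Time a local copy of each workload (SSD to the same SSD, as in the thread).
$tSmall = Measure-Command {
    Copy-Item $SrcSmall (Join-Path $TestRoot 'small-dst') -Recurse
}
$tLarge = Measure-Command {
    Copy-Item (Join-Path $SrcLarge 'big.bin') (Join-Path $TestRoot 'big-copy.bin')
}

# 4. Report throughput. The small-file numbers are dominated by per-file
#    create/open/close cost, which every attached minifilter sees; the large-file
#    number is what a sequential benchmark on one file measures.
$smallMB = ($SmallCount * $SmallBytes) / 1MB
$largeMB = $LargeBytes / 1MB
New-Object PSObject -Property @{
    'create small files/s' = [math]::Round($SmallCount / $tCreate.TotalSeconds, 1)
    'copy small files/s'   = [math]::Round($SmallCount / $tSmall.TotalSeconds, 1)
    'copy small MB/s'      = [math]::Round($smallMB / $tSmall.TotalSeconds, 1)
    'copy large MB/s'      = [math]::Round($largeMB / $tLarge.TotalSeconds, 1)
} | Format-List

Remove-Item $TestRoot -Recurse -Force
```

Run it on the reference laptop and on the Mandiant-imaged one and compare the two tables. If the large-file MB/s figures are similar but the small-file figures differ by an order of magnitude, the cost is per-operation rather than per-byte, which is consistent with a filter driver inspecting every file open and close and explains why a single-file benchmark such as ATTO stays "under the radar". The fltmc listing tells you which filters are attached, and whether the security agent's filter is still present after it was supposedly disabled.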
Expert Comment by: McKnife (LVL 53)
If a brand new machine is slow as hell for whatever reason, it has to be returned. The end user does not need to bother, return it.
Generally speaking: if the suspected problem (mandiant) cannot be removed, troubleshooting comes to a halt. You could do the monitoring, but that is an expert task and it's not really easy to support you with that on a forum.
Author Comment by: FKoutchouk (LVL 1)
@McKnife:  the machine is fine for "mundane" tasks, like email, Word and accessing corporate IT sites.  It is useless for anything involving serious local file-based I/O.  

The point of this question was to see if other users have experienced similar issues with Mandiant and managed to find a solution short of removing it completely.  Or perhaps got through Mandiant tech support.

Thank you for your help.  Let's keep this open a little longer... just in case someone with Mandiant expertise (or from Mandiant, who knows, perhaps they want to help improve their own software...) shows up.
Author Closing Comment by: FKoutchouk (LVL 1)
No specifics were found on Mandiant performance impact.