Solved

Mandiant security software blocking workstation I/O?

Posted on 2013-02-03
Last Modified: 2014-01-09
A client workstation is showing pathetic I/O performance (read and write).  The problem was observed copying a large number of small text files and backing up a large (5G) mySQL database (mySQLServer installed locally).  
The laptop is new, good hardware, Win7, 64bit, SSD drive.  Antivirus was disabled.  The only difference between the machine and other very similar laptops used to compare is:  the laptop is part of a corporate environment that requires Mandiant software.
Browsing their website, Mandiant looks like "military-style" security.  Their response is total denial.
Has anyone observed the same thing?
Question by:Francois Koutchouk
12 Comments
 
LVL 13

Accepted Solution

by:
Alexios earned 600 total points
ID: 38850332
Hello
I think you are correct

Mandiant is the cause regardless of whether it is disabled or not

I experience similar behavior with other "heavy" software firewalls
0
 
LVL 2

Author Comment

by:Francois Koutchouk
ID: 38851225
Thank you kostasp -- were you able to demonstrate it -- perhaps screenshots of Task Manager or Performance Monitor?
0
 
LVL 13

Expert Comment

by:Alexios
ID: 38851291
No, unfortunately not.
I did not keep proof

Even when disabled, I noticed very strange behavior compared to other systems in the same network.
The symptoms:
not accessing specific internet sites, not opening installed software which required an internet connection, network delays in file transfers without any other cause.

Finally I realized that the firewall was responsible because I uninstalled it and everything went back to normal
0
 
LVL 56

Expert Comment

by:McKnife
ID: 38853063
> Has anyone observed the same thing?
How can we tell? You don't say WHAT you observe. We need numbers and exact descriptions.
> Antivirus was disabled
Disabling AV software does not rule out it's the culprit. You would have to uninstall it and restart because disabling does not remove the filter drivers of the AV software.
0
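
Added example, not part of the thread: one way to check the point made in the comment above, that a "disabled" product can still have its file-system filter drivers loaded. It parses the output of Windows' `fltmc filters` and flags filters whose altitude falls in the security-related load-order groups; the sample output and the `Example*` driver names are constructed, and the function names are this example's own.

```python
import re
import subprocess

# Half-open altitude bands from Microsoft's published minifilter load-order
# groups; only the two groups typical of security tooling are listed.
ALTITUDE_GROUPS = [
    (360000, 390000, "FSFilter Activity Monitor"),
    (320000, 330000, "FSFilter Anti-Virus"),
]

# Constructed sample of `fltmc filters` output; the Example* names are made up.
SAMPLE = """\
Filter Name                     Num Instances    Altitude    Frame
------------------------------  -------------  ------------  -----
ExampleEdrMon                           3       385100         0
ExampleAvFlt                            0       328400         0
ExampleAvScan                           3       321200         0
luafv                                   1       135000         0
"""

ROW = re.compile(r"^(\S+)\s+(\d+)\s+(\d+(?:\.\d+)?)\s+(\d+)$")

def group_for(altitude):
    """Map an altitude to its load-order group, or None if not listed above."""
    for low, high, name in ALTITUDE_GROUPS:
        if low <= altitude < high:
            return name
    return None

def parse_filters(text):
    """Return (name, instances, altitude, group) for each loaded minifilter."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())  # header and separator lines do not match
        if m:
            alt = float(m.group(3))
            rows.append((m.group(1), int(m.group(2)), alt, group_for(alt)))
    return rows

def still_attached(text):
    """Names of security-group filters attached to at least one volume."""
    return [name for name, inst, _, grp in parse_filters(text) if grp and inst > 0]

def live_output():
    """Windows only, elevated prompt: capture the real `fltmc filters` output."""
    return subprocess.run(["fltmc", "filters"], capture_output=True,
                          text=True, check=True).stdout
```

On the affected machine, `still_attached(live_output())` run before and after disabling a product shows whether its filters actually detached.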
 
LVL 2

Author Comment

by:Francois Koutchouk
ID: 38853447
@McKnife:
> How can we tell? You don't say WHAT you observe.
I did: The problem was observed copying a large number of small text files and backing up a large (5G) mySQL database (mySQLServer installed locally).
Second test was copying 517,431 small files in 3,499 directories for a total of 1.57G.
> We need numbers and exact descriptions.
MySQL export: 3' for the MySQL export on reference machine, 60' on the Mandiant machine
Copy: 6' on the benchmark machine, we gave up after a few hours on the Mandiant-enabled machine.
> Disabling AV software does not rule out it's the culprit. You would have to uninstall it and restart because disabling does not remove the filter drivers of the AV software.
True, but we've encountered antivirus performance issues before, from the same vendor, and disabling improved performance significantly.   The only difference between this site and others is the existence of Mandiant.

The attitude seems "It can't possibly be Mandiant, you must prove it is us" -- impossible to do without specific technical information.
0
 
LVL 56

Expert Comment

by:McKnife
ID: 38854120
No, I don't want you to prove anything, just be more descriptive about the problem.
How are you copying, from SSD to network drive? Same for backup? What speeds did you measure, what does "pathetic" mean here in MB/s?
Why not uninstall AV for a start?
Why not uninstall Mandiant? Can't you save its settings (if those are stored locally)?
And: when did this start?
0
 
LVL 2

Author Comment

by:Francois Koutchouk
ID: 38856174
- Yes, copying entirely locally, from SSD to same SSD.   "Pathetic" is my qualifier when something that takes 3' on one machine takes 60' on another.  Or generally speaking anything that takes 10 times longer.
- AV was uninstalled.
- There is no option to uninstall Mandiant -- many processes on the machine are undocumented.  It looks like the Mandiant software must be uninstalled from a central location.
- It is a brand new machine, with the required "corporate" image installed on it.   We first saw a problem on the regular hard drive.  Then swapped for an SSD (the thought occurred that perhaps the drive was bad).
0
 
LVL 56

Expert Comment

by:McKnife
ID: 38858299
OK, about my last question: was there no action/installation you can tie to the start of that slowness? If not, I would give it a last try:
- exchange the SATA cable (unlikely though)
- update the SATA controller's driver
If it is no better then, ask central administration for help. Maybe they will be able to reinstall Mandiant for a test. If that does not help either, you would have to reinstall or dive into monitoring software like procmon to see what the disk is doing while being so slow.
0
 
LVL 2

Author Comment

by:Francois Koutchouk
ID: 38858351
@McKnife -- brand new machine, brand new "corporate" image, so nothing was added or changed to induce slowness.
SATA controller / driver: good point.  We ran ATTO Disk Benchmark (http://www.attotech.com).  Strangely, the performance reported is not so bad for the drives/laptop -- we tested before and after swapping to an SSD.  So we discarded hardware issues.
Here lies perhaps a hint: whatever ATTO Benchmark does seems to be staying under the radar of Mandiant.  But I can't figure out what the difference is between their I/O simulation and, say, mySQL backup or file copies (direct access, no files involved?)

As for getting help from Central Administration, no luck here.  They passed it on to Mandiant Tech Support.  Their response (indirect, they won't talk to us lowly civilians), no way, no-how, prove it that it is us.

Which brings me back to this thread...
0
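
Added example, not part of the thread: a sequential benchmark on one large test file is dominated by data transfer, while copying hundreds of thousands of small files is dominated by per-file create, open and close operations, which are the operations file-system filter drivers hook. The script below copies the same byte count both ways so the two cases can be compared with numbers; the default file size approximates the thread's average (1.57G over 517,431 files, about 3 KB), and all function names are this example's own.

```python
import os
import shutil
import tempfile
import time

def write_tree(root, n_files, size):
    """Create n_files files of `size` bytes each, spread over subdirectories."""
    payload = b"x" * size
    for i in range(n_files):
        sub = os.path.join(root, "d%03d" % (i % 50))
        os.makedirs(sub, exist_ok=True)
        with open(os.path.join(sub, "f%06d.txt" % i), "wb") as fh:
            fh.write(payload)

def timed_copy(src, dst):
    """Copy a directory tree and return the elapsed seconds."""
    start = time.perf_counter()
    shutil.copytree(src, dst)
    return time.perf_counter() - start

def compare(n_files=2000, file_size=3072, base=None):
    """Copy the same byte count as many small files and as one large file."""
    work = tempfile.mkdtemp(dir=base)  # base: directory on the drive under test
    try:
        small, large = os.path.join(work, "small"), os.path.join(work, "large")
        write_tree(small, n_files, file_size)
        write_tree(large, 1, n_files * file_size)
        t_small = timed_copy(small, os.path.join(work, "small_copy"))
        t_large = timed_copy(large, os.path.join(work, "large_copy"))
        copied = sum(len(f) for _, _, f in os.walk(os.path.join(work, "small_copy")))
        total_mb = n_files * file_size / 1e6
        return {
            "files_copied": copied,
            "small_ms_per_file": 1000 * t_small / n_files,
            "small_mb_s": total_mb / t_small,
            "large_mb_s": total_mb / t_large,
            "slowdown": t_small / t_large,
        }
    finally:
        shutil.rmtree(work, ignore_errors=True)

if __name__ == "__main__":
    for key, value in compare().items():
        print("%-18s %s" % (key, value))
```

Run it with the same arguments on the reference machine and on the affected one; the freshly written source files are read back from the OS cache, so the difference between machines in `small_ms_per_file` is more telling than the absolute MB/s figures.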
 
LVL 56

Expert Comment

by:McKnife
ID: 38858516
If a brand new machine is slow as hell for whatever reason, it has to be returned. The end user does not need to bother, return it.
Generally speaking: if the suspected problem (Mandiant) cannot be removed, troubleshooting comes to a halt. You could do the monitoring, but that is an expert task and it's not really easy to support you with that on a forum.
0
 
LVL 2

Author Comment

by:Francois Koutchouk
ID: 38860722
@McKnife:  the machine is fine for "mundane" tasks, like email, Word and accessing corporate IT sites.  It is useless for anything involving serious local file-based I/O.  

The point of this question was to see if other users have experienced similar issues with Mandiant and managed to find a solution short of removing it completely.  Or perhaps got through Mandiant tech support.

Thank you for your help.  Let's keep this open a little longer... just in case someone with Mandiant expertise (or from Mandiant, who knows, perhaps they want to help improve their own software...) shows up.
0
 
LVL 2

Author Closing Comment

by:Francois Koutchouk
ID: 39767830
No specifics were found on Mandiant performance impact.
0
