Solved

Sharepoint's performance with TrendMicro IPS & DeepSecurity

Posted on 2014-04-15
Last Modified: 2014-04-20
I've heard that Symantec Endpoint Security has issues (performance
& sort of locking) with MS SharePoint.

Q1:
Do TrendMicro's IPS agent & TrendMicro's anti-virus software
have similar or known performance (& locking & impact to SharePoint's
NTLM & Kerberos authentication) issues with MS SharePoint?

Q2:
One site requests for Symantec Endpt Security to exclude Sharepoint
& MS HL7 from being scanned.  Is it generally acceptable to Security
Governance to exclude Sharepoint folders & its DB from IPS & malware
/AV scan?  Or can someone pinpoint specific files to exclude to improve
the performance?

Q3:
Can someone point me to URLs/links that document known TrendMicro IPS &
anti-malware/virus performance issues with SharePoint & HL7?
Question by:sunhux
4 Comments
 

Assisted Solution

by:Mohit Nair
Mohit Nair earned 20 total points
Q1: Do TrendMicro's IPS agent & TrendMicro's anti-virus software
have similar or known performance (& locking & impact to SharePoint's
NTLM & Kerberos authentication) issues with MS SharePoint?
Ans: Nothing against Symantec, but yes, Trend Micro antivirus doesn't consume much CPU as compared to Symantec when it comes to scanning or filtering. So the performance risk is less. No locking impact, and it's independent of the type of authentication used in SharePoint.

Q2:
One site requests for Symantec Endpt Security to exclude Sharepoint
& MS HL7 from being scanned.  Is it generally acceptable to Security
Governance to exclude Sharepoint folders & its DB from IPS & malware
/AV scan?  Or can someone pinpoint specific files to exclude to improve
the performance?
Ans: Rather than using Symantec Endpoint Security, try Trend Micro PortalProtect for SharePoint. That's the product you need to avoid breaking security governance.

Q3:
Can someone point me to URLs/links that document known TrendMicro IPS &
anti-malware/virus performance issues with SharePoint & HL7?
Ans: Not that I have come across, but I would suggest you call Trend Micro customer support for this information when you buy the subscription. They will be happy to help.

Author Comment

by:sunhux
Yes, I did call up TM cust support & the reply was there's no known
performance/locking impact.  However, TM advised if clustering
solutions with heartbeat is used, avoid certain TM's IPS signature.

Trying to get a 2nd opinion here in EE.

Other than Windows OS & Redhat OS clustering, an acquaintance
suggested that heartbeat could be used in applications clustering
too.

What are the apps that send heartbeat?  Oracle RAC?  Glassfish?
Weblogic?   Can anyone list out any other apps?

Accepted Solution

by:
btan earned 480 total points
If it is SharePoint, I see TM more on leveraging PortalProtect from the application front end, and you can probably catch this whitepaper (pdf) on TM performance using this and best practice for performance tuning (they compared it with Forefront, though not SEPM). Another simplified shorter version is available here (pdf).

PortalProtect integrates tightly with Microsoft SharePoint. For PortalProtect to perform optimally, it is recommended that you follow and implement the recommendations from Microsoft’s Best Practice Analyzer Tool. Trend Micro worked closely with Microsoft to include the recommended settings for SharePoint in this tool. Make sure all the settings for both SharePoint and PortalProtect are implemented to allow both products to perform optimally.
The following files and directories should be excluded from the file-based anti-virus scanner running in the SharePoint servers:
- Backup folder (Default folder: \PortalProtect\storage\backup)
- Temp folder (Default folder: \PortalProtect\Temp)
- SharedResPool folder (Default folder: \PortalProtect\SharedResPool)

There is also a generic scan exclusion list from TM:

Microsoft SharePoint Portal Server
- <drive>:\Program Files\SharePoint Portal Server
- <drive>:\Program Files\Common Files\Microsoft Shared\Web Storage System
- <drive>:\Windows\Temp\Frontpagetempdir
- M:\

Microsoft SharePoint Servers Foundation 2010
- Drive:\Program Files\Common Files\Microsoft Shared\Web Server Extensions
- Drive:\Windows\Microsoft.NET\Framework64\v2.0.50727\Temporary ASP.NET Files
- Drive:\Users\ServiceAccount\AppData\Local\Temp
- Drive:\Users\Default\AppData\Local\Temp
- Drive:\Users\<the account that the search service is running as>\AppData\Local\Temp
- Drive:\WINDOWS\system32\LogFiles
- Drive:\Windows\Syswow64\LogFiles

Microsoft also has advice: "Certain folders may have to be excluded from antivirus scanning when you use file-level antivirus software in SharePoint".

For TM using PortalProtect, its risk scan using IntelliScan has an option that uses “true file type” identification, and it is recommended to enable it as compared to an option such as "Specified file type" that can have a performance impact. We will want to catch those file extension changes (e.g. exe to txt etc.) that attempt to bypass the scan based on that too, and skip those that are not executable (also to reduce false positives and for performance optimization).

Likewise, we also want to take note that a manual scan in general will require significant server resources. Hence it is better to make sure we understand the settings and target databases. It is not very optimal to run manual scans outside of regular business hours unless absolutely necessary. And if incremental scans are viable given the performance impact, we can leverage that if the product supports it, e.g. TM can configure incremental scanning to scan only content since the last scheduled/manual scan occurred.

Always subscribe to performance alerts for disk space, service failure restart, quarantine file oversize, scanning delayed, and failure to push signatures to clients, as they are symptoms of a "failing server".
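An added example, not part of the original answer and not Trend Micro or Microsoft tooling: a Python check that compares the exclusions actually configured on a server against the SharePoint Foundation 2010 folders listed above and flags any entry that is broader than, or outside, that list. The `configured` entries are constructed sample data, and the per-account Temp folders are left out because account names are site-specific.

```python
from pathlib import PureWindowsPath

# Approved folders: the SharePoint Foundation 2010 entries quoted above, with the
# "Drive:" placeholder dropped so any drive letter matches. The per-account
# ...\AppData\Local\Temp entries are omitted (account names are site-specific).
APPROVED = [
    r"\Program Files\Common Files\Microsoft Shared\Web Server Extensions",
    r"\Windows\Microsoft.NET\Framework64\v2.0.50727\Temporary ASP.NET Files",
    r"\WINDOWS\system32\LogFiles",
    r"\Windows\Syswow64\LogFiles",
]

def _parts(path):
    """Folder components without the drive, lowercased because Windows
    paths compare case-insensitively."""
    p = PureWindowsPath(path)
    parts = p.parts[1:] if p.anchor else p.parts
    return tuple(s.lower() for s in parts)

APPROVED_PARTS = [_parts(a) for a in APPROVED]

def classify(exclusion):
    e = _parts(exclusion)
    if any(e[:len(a)] == a for a in APPROVED_PARTS):
        return "approved"    # an approved folder, or something inside it
    if any(a[:len(e)] == e for a in APPROVED_PARTS):
        return "too-broad"   # a parent of an approved folder, up to a whole drive
    return "unlisted"        # not related to anything on the approved list

def audit(configured):
    """Return (path, verdict) for every exclusion that needs review."""
    results = [(c, classify(c)) for c in configured]
    return [r for r in results if r[1] != "approved"]

# Constructed sample of what a server's AV exclusion list might contain.
configured = [
    r"D:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\14\LOGS",
    r"c:\windows\SYSTEM32\logfiles",
    r"C:\Windows",
    "E:\\",
    r"C:\inetpub\wwwroot",
]

if __name__ == "__main__":
    for path, verdict in audit(configured):
        print(f"{verdict:10} {path}")
```

Entries reported as too-broad or unlisted are the ones to take back to security governance, since every excluded folder is a location the file-level scanner no longer inspects.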