Highlighted
Enthusiast
Enthusiast

DEM slow import/export with Carbon Black Protection

Hello Everyone,

I hope this is allowed. I realize that this is not really DEM issue but would like to see if there is anybody here in this forum that is using Instant Clones, DEM and has Carbon Black Protection installed on your clones.

What we are seeing here is that with CBP installed our logon times are roughly 60 seconds which includes writable and 1 appstack but with the CBP installed but put in Disabled mode my logons are around 30 seconds. I was able to track it down to DEM where imports are taking way longer with CBP enabled than without it installed or being disabled.

I have a case opened with CBP support but so far there is no progress. We have added kernell exlusions for Flexengine and built couple of optimization rules for Flex profiles but none of that seemed to help.

I'm hoping that since Carbon Black is now part of VMware that they will be able to figure it out sooner or later but figured that I might give it a shot here as well.

BTW we are currently on DEM 9.7 if that matters

Thanks in advance

9 Replies
Highlighted
VMware Employee
VMware Employee

Hi LukaszDziwisz,

I've seen DEM's registry import (i.e. DEM launching RegEdit.exe to import a .REG file) go from a few milliseconds to 10 seconds (plus a few milliseconds) with Carbon Black in the mix. Does that match the behavior you're seeing?

Excluding FLX*.TMP files from CB scanning allegedly resolves that, but I haven't had the opportunity to test that yet.

0 Kudos
Highlighted
Enthusiast
Enthusiast

hi DEMdev​,

That is exactly what I'm seeing. Those imports take upwards of 12 seconds even small ones. I'm aware of those exclusions on CB defense but cannot figure it out for CB Protection. CB Protection is a whitelisting application and not AV, exclusions don't really work that way here. We have added Kernel Process exclusions for Flexengine which should ignore anything that Flexengine is doing and also created optimization rules for Flexengine and still it takes that long. We will be deploying CB Defence on top of CB Protection later this year so that is good to know for exclusions but still wanted to resolve the CB Protection piece before we move on.

0 Kudos
Highlighted
VMware Employee
VMware Employee

Hi LukaszDziwisz,

Just goes to show how little I know about Carbon Black... Can you send the case number in a private message? Maybe I can (find someone to) help figure out what's going on between the two products.

0 Kudos
Highlighted
Enthusiast
Enthusiast

Hello DEMdev​,

I sent you a PM with the case number. I appreciate your assistance with it

Highlighted
Contributor
Contributor

We've been struggling with the same issue over the past few months.  We've had Carbon Black tickets open and tried various KernelFile and and KernelProcess exclusions with very minimal improvement.  Would be interested to know if you have any luck finding anything that helps improve the performance.

0 Kudos
Highlighted
Enthusiast
Enthusiast

Hello there,

Thank you for your input, it's great that there is someone else with the same issue as we are facing now. Too bad that it's still not resolved but hopefully they can finally figure it out. Did you have any specific exlusions/rules put in place that helped the most?

Do you still have your ticket opened? I wonder if we should exchange our ticket numbers and pass it onto our CB engineers so that they could talk?

0 Kudos
Highlighted
Enthusiast
Enthusiast

DEMdev

So one thing that support wants to try is to run FlexEngine as a login script vs GPO extension and then we do an optimization rule for it.

Do you see any  issues with this approach?

Also if I wanted to try it would I just configure a logon script similar to my logoff script just with no "-s" parameter and then just simply disable running it as GPO extension?

0 Kudos
Highlighted
VMware Employee
VMware Employee

Hi LukaszDziwisz,

That would be fine as an experiment, but is less than ideal in production. Running FlexEngine as a logon script is now mainly a legacy feature, apart from the -OfflineImport use case for physical scenarios. A logon script is "too late" to apply certain Windows configuration (like MUI personalization), and does not get any substantial coverage in our official test scenarios anymore.

To run FlexEngine.exe as a logon script:

  • Configure the Run FlexEngine as Group Policy Extension policy setting as Disabled or Not Configured.
  • Configure the Windows Run logon scripts synchronously policy setting (System | Scripts) as Enabled.
  • Add a logon script similar to your current logoff script, but with script parameter -r instead of -s.
0 Kudos
Highlighted
Enthusiast
Enthusiast

DEMdev

I agree I would not like to go that route either. For testing purposes I might give it a shot and see the difference but I would rather have CB support look into it deeper and come up with either an exclusion or optimization rule for that.

I'll keep you posted on our progress