LukaszDziwisz
Enthusiast

DEM slow import/export with Carbon Black Protection

Hello Everyone,

I hope this is allowed. I realize that this is not really a DEM issue, but I would like to see if there is anybody in this forum who is using Instant Clones and DEM and has Carbon Black Protection installed on their clones.

What we are seeing here is that with CBP installed our logon times are roughly 60 seconds (which includes a writable and 1 AppStack), but with CBP installed and put in Disabled mode my logons are around 30 seconds. I was able to track it down to DEM, where imports take way longer with CBP enabled than without it installed or with it disabled.

I have a case open with CBP support, but so far there is no progress. We have added kernel exclusions for FlexEngine and built a couple of optimization rules for Flex profiles, but none of that seemed to help.

I'm hoping that since Carbon Black is now part of VMware they will be able to figure it out sooner or later, but I figured that I might give it a shot here as well.

BTW, we are currently on DEM 9.7, if that matters.

Thanks in advance

16 Replies
DEMdev
VMware Employee

Hi LukaszDziwisz,

I've seen DEM's registry import (i.e. DEM launching RegEdit.exe to import a .REG file) go from a few milliseconds to 10 seconds (plus a few milliseconds) with Carbon Black in the mix. Does that match the behavior you're seeing?

Excluding FLX*.TMP files from CB scanning allegedly resolves that, but I haven't had the opportunity to test that yet.

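An added example, not posted by anyone in this thread: a PowerShell script that reproduces the operation DEMdev describes (a silent RegEdit.exe import of a .REG file) and times it, so you can check on a clone whether the import itself carries a fixed delay with CBP enabled versus disabled. The FLX*.tmp temp-file naming is mimicked on the assumption, taken from the reply above, that DEM stages its import data in such files; the test key name, value data and run count are constructed for the example.

```powershell
# Added example (not from the thread): time a RegEdit .REG import the way
# FlexEngine performs it, to see whether a CBP hook adds a fixed delay.
# Assumptions (not confirmed by the thread): DEM stages import data in a
# temp file named FLX*.tmp and runs regedit.exe /s on it; this mimics that.
# Run in a standard user's session on a clone with CBP enabled, then again
# with CBP disabled or the *.tmp exclusion applied, and compare the averages.

$TestKey = 'HKCU\Software\FlexImportTimingTest'   # throwaway key, removed at the end
$Runs    = 5

function New-TestRegFile {
    param([string]$Path)
    # Minimal "Windows Registry Editor Version 5.00" export: one key, two values.
    $lines = @(
        'Windows Registry Editor Version 5.00'
        ''
        "[$TestKey]"
        '"Marker"="constructed-sample"'
        '"Count"=dword:0000002a'
    )
    # Version 5.00 .REG files are UTF-16 LE ("Unicode" in Set-Content).
    $lines | Set-Content -Path $Path -Encoding Unicode
}

function Measure-RegImport {
    param([string]$RegFile)
    $elapsed = Measure-Command {
        # /s = silent import, matching FlexEngine's non-interactive use of regedit.
        $p = Start-Process -FilePath "$env:SystemRoot\regedit.exe" `
                           -ArgumentList '/s', "`"$RegFile`"" `
                           -Wait -PassThru -WindowStyle Hidden
        if ($p.ExitCode -ne 0) { Write-Warning "regedit exited with code $($p.ExitCode)" }
    }
    return $elapsed.TotalMilliseconds
}

$results = foreach ($i in 1..$Runs) {
    # Mimic the FLX*.tmp naming so a name-based exclusion (or its absence) is exercised.
    $tmp = Join-Path $env:TEMP ('FLX{0}.tmp' -f (Get-Random -Maximum 99999))
    New-TestRegFile -Path $tmp
    $ms = Measure-RegImport -RegFile $tmp
    Remove-Item -Path $tmp -Force
    [pscustomobject]@{ Run = $i; ImportMs = [math]::Round($ms) }
}

$results | Format-Table -AutoSize
'Average: {0} ms' -f [math]::Round(($results.ImportMs | Measure-Object -Average).Average)

# Confirm the import actually landed, then clean up the test key.
$marker = (Get-ItemProperty -Path ('Registry::' + $TestKey) -ErrorAction SilentlyContinue).Marker
if ($marker -ne 'constructed-sample') {
    Write-Warning 'Import did not apply; check whether registry editing tools are restricted by policy.'
}
Remove-Item -Path ('Registry::' + $TestKey) -Recurse -Force -ErrorAction SilentlyContinue
```

Run it as the same non-admin user the clones are meant for: regedit.exe requests elevation for administrators, so an admin session adds a UAC prompt to the timing. A few milliseconds per run points away from the import itself; a near-constant 10 seconds per run with CBP enabled, dropping to milliseconds with CBP disabled, matches the behaviour described above and narrows the problem to the import path.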
LukaszDziwisz
Enthusiast

Hi DEMdev,

That is exactly what I'm seeing. Those imports take upwards of 12 seconds, even small ones. I'm aware of those exclusions on CB Defense but cannot figure it out for CB Protection. CB Protection is a whitelisting application and not AV; exclusions don't really work that way here. We have added Kernel Process exclusions for FlexEngine, which should ignore anything that FlexEngine is doing, and also created optimization rules for FlexEngine, and still it takes that long. We will be deploying CB Defense on top of CB Protection later this year, so that is good to know for exclusions, but I still wanted to resolve the CB Protection piece before we move on.

DEMdev
VMware Employee

Hi LukaszDziwisz,

Just goes to show how little I know about Carbon Black... Can you send the case number in a private message? Maybe I can (find someone to) help figure out what's going on between the two products.

LukaszDziwisz
Enthusiast

Hello DEMdev,

I sent you a PM with the case number. I appreciate your assistance with it.

vinfunk15
Contributor

We've been struggling with the same issue over the past few months. We've had Carbon Black tickets open and tried various KernelFile and KernelProcess exclusions with very minimal improvement. I would be interested to know if you have any luck finding anything that helps improve the performance.

LukaszDziwisz
Enthusiast

Hello there,

Thank you for your input; it's great that there is someone else with the same issue we are facing now. Too bad that it's still not resolved, but hopefully they can finally figure it out. Did you have any specific exclusions/rules in place that helped the most?

Do you still have your ticket open? I wonder if we should exchange our ticket numbers and pass them on to our CB engineers so that they could talk.

LukaszDziwisz
Enthusiast

DEMdev,

So one thing that support wants to try is to run FlexEngine as a logon script instead of as a GPO extension, and then we create an optimization rule for it.

Do you see any issues with this approach?

Also, if I wanted to try it, would I just configure a logon script similar to my logoff script, just with no "-s" parameter, and then simply disable running it as a GPO extension?

DEMdev
VMware Employee

Hi LukaszDziwisz,

That would be fine as an experiment, but it is less than ideal in production. Running FlexEngine as a logon script is now mainly a legacy feature, apart from the -OfflineImport use case for physical scenarios. A logon script is "too late" to apply certain Windows configuration (like MUI personalization), and it does not get any substantial coverage in our official test scenarios anymore.

To run FlexEngine.exe as a logon script:

  • Configure the Run FlexEngine as Group Policy Extension policy setting as Disabled or Not Configured.
  • Configure the Windows Run logon scripts synchronously policy setting (System | Scripts) as Enabled.
  • Add a logon script similar to your current logoff script, but with the script parameter -r instead of -s.
LukaszDziwisz
Enthusiast

DEMdev,

I agree; I would not like to go that route either. For testing purposes I might give it a shot and see the difference, but I would rather have CB support look into it more deeply and come up with either an exclusion or an optimization rule for that.

I'll keep you posted on our progress.

antonpaloka
Contributor

I'd like to join this thread and offer any expertise, as I've spent over a year wondering where our issues stem from.

CBD - On its own, logon times are ideal, under 60s. This has other issues besides just logons.

CBP - This will send our logon times through the roof, 120s+. I have tried various exceptions, including marking flexengine.exe as an installer. I'm testing now with script rules, but ultimately I am leaning towards removing the product and offloading some of the items to other products.

LukaszDziwisz
Enthusiast

Our original deployment of CBP jumped our logon times by about 45 seconds. We were able to shave off 15-20 seconds by implementing a Kernel File level exclusion in Agent Config:

*.tmp:2094975

As for CB Cloud (Defense), it appears that you are in a similar time range, which I still think is overkill on its own and definitely affecting DEM.

We were roughly in the ballpark of 60 seconds (average user, 1 AppStack and 1 writable) with CBP for quite some time, and everyone just accepted it. Then we finally worked out the solution above, shaved off 15-20 seconds and were happy about it, until CB Cloud (Defense) was added to the mix.

I understand that security products will add some overhead to everything, but this is just overkill, and I cannot justify 2-minute logon times.

antonpaloka
Contributor

Curious what your exclusions on CBD look like. Are you on version 3.6.x?

LukaszDziwisz
Enthusiast

3.6.1941 is the version of the agent for CB Defense (Cloud).

8.1.10.88 is for CBP.

I have followed this article to the letter and added all exclusions listed in there for both the endpoint and server side. I added all exclusions to the "Performs any Operation" bypass, plus exclusions for FLX files (FLX*.tmp) in there as well.

https://techzone.vmware.com/resource/antivirus-considerations-vmware-horizon-environment

antonpaloka
Contributor

Same. I wonder if the two products are conflicting with one another, as they both check every file and there are obviously slight delays. I had the opposite experience from you: CBD alone I was under 60s, and adding CBP doubled it.

I initially worked with CBD and some high-level VMware EUC/Security staff and applied the exceptions that are currently in the documentation. I would love to get anywhere close to even 90s, which would help with users logging out.

May I ask some info on your kernel exclusion? Where do you add this?

LukaszDziwisz
Enthusiast

Technically, you shouldn't be doing kernel exclusions without support. Just saying, but I'm going to leave it up to you.

As for exclusions, it is not as straightforward as in other AV products, but you should be able to go to the Agent Config page on your CBP server. You can get there with the following URL: https://CBProtectServerName/agent_config.php. You should see some exclusions already added and created. In your case you would click on Add config, name it, and add the exclusions like this:

kernelFileOpExclusions=*.tmp:2094975

Then enable it and select the policies it should apply to.

antonpaloka
Contributor

Support told me kernel exclusions should be done by me or by professional services. 😁 So maybe they've changed their stance on it. I'm going to try to get some PS hours if I can't proceed with confidence on my own.
