epa80
Hot Shot
Hot Shot

Instant Clones and Deep Security - Higher CPU on DSVAs Causing Lag?

Jump to solution

We recently deployed a Windows 10 Instant Clone pilot pool to our users, and we've gotten a mixed bag of feedback. One specific thing we've heard is that the VMs seem slower. We kind of chalked it up to the switch from Windows 7 to Windows 10 just feeling slower because of the nature of the OSes, but, I'm wondering about another thing.

We utilize Deep Security agentless protection from Trend Micro as our anti-malware suite. One thing I found, is on clusters that are the Win 10/Instant Clone deployment, the Deep Security Virtual Appliance CPUs seem to be working considerably harder. I wouldn't say they're getting KILLED, but, they definitely are working harder.

Appliance on a Windows 10 Instant Clone Deployment:

win10ic.png

Appliance on a Windows 10 Linked Clone Deployment:

win10lc.png

The appliances are sized identically. The instant clone DSVA lives on a Dell PowerEdge r740xd vSan Ready Node. The linked clone DSVA lives on an identical r740xd vSan ready node. The LC Win 10 is version 1709 whereas the IC in 1809.

The anti-malware policy assigned to both pools served up is identical. It's essentially our custom Win 10 policy with exclusions we need for specific apps, as well as best practice exclusions included from here: Antivirus Considerations in a VMware Horizon Environment | VMware

Hoping someone knows of some strange Instant Clone outlier that isn't listed somewhere, because I'm kind of stumped.

Thanks in advance.

1 Solution

Accepted Solutions
epa80
Hot Shot
Hot Shot

Turns out our issue was actually an exception for an app we were unaware of. After digging in the logs with Trend Micro, we were seeing a log file getting scanned constantly. Put in an exception, and, well, you can see the difference.

dsva.png

View solution in original post

11 Replies
Lalegre
Virtuoso
Virtuoso

Hey epa80​,

When you say DSVA Instant Clone or Linked Clone you mean that the DSVAs are being deployed in different clusters to do the agenless protections to different type of VMs right (Instant Clones and Linked Clones). I assume like yes here.

It is weird actually but maybe something you can check is the next: https://success.trendmicro.com/solution/1115746-configuring-the-deep-security-virtual-appliance-dsva...

0 Kudos
epa80
Hot Shot
Hot Shot

Hi Lalegre​, thanks for the reply.

The DSVAs (Virtual appliances) are exclusive to their specific Horizon pool deployment, yeah. We actually have our pools separated by clusters. So in a nutshell:

VDI Cluster 1 has 6 hosts, and 1 pool is deployed there of all Windows 10 Linked Clones. The cluster has its own unique deployment of Guest Introspection and Deep Security appliances from NSX. They only know about this cluster/pool.

VDI Cluster 2 has 6 hosts, and 1 pool is deployed there of all Windows 10 Instant Clones. The cluster has its own unique deployment of Guest Introspection and Deep Security appliances from NSX. They only know about this cluster/pool.

I'll take a look at that KB you linked to. I also have a ticket open with Trend Micro. I was keeping my fingers crossed that someone here ha familiarity with this, and was maybe aware of some exclusion Instant Clones need that doesn't seem to be detailed anywhere. Long shot I know. Smiley Happy

epa80
Hot Shot
Hot Shot

I corrected this subject after the fact. I meant to say, as the body dictates, it's Deep Security Virtual Appliances that see a higher CPU workload when deployed to protect INSTANT CLONES on Windows 10 1809, than Linked Clones on Windows 10 1709.

Trend Micro reviewing logs. Looking to see if it's Instant Clone technology causing it, or 1709 vs. 1809.

0 Kudos
Lalegre
Virtuoso
Virtuoso

To be honest I never faced this issue but most propably the issue is related with the version of the Windows and the optimizations done to it as the Instant Clone or Linked Clone just have difference on how are they build but the OS is where the DSVA scans.

Have you done any customization and optimization to these Windows before creating the pools?

0 Kudos
epa80
Hot Shot
Hot Shot

Yeah we used an OSOT template we built with professional services. I can run it by him to see if he thinks the OSOT could have caused anything. I'm on the same page though with what I think you're saying. I think it's more like something on 1809, not so much Linked vs. Instant.

epa80
Hot Shot
Hot Shot

Just as a shot in the dark I tried upgrading 1 DSVA on 1 ESXi host to the latest version. There was nothing in the release notes that mentions a fix, but, I figured why not. I had an empty pool. However, it didn't make any difference at all. Ah well still waiting for Trend to reply.

0 Kudos
Lalegre
Virtuoso
Virtuoso

As you are working with Trend i assume that they already checked the compaitibility matrix for agentless protection: Compatibility with Windows 10 - Deep Security

Also do you have same version of VMware Tools in both templates and are they updated? If the IC one is not updated try to update it.

Which version of Horizon are you currently running, please check to have the Horizon Agent fully supported here: VMware Knowledge Base

epa80
Hot Shot
Hot Shot

Yeah just double checked there, in our Instant Clone 1809 pool we're using VMware tools 11.0.1, build 14773994. For Linked clone Windows 10 1709, we have the identical version.

0 Kudos
epa80
Hot Shot
Hot Shot

Just to knock out the possibility it was an issue, I upgraded VMware tools to the latest (11.1.5). I was hopeful this would do something, as I know we had success with this install for fixing an issue we had seen with OneDrive. Unfortunately, the high CPU usage on the Deep Security Appliances just returned.

0 Kudos
epa80
Hot Shot
Hot Shot

Turns out our issue was actually an exception for an app we were unaware of. After digging in the logs with Trend Micro, we were seeing a log file getting scanned constantly. Put in an exception, and, well, you can see the difference.

dsva.png

epa80
Hot Shot
Hot Shot

I marked the post about the exception as the right answer.

As a side note: we still see a bit of a performance hit on Win 10 1809 vs. 1709, so, unrelated to this but man, I'd love for someone to mention if there's something with 1809 in and of itself to make an exception for. Annoying.

Thanks for the feedback.

0 Kudos