This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Poor performance with Office files on SMB shares caused by Safeguard File Encryption

Hi,

This is a follow-up of this case:

https://community.sophos.com/sophos-xg-firewall/f/discussions/125718/ssl-vpn-poor-performance-with-office-files-on-smb-shares-probably-because-of-mtu-issues

We have the issue that MS Office Files (Office 2016 Standard) open extremely slow when connected via SSL VPN (through Sophos XG Firewall).

100KB .xlsx
134 Sec

8KB blank .xlsx 
29 Sec

12KB blank .docx
25 Sec

31KB blank .pptx
45 Sec

Finally after lots of testing hours wasted, we've ruled the issue out. It is caused by Safeguard File Encryption.

This is happening on many of our corporate Windows 10 machines. Latest testings were with Win10 1809 and 20H2.

Before Safeguard is installed or after it has been uninstalled, the performance of the Office files is very good. The small files open in 3-6 Seconds, and the 100KB test file in 7-9 Seconds (over VPN WAN).

Safeguard is used for working with encrypted files on the file server share. There are some folders with encrypted files and most folders contain unencyrpted files. The performance is bad regardless of opening encrypted or unencrypted files.

Also there is the latest version of Sophos Intercept-X Client installed but the issue is also happening if the client is removed from the client and the server hosting the SMB share. So we do not neet to struggle any further with AV exclusions or whatever.

I'm asking for suggestions about the cause and how to fix this.



This thread was automatically locked due to age.
Parents
  • FormerMember
    0 FormerMember

    If you have File encryption going through a vpn to a remote location - there will be a performance hit.  

    The way FE works is that its a filter. It will check every file access attempt. If the file is encrypted (it has the FE headers) the filter will then either decrypt for a read action or encrypt for a write action. The filter is always there, since it has to check every access even to unencrypted files because it doesn't know, before hand, which files are encrypted or not. 

    Now that you have a VPN (which means other networking in between the client and the target file) you will have a multiplicative effect on the action times. 

    Now, how can it be optimized? 

    I would need more information about the network structure and the VPN solution used to give any sort of advice. 

    However, the performance is never going to be exceptional - since FE is a per file bulk encryption action it does increase the size of the files involved. 

  • Hi,

    the performance impact is only for MS Office files. All other files and programms open in a acceptable and reasonable time.

    Do you have some technical details on the issues you are talking about?

    What I can see is that in a tcp dump while openig a MS office file, it looks like the client computer is requesting the same SMB information again and again.

    Btw: This is regardless of the server - it is completely caused by the client. We've tested this on different file servers, different Server OS and with or without Fileencryption installed.

    And about our VPN setup - that's a normal XG SSL VPN I would say. The Fileserver's network is included in the VPN config but that network is not routed by the XG - this is internally routed by a core switch.

    To see what we are talking about here:

    File

    Time to open with

    Sophos Safeguard FE installed

    Time to open without

    Sophos Safeguard FE installed

    100KB .xlsx

    134 Sec 7-8 Sec
    8KB blank .xlsx 29 Sec 5 Sec
    12KB blank .docx 25 Sec 4-6 Sec
    31KB blank .pptx 45 Sec 6 Sec
  • FormerMember
    0 FormerMember in reply to LHerzog

    The docx and xlsx formats are actually bundles of files all contained inside the docx. It looks like it is requesting the individual sub-elements for the encryption. 

    Let me look into this and I will get back to you.

  • FormerMember
    0 FormerMember in reply to FormerMember

    I have been talking with development about this and they confirmed that the FE filter doesn't treat docx formats differently than any other file type. 

    also, they suggested that you implement Mitigation #3 in this article: https://support.sophos.com/support/s/article/KB-000038386?language=en_US

    This should help.

    They also suggested Mitigation #1 just in general.

    I hope that helps.

  • Thanks! Wasn't aware of that KB. Nice to see that it got recent updates. Will check it out and keep this thread updated.

Reply Children
  • I think, the reason for our issue is:

    DPSGN-14995 High performance impact when accessing files not covered by an encryption rule (requires BypassFilesWithoutPolicyVolumes registry key)

    first tests show moderate performance boost by applying #3 only:

    Mitigation#3: If Microsoft Office files like docx, evtx, pptx, are opening slowly when located on a network share,  add Explorer.exe to the SpecialNetworkShareWriteApps registry key.

    a high performance boost has been seen by applying #1 only:

    Mitigation#1: Bypass Network locations that don´t have an encryption rule (requires SafeGuard version 8.20 or at least File Encryption Engine build 24). BypassFilesWithoutPolicyVolumes.reg.txt

    will post some results here later.

  • Here some results

    file

    BypassFilesWithout

    PolicyVolumes

    ExplorerSpecialNetwork

    SharedWriteHandling

    time
    100KB .xlsx enabled 11 Sec
    100KB .xlsx enabled 15,5 Sec
    100KB .xlsx enabled enabled 9,5 Sec
    8KB blank .xlsx enabled 4 Sec
    8KB blank .xlsx enabled 12 Sec
    8KB blank .xlsx enabled enabled 4 Sec
    12KB blank .docx enabled 4,5 Sec
    12KB blank .docx enabled 12 Sec
    12KB blank .docx enabled enabled 4 Sec
    31KB blank .pptx enabled 4,5 Sec
    31KB blank .pptx enabled 13 Sec
    31KB blank .pptx enabled enabled 5,5 Sec

  • so now with those settings enabled from my reading the disadvantage is, that there may be issues with file handling - I guess open file detection is not working properly this way so there is a risk of onening the same file by multiple people simultaneously. Correct me if I'm wrong.

  • FormerMember
    0 FormerMember in reply to LHerzog

    Basically there isn't a lock & wait for the encryption filter. So, yes, there can be handling issues for writes. As far as I am aware, reads should be okay...