Programmes start very slowly

Hi,
we have a problem with the current Intercept X client version.
The start of programmes has become very noticeably slower.
Are there any settings in Intercept X so that the programmes start as quickly as usual?



Supplement
[edited by: NSM Administrator at 9:37 AM (GMT -7) on 30 Jul 2021]
  • It really depends on which feature is causing it.

    Are these programs local or run from a network drive?

    I would suggest that on a test computer you configure a test Threat Protection policy and disable all the options. Wait for the client to pick up the policy; it should take about 1 minute maximum. Then re-test. Hopefully this restores the speed. You can then work through adding the options back on.

    Hope it helps.

  • Hi,

    thanks for your quick support.

    It mainly concerns programmes that are executed via the network,
    e.g. ERP, Office, etc.

  • I assume you're not running Office executables from the share; you're referring to opening documents that are stored on a file server. The client accesses them via \\server\share\file.docx for example, or maybe X:\file.docx if they are using a mapped drive?

    As a test, in the threat protection policy, does it help to un-check "Remote files"?

    At the client, when it gets the policy (should be under 1 minute), it will set:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sophos Endpoint Defense\Scanning\Config

    OnAccessExcludeRemoteFiles = 1

    ---

    If it is EXE files run from a remote location, this would also help, but "Enable Threat Case creation" in the same policy may also be worth disabling as a test.

    At the client, disabling it will set:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sophos Endpoint Defense\EventJournal\Features\RCA

    Enable = 0

    Also, is

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sophos Endpoint Defense\EventJournal\Features\EDR

    Enable set to 1? This denotes EDR is enabled.
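    The three registry values named in this reply can be read back in one go to confirm that a Central policy change has actually reached the endpoint. The script below is an added example, not something posted in this thread or shipped by Sophos; the key paths and value names are the ones quoted above, while the "expected" numbers are an assumption reflecting the test described here (Remote files un-checked, Threat Case creation disabled, EDR left on) and should be adjusted to whatever policy you actually applied. It only tells you whether the policy arrived, not whether performance improved.

```powershell
# Added example (not from the thread): report the Sophos Endpoint Defense registry
# values mentioned above so you can see whether a Central policy change has reached
# this client. Run in an elevated PowerShell on the endpoint.
# Key paths and value names: as quoted in the thread.
# Expected values: ASSUMPTION matching the test steps described (adjust as needed).

$base = 'HKLM:\SYSTEM\CurrentControlSet\Services\Sophos Endpoint Defense'

$checks = @(
    @{ Name     = 'Remote files excluded from on-access scanning'
       Path     = "$base\Scanning\Config"
       Value    = 'OnAccessExcludeRemoteFiles'
       Expected = 1 }   # 1 = "Remote files" un-checked in policy has arrived
    @{ Name     = 'Threat Case creation (RCA)'
       Path     = "$base\EventJournal\Features\RCA"
       Value    = 'Enable'
       Expected = 0 }   # 0 = "Enable Threat Case creation" disabled has arrived
    @{ Name     = 'EDR'
       Path     = "$base\EventJournal\Features\EDR"
       Value    = 'Enable'
       Expected = 1 }   # 1 = EDR enabled (left on for this test)
)

function Get-PolicyState {
    param([hashtable[]]$Checks)

    foreach ($c in $Checks) {
        $current = $null
        # Missing keys are normal on a client that never had the feature; report them
        # rather than throwing, so the table is still useful.
        if (Test-Path -LiteralPath $c.Path) {
            $current = (Get-ItemProperty -LiteralPath $c.Path -Name $c.Value `
                            -ErrorAction SilentlyContinue).($c.Value)
        }

        [pscustomobject]@{
            Setting  = $c.Name
            Value    = $c.Value
            Current  = if ($null -eq $current) { '<not found>' } else { $current }
            Expected = $c.Expected
            Status   = if ($null -eq $current)              { 'key/value not found' }
                       elseif ([int]$current -eq $c.Expected) { 'policy applied' }
                       else                                  { 'not applied yet / differs' }
        }
    }
}

Get-PolicyState -Checks $checks | Format-Table -AutoSize
```

    Run it once before changing the policy and again after the client has had a minute or so to pick it up; a row that stays at "not applied yet" after that suggests the policy has not arrived (for example, the machine is in a different policy group) rather than that the setting has no effect.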

  • Hi,
    I have deactivated the switch for remote files and have already noticed a noticeable improvement.
    If the OnAccessExcludeRemoteFiles value is set to 1, what does this mean?
    Does this make the policy apply faster on the client?

  • I would like to add one more thing,
    Excel or Word with add-ins also start very slowly.

  • Checking the registry value at the client for OnAccessExcludeRemoteFiles being set to 1 just means the policy from Central to disable "Remote files" has arrived at the client. If you were to re-enable it in policy, it would go back to 0.

  • I assume they are local files?

    I wonder if that's more likely to be the exploit mitigation feature?

    As a test to prove/disprove this, with Tamper Protection first disabled at the endpoint, close Excel and Word.

    Then rename:
    C:\windows\system32\hmaplert.dll to C:\windows\system32\hmaplert.dll.disabled
    if you are using 64-bit Office.

    Or
    C:\windows\syswow64\hmaplert.dll to C:\windows\syswow64\hmaplert.dll.disabled
    if you are using 32-bit Office.

    If you're not sure, renaming both is fine.

    Then launch Excel/Word: do the plugins start faster? In this state the newly launched processes will not get hmaplert.dll loaded, which would rule exploit mitigation in or out.

    Don't forget to rename the files back; this is just a test.

  • I have deactivated the tamper protection and renamed the hmaplert.dll.
    The Excel sheet opened very quickly, after the test I undid everything and the start-up behaviour was the same as before the test.

  • OK, so Exploit Prevention is related to the slow loading due to add-ins.

    In the linked threat protection policy, and with the DLLs back in place, does it help to disable the "Protect office applications" setting?

    It seems the most likely setting.

    The other option, working on a per-process/application basis, is to try an exclusion setting, e.g. you can disable certain mitigations just for the process.

    I think it's really a case of narrowing down the setting causing it before maybe turning to Support with the info for more in-depth troubleshooting, but it should be possible to make a small change to at least get it to work, even if protection is minimised for the short term just for the process in question.

  • I will test these settings.
    If I deactivate "Protect office applications",
    do I lose more protection?