Programmes start very slowly

It really depends which feature is causing it.

Are these programs local or run from a network drive?

I would suggest on a test computer, configure a test Threat Protection policy and disable all the options.  Wait for the client to pickup the policy, should be about 1 minute maximum.  Then re-test.  Hopefully this returns the speed.  You can then work through adding the options back on,

Hope it helps.

Hi,

thanks for your quick support.

It mainly concerns programmes that are executed via the network.
z. e.g. ERP, Office etc.

I assume you're not running Office executables from the share, you're referring to opening documents that are stored on a file server.  The client accesses them via \\server\share\file.docx for example or maybe X:\file.docx if they are using a mapped drive?

As a test, in the threat protection policy, does it help to un-check "Remote files" as a test:

At the client, when it gets policy (should be under 1 minute) it will set:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sophos Endpoint Defense\Scanning\Config

OnAccessExcludeRemoteFiles = 1

---

If it is EXE files run from a remote location this would also help but "Enable Threat Case creation" in the same policy may also be worth disabling as a test.

At the client, disabling it, will set:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sophos Endpoint Defense\EventJournal\Features\RCA

Enable = 0

Also is 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sophos Endpoint Defense\EventJournal\Features\EDR
Enable set to 1, this denotes EDR is enabled?

Hi,
I have deactivated the switch for remote files and have already noticed a noticeable improvement.
If the OnAccessExcludeRemoteFiles value is set to 1, what does this mean?
Does this make the policy apply faster on the client?

I would like to add one more thing,
Excel or Word with add-ins also start very slowly.

Checking the registry value at the client for OnAccessExcludeRemoteFiles  being set to 1 just means the policy from Central to disable "remote files" has arrived at the client.  if you were to re-enable it in policy it would go back to 0.

I assume they are local files?

I wonder if that's more likely to be the exploit mitigation feature? 

As a test to prove/disprove this, with Tamper Protection first disabled at the endpoint: If you close Excel and Word.

Then rename:
C:\windows\system32\hmaplert.dll to C:\windows\system32\hmaplert.dll.disabled
If you are using 64-bit Office.

Or
C:\windows\syswow64\hmaplert.dll to C:\windows\syswow64\hmaplert.dll.disabled

If you are using 32-bit Office.

If you're not sure renaming both is fine.

Then launch Excel/Word, do the plugins start faster?  In this state the new processes launched will not get the hmaplert.dll loaded and would rule in/out exploit mitigation.

Don't forget to rename the files back, this is just a test.

I have deactivated the tamper protection and renamed the hmaplert.dll.
The Excel sheet opened very quickly, after the test I undid everything and the start-up behaviour was the same as before the test.

OK, so Exploit Prevention is related to the slow loading due to addons. 

In the linked threat protection policy and with the DLLs back in place - does it help to disable the "Protect office applications" setting:

It seems the most likely setting.

The other option, working at a per process/application basis is to try an exclusion setting, e.g. You can disable certain mitigations just for the process.

I think it's really a case of narrowing down the setting causing it before maybe turning to Support with the info for more indepth troubleshooting but it should be possible to make a small change to at least get it to work even if protection is minimised for the short term just for the process in question.

I will test these settings.
If I deactivate these Protect office applications,
I lose more protection?