Programmes start very slowly

Hi,
we have a problem with the current Intercept X client version.
The start of programmes has become very noticeably slower.
Are there any settings in Intercept X so that the programmes start as quickly as usual?



  • Hi,

    thanks for your quick support.

    It mainly concerns programmes that are executed via the network.
    e.g. ERP, Office etc.

  • I assume you're not running Office executables from the share, you're referring to opening documents that are stored on a file server.  The client accesses them via \\server\share\file.docx for example or maybe X:\file.docx if they are using a mapped drive?

    As a test, in the threat protection policy, does it help to un-check "Remote files"?

    At the client, when it gets policy (should be under 1 minute) it will set:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sophos Endpoint Defense\Scanning\Config

    OnAccessExcludeRemoteFiles = 1

    ---

    If it is EXE files run from a remote location this would also help but "Enable Threat Case creation" in the same policy may also be worth disabling as a test.

    At the client, disabling it, will set:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sophos Endpoint Defense\EventJournal\Features\RCA

    Enable = 0

    Also, is

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sophos Endpoint Defense\EventJournal\Features\EDR

    Enable set to 1 (this denotes EDR is enabled)?

  • Hi,
    I have deactivated the switch for remote files and have already noticed a noticeable improvement.
    If the OnAccessExcludeRemoteFiles value is set to 1, what does this mean?
    Does this make the policy apply faster on the client?

  • I would like to add one more thing,
    Excel or Word with add-ins also start very slowly.

  • Checking the registry value at the client for OnAccessExcludeRemoteFiles being set to 1 just means the policy from Central to disable "remote files" has arrived at the client. If you were to re-enable it in policy it would go back to 0.

  • I assume they are local files?

    I wonder if that's more likely to be the exploit mitigation feature? 

    As a test to prove/disprove this, with Tamper Protection first disabled at the endpoint, close Excel and Word.

    Then rename:
    C:\windows\system32\hmaplert.dll to C:\windows\system32\hmaplert.dll.disabled
    If you are using 64-bit Office.

    Or
    C:\windows\syswow64\hmaplert.dll to C:\windows\syswow64\hmaplert.dll.disabled

    If you are using 32-bit Office.

    If you're not sure, renaming both is fine.

    Then launch Excel/Word, do the plugins start faster?  In this state the new processes launched will not get the hmaplert.dll loaded and would rule in/out exploit mitigation.

    Don't forget to rename the files back, this is just a test.
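
A read-only check of the client state discussed in the posts above, as an added example that is not from the posters or from Sophos. It uses only the registry keys, value names and DLL paths quoted in this thread; the "Meaning" strings paraphrase what the posts say each value indicates. It is assumed to run in an elevated 64-bit PowerShell session, so that System32 is not redirected to SysWOW64.

```powershell
# Added example: reports the policy-driven registry values and confirms that
# hmaplert.dll was renamed back after the exploit-mitigation test.
$base = 'HKLM:\SYSTEM\CurrentControlSet\Services\Sophos Endpoint Defense'
$checks = @(
    @{ Key = "$base\Scanning\Config"; Name = 'OnAccessExcludeRemoteFiles'
       Meaning = '1 = "Remote files" un-checked in policy, 0 = remote files scanned' },
    @{ Key = "$base\EventJournal\Features\RCA"; Name = 'Enable'
       Meaning = '0 = "Enable Threat Case creation" disabled' },
    @{ Key = "$base\EventJournal\Features\EDR"; Name = 'Enable'
       Meaning = '1 = EDR enabled (as described in the thread)' }
)

$registry = foreach ($c in $checks) {
    $value = '<not present>'          # key or value missing on this client
    if (Test-Path -LiteralPath $c.Key) {
        $item = Get-ItemProperty -LiteralPath $c.Key -Name $c.Name -ErrorAction SilentlyContinue
        if ($null -ne $item) { $value = $item.($c.Name) }
    }
    [pscustomobject]@{
        Key     = $c.Key.Replace("$base\", '')
        Name    = $c.Name
        Value   = $value
        Meaning = $c.Meaning
    }
}
$registry | Format-Table -AutoSize -Wrap

# The rename was only a test: each DLL should exist under its original name,
# and no ".disabled" copy should be left behind.
$dlls = foreach ($dir in 'System32', 'SysWOW64') {
    $path = Join-Path $env:windir "$dir\hmaplert.dll"
    [pscustomobject]@{
        Path         = $path
        Present      = Test-Path -LiteralPath $path
        LeftDisabled = Test-Path -LiteralPath "$path.disabled"
    }
}
$dlls | Format-Table -AutoSize

if ($dlls | Where-Object { $_.LeftDisabled }) {
    Write-Warning 'hmaplert.dll is still renamed; new processes will start without exploit mitigation.'
}
```
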

  • I have deactivated the tamper protection and renamed the hmaplert.dll.
    The Excel sheet opened very quickly, after the test I undid everything and the start-up behaviour was the same as before the test.

  • OK, so Exploit Prevention is related to the slow loading due to add-ons.

    In the linked threat protection policy and with the DLLs back in place - does it help to disable the "Protect office applications" setting?

    It seems the most likely setting.

    The other option, working at a per process/application basis is to try an exclusion setting, e.g. You can disable certain mitigations just for the process.

    I think it's really a case of narrowing down the setting causing it before maybe turning to Support with the info for more in-depth troubleshooting, but it should be possible to make a small change to at least get it to work, even if protection is minimised for the short term just for the process in question.

  • I will test these settings.
    If I deactivate "Protect office applications",
    do I lose more protection?

  • The main aim at the moment is to find the most specific setting causing the delays.

    It seems like there are 2 issues if I have understood what you are seeing correctly.

    1. Opening remote office documents (once Word/Excel are already open - File - Open) is slow - Disabling the scanning of remote files helped with that.

    2. Office applications are slow to load, the part when it displays it is loading plugins. I.e. Just opening Word or Excel, not opening an actual document.

    Maybe 1 is caused by 2? Can you confirm 2 is a problem just starting Word/Excel without opening a document?

    Based on what you have reported from the tests, if you rename the hmaplert.dll files, Excel/Word open fast, then that's issue (2) and would seem to be more exploit mitigation related. The most likely mitigation would be "Protect office applications". I'd just like to test this is the case having restored the DLLs back again by disabling that one setting.

    At least you can then go to Support and explain the 2 problems (if there are 2) and the 2 settings that appear to help alleviate the issues.

  • It's really when I start only Excel or only Word.

  • Can you clarify if it's slow just opening Excel or Word or opening a file associated with them? E.g.

    1. Just launching Excel or Word from the start menu.

    2. Opening a docx or xlsx file which opens the application.

    I'm not sure if the issue is with the time it takes the application to start or the time it takes remote documents to open which are 2 separate tests.

    If the application is just slow to start even if you don't open a file, I would consider disabling "Protect office applications" to see if that helps as a test.

  • The problem is solved,
    I talked to my colleagues, they told me that Excel and Word start quickly, and that with the removal of the switch (remote files).

    I say thank you very much.

    Could you also help me with Web Control?

    For example, if I want to block the domain eBay, unfortunately I cannot specify the domain.
    I have to enter ebay.de, ebay.com etc., which is very tedious and very inaccurate.
    Do you have any idea how I can make a single entry to block the entire domain?
    Quick note: we do not use Sophos Firewall.