Copying files or folders to USB or Removable Storage device is slower than expected.

Article Id: 159525
Status: Published
Updated On: 16-05-2019 13:17
Legacy Id: TECH218945
Products:
Data Loss Prevention Endpoint Prevent , Data Loss Prevention Enforce
Issue/Introduction:

You are copying files or folders onto a USB or Removable Storage Device and you find that it takes an excessive amount of time.

Cause:

Policies which include compound exceptions, two-tier detection (see TECH220967), or regular expressions can require more time than a simple keyword policy in detection on the Endpoint Agent system. In some cases latency will depend on your system CPU, Memory and USB speed e.g. 1.0 or 3.0. To determine the exact cause of the excessive latency you will need to do some initial investigation.

Resolution:

To investigate this issue break it into two areas (i) Resources and (ii) Policies then check the following: 

Resources

  1. Verify there are no errors on the USB device?
  2. Determine the compatibility of your USB/Removable Storage device and the connected computer system, could this be a 1.0 USB device connecting into a 2.0 USB port?
  3. Check your settings and consult your vendor resources to determine if you can improve the current setup to optimize the current USB port configuration?
  4. Typical USB port speeds are as follows: 
    • Usb1 0.    1.92 mbs
    • Usb1.1     1.5 mbs
    • Usb2.0   60 mbs
    • Usb3.0   598/600 mbs
  5. Determine how far from this average speed is the current process?
  6. Do a baseline test without DLP Endpoint Agent enabled or installed and compare the result to that when DLP Endpoint Agent is enabled or installed, what is the difference?
  7. Check if there is any other software on the computer system that may add to latency such as antivirus, firewall or encryption? 
  8. In the case of antivirus we would strongly recommend that you have exclusions in place for DLP on the computer system, please see TECH220235 - Best Practice: Endpoint Agents with Antivirus Protection and in the case of excluding the antivirus application in DLP see Exclude the SEP Agent From the DLP Endpoint Agent Configuration for more details.

Policies:

  1. Take note of the time it takes to copy the file/folders while all policies are applied to the Endpoint Agent.
  2. Disable all policies in the Enforce console which are applied to the Endpoint Agent and do a test copy to compare the timing to determine the difference. 
  3. Then enable one policy and test to determine what is the increase in latency with this policy while doing the file copy, then disable this policy and repeat for another. 
  4. From this information look at what policies take cause the longest latency and what rules might be causing excessive latency then review them to determine if you can tune to them to be more efficient.

For assistance on policy tuning please refer to the chapter entitled "Best practices for authoring policies" in the Symantec Data Loss Prevention Administration Guide.

For guidance on expected latency while copying data to USB/Removable Storage devices please consult the Symantec Data Loss Prevention Endpoint Performance Guide, specifically the chapter entitled "Latency testing".