Agent performance spikes

book

Article ID: 160326

calendar_today

Updated On:

Products

Data Loss Prevention Endpoint Prevent

Issue/Introduction

Endpoint Agent may have performance spikes with large file processing.

Resolution

There may be some spikes in memory, CPU, and disk usage as the Symantec DLP Agent operates. The DLP agent does not reduce the priority on Endpoint Prevent, because that could delay movement of files, which would be a more noticeable delay.  Spikes in performance can be caused if there is a significant amount of data to monitor especially with poorly written policies that take longer to evaluate. For example, if you try to send an email with multiple attachments, the performance of the task may be slower, such as a delay in sending email or copying to USB. The Symantec DLP Agent uses additional resources to monitor and perform detection on each of the attached files as well as on the
message itself. As soon as the email attachments are processed, the extra resources are released and the Endpoint performance returns to normal. Spikes in performance are normal so long as the spikes do not fluctuate wildly.

If an Agent has not connected to its Endpoint Server for a long time, it sends all of its accumulated incidents and events to the Endpoint Server when it reconnects.
The Agent also downloads any new policies or Agent configurations. The performance of the Endpoint computer decreases while the Agent performs these synchronization activities with the Endpoint Server.