Poor web browser performance after upgrade

Products

Data Loss Prevention Endpoint Prevent

Issue/Introduction

After upgrading the endpoint agent, performance for some or all users with Internet Explorer has become unuseably slow; often not loading websites at all.

Example: FINEST level agent logging - edpa_ext0.log

The last line states we ran out of threads. If we see "NoThreadAvailableException" frequently. This is likely the cause for hindered performance.

Cause

DLP 14.5+ has additional File Path Resolution (FPR) capability. This features can often result in several thousand tasks created for file path resolution and has been known to affect performance.

Resolution

In many cases this can be resolve by setting the following advanced agent setting to '1'.

Location: System > Agent > Agent Configuration > $AgentConfigurationChange$ > Advanced Agent Settings
Setting: NetworkMonitor.APPLY_PREFILTERS_TO_FPR.int
Value: 1

This allows the filters on the agent monitoring tab of the agent configuration to apply to the tasks created for FPR.

In some cases however, this may not be enough to resolve the issue and the file pre-filters may need to be modified to include other common FPR locations.

Common file types that will generate a large quantity of FPR tasks are .tmp and .xml files. To further ignore these you can add a filter to ignore these file types.

Navigate to the agent confguration applied to the agent(s) in question
Choose "Add Monitoring Filter"
Select "HTTP/HTTPS Attachment" as the destination
Check the "Type" checkbox
Add *.tmp and *.xml to the ignored file types.

Note: This will prevent detection on these two file types when uploading them to a destination via HTTP or HTTPS. However, these two file types are not likely to contain sensitive data.

If performance is still poor after adding these filters, and 'nothreadexception' continues to be found in the agent logs. We can identify what file path resolution tasks are still being generated and tune the filters further.

To do this install DebugView

Install DebugView from Microsoft 'Sysinternals' website. Enable the following flags in DebugView:
- Capture Win32
- Capture Global Win32
- Capture Kernel
- Enable Verbose Kernel Output
- Pass-Through
- Capture Events
Reproduce the issue
Stop DebugViewer recording.
Save the DebugView capture.

The Debugview capture will list the paths that are having FPR tasks created for them, this will include the file extension.

Search the capture for "Sending request for FPRS \" to locate the remaining paths that do not meet already existing file pre-filters from the agent configuration. Note file types that are not likely to contain PII files (like .tmp files mentioned above). Then create a new file filter or modify an existing file filter to exclude these file types using 'HTTP/HTTPS Attachment' as a destination.

--------------------

Note, the agent pre-filters, cannot be applied to files that do not have a file extension. This will apply to many FPR requests for the windows encryption files such as
\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_41e855142bd5705d. By themselves, the unfilterable file paths should not be problematic however.