When using the Intrusion Prevention (IPS) feature of the Symantec Endpoint Protection client, there will be a reduction in network throughput as the IPS module is not hardware accelerated and relies on the CPU to inspect all network traffic as runs it through the many IPS definitions. This is unavoidable given how the IPS technology works within the larger multi-layered protection umbrella provided by SEP.
Machines with under 1GB of bandwidth will see from 30-50% traffic rate reduction.
Machines with more than 2.5GB bandwidth will see from 80-90% traffic rate reduction.
The IPS engine must 'decompose' and take apart each and every packet at the 'header' and 'data' level and then compare components of each to he large data of IPS definitions. This has a high amount of performance cost and cannot be avoided in a unaccelerated software filter.
Starting with Symantec Endpoint Protection v14.2 RU1, a new feature was added within the Intrusion Prevention Policy named Server Performance Tuning that contains two different options, Out-of-band Scanning and Use Signature Subset for Servers. The intention of these features is to allow additional tuning for the IPS module and definitions in high-throughput scenarios, which are typically Servers providing network-based services. However, these features can be used on endpoints of all types as desired, as long as they are supported by the SEP client itself.
Out-of-band Scanning tells the SEP client to use a multi-threaded processing approach for all network traffic examination via the IPS module, which has an overall effect of reducing the performance impact of using the IPS module. The use of this feature does not reduce the efficacy of the IPS module in any way.
Use Signature Subset for Servers is a smaller, consolidated and optimized set of IPS signatures intended for use in high-throughput scenarios, regardless of the endpoint type.
Note: In the Intrusion Prevention policy on the SEP Manager, the user interface calls out the use of the Out-of-band scanning feature as possibly conflicting with Windows Filtering Platform drivers, on Server operating systems. Therefore it is highly advisable to thoroughly test this option with a Server operating system, in a testing environment, prior to enabling it on production Server operating systems.