
Performance degraded on Windows Server 2016 with active Multipoint service



I ran the 14-day consumer trial on our virtual Multipoint 2016 server and I noticed some performance degradation when multiple users were logged in and multiple instances of Malwarebytes were running. The processor and the memory were doing fine but I think the I/O speed with the virtual disk was severely degraded. For instance, some process needed to launch another process and without Malwarebytes this might take 30 seconds but when Malwarebytes was installed it took 2 minutes instead, therefore 4 times longer.

My questions are:

- Is there any way to alleviate this behavior with the consumer license (premium)?

- Would Malwarebytes endpoint protection/security be in any way different, such as running maybe a single instance or having better I/O performance?

- Can I get a new trial with the business version if I had installed (and removed now) the consumer version?


It would be best to trial the product as you mentioned. To follow up on what dcollins was saying, the business version has better server OS support, however there are caveats for the roles a server may be in even if the OS itself is supported. Since this is running a resource sharing role, it may still have similar issues. For example, the business product can only support Terminal and Citrix resource sharing roles if the exploit protection is the only thing in use; the realtime web, malicious file and ransom protection are not supported for roles like that.


That would not be a problem, I suppose, because the Multipoint "service" is basically relying on Terminal access plus some management tools around it. As far as I can tell it seems the business version appears to be less of an issue but I need to check with real production load after work resumes. I will post my findings here later this month.


So if I run an Active Directory domain controller on a 2016 box without any other roles should I use the Yes Yes Yes X template or x Yes x x template? That server is not a core installation...

Also, I do have 3 Server Core installations, from the table I should NOT install the agent at all? Or install it with all the 4 flags off, and be able to scan?

Edited by rvencu

AD is unaffected, you can use everything except Anti-Ransomware, that part is for client OS, Win 7 and up, only. Server Core is excluded entirely, it is not supported by the agent at all. This is in the Admin Guide on page 6, I'm attaching that for you if you haven't downloaded it from your cloud portal yet.

Malwarebytes Administrator Guide 11.17.17.pdf


Thanks for the instructions. The Anti-Ransomware module will be included for server OS in the future? The way we are working, like RDS and VDI setup would emulate the client OS on the server OS and I guess the threat of ransomware is the same if not bigger due to the fact that the server will represent a single point of failure for all users in case of an attack...

I just read that Sophos has some anti-ransomware module active on Windows 2016, still limited in scope but they included it already.

Edited by rvencu

It is being tested, we will be bringing it to server OS as soon as possible! The main issue with it on server OS right now is, if it fails, it fails silently and not gracefully, it will begin to consume lots of memory under mbamservice. For a tip, we haven't seen the typical attack of the client, which will then compromise drive shares. Most of what we are seeing right now is RDP brute force, so keep those admin passwords rotated!


Great! Thanks.

From the performance point of view, after one work day I estimate the performance degradation with the agent in the advised configuration (anti-ransomware off) is only 30% of what we have seen by using the consumer version. Checking CPU and RAM all was fine, even with the consumer one, I guess the I/O has to suffer. My machine is inside the VM and the disk access is already affected by this setup. Maybe by using SSD things would improve a lot, we shall switch to SSD if we need to.


Ah gotcha, best suggestion there is to have the web, file and ransom real time off (exploit can be on for host) on the physical host, only letting them run on the VM clients. Also check that you have the self-protect feature off for your policy, only use that when you encounter an infection that is manipulating Malwarebytes and not letting it run, it can consume resources otherwise.
