[KB8422] Optimize your ESET Inspect On-Prem product

Ensure your ESET Inspect Server is up to specification and meets (or exceeds) software and hardware requirements.

Having a dedicated machine with ample storage space to run the database system may further improve performance. This is not mandatory, you can run the ESET Inspect in a single server environment.

This applies only when your ESET Inspect Database is running on a different server than the ESET Inspect Server. If your ESET Inspect Server and ESET Inspect Database runs on the same machine, this is configured automatically, you can skip this step.

Set the number of cores to increase the performance, making your ESET Inspect Server more efficient.

Click More → Settings → Database performance (available in the on-premises version only) and specify the Number of threads writing to database according to this formula:

1.5x the number of physical cores of your server running the ESET Inspect Database

We recommend you make sure your system is fit, capable, and performs well.

Since ESET Inspect deals with a lot of data, you may experience performance issues. Generally, the database can be a bottleneck. Such performance issues are usually caused by undersized hardware specifications, especially insufficient disk space.

However, the performance can also be hindered if there are too many events being collected by ESET Inspect.

A healthy server processes a high number of Events per second but has a low Event Packet Queue Length. Perform a performance check of your server to see how it is doing.

The events processed and stored per computer (stored/received within 24 hours) have the biggest impact on performance.

An event is an action done by a process, such as a file write, DNS lookup, new registry entry, etc. All these are individual events listed in the Raw Events view.

An average workstation produces about 100,000 stored events per 24 hours (depending on the environment). Your goal is to lower the number of stored events.

Some event filters (automatic exclusions) are proposed by ESET Inspect, click Questions to review the exclusions, then accept or reject. You can also customize or manually create exclusions to further optimize performance in Event Filters.

Click Settings → Data collection to select what type of data should be collected from endpoint computers. Available in the on-premises version only.

ESET Inspect collects event data, among which there are anomalies or outliers.

Identify the outliers, for example, known executable events considered as safe and generate excessive occurrences.

To reduce the number of events, create a filter for the executable:

1. Click Dashboard → Events load → Events per executable. Click the tallest column of events generated to see what executables are producing too many events.
2. Click the executable name to see its details. If you consider this event safe, create an event filter.
3. Click the Filter events at the bottom right, follow the wizard and specify Criteria and Event types for this executable. Select event types that cause the most events. If you need further criteria, use the Advanced editor to create an in-depth filter. See the ESET Inspect rules guide for reference.

Repeat this process until you have dealt with most of the outlier events. Also, follow the procedure for the other tables within the Events load.

This optimization can have a significant impact on increasing performance.

If there are still too many events, you can decide to decrease the interval when events are sent by creating a new policy in ESET PROTECT On-Prem:

Click Policies → New policy → Settings and select ESET Inspect Connector. In the Interval of sending events to the server, specify the desired time and frequency at which events are sent.

Get rid of false positives to unload the database and prevent future flooding with unnecessary data. Create rule exclusions for False positive detections.

• Enable event filters (automatic exclusions) proposed by ESET Inspect, click Questions to review the exclusions, and then accept or reject. You can also customize or manually create exclusions to further optimize performance in Event Filters.
• Reconsider the chosen type of ESET Inspect user. If you are not going to continuously analyze a large number of detections daily (in the case of the Security Operations Center user type), choose a different ESET Inspect user type, such as a Security-focused IT Team or even an IT Administrator. This enables you to deal with fewer detections.
• Enable Rule learning mode in Settings (if it is not running).
• Use Mark as safe for executables considered not risky. Marking as safe can prevent some rules from triggering and producing false positives.
• Disable rules that do not suit your environment. For example, if you are using VNC for remote connection, disable the VNC connection from internal IP range [D0523a] rule.
• Modify default rules to match your network. For example, edit the VNC connection from internal IP range [D0523a] rule to accept connections only on specified IP addresses, ranges or ports, so that the rule is triggered only when a suspicious connection occurs.
• Verify the LiveGrid® connection works. Many rules rely on LiveGrid® information to function correctly. If there is an issue with LiveGrid®, you will see a warning in the Questions section, also in Dashboard → Server Status.
• Be careful when using Microsoft Signer Name while creating Exclusions. Microsoft executables are sometimes signed differently on different Microsoft Windows editions.

• Keep ESET Inspect Connectors and ESET Inspect Server up to date. Mismatching ESET Inspect Connector and ESET Inspect Server versions may cause unpredictable behavior. The latest ESET Inspect Server version usually contains several fixes and improvements.
• If you are using a “golden master” image with a pre-installed ESET Inspect Connector to deploy client workstations, make sure to take the appropriate measures. Otherwise, all clones created from the image use the same database thread, causing very poor performance. To avoid issues, use the same methods that apply to the ESET Management Agent.
• Keep an eye on disk space. If the disk space on the ESET Inspect Database server falls below 10%, the database purge will stop working, consuming even more disk space. This applies to the ESET Inspect On-Prem version only.
• Consider lowering the Database Retention settings (available in the on-premises version only).
• Keep the operating system language in mind when creating exclusions. “NT AUTHORITY\NETWORK SERVICE” on an English installation of windows is called “NT AUTHORITY\Servicio de Red” in Spanish. This can also differ between Microsoft Windows editions. In this case, use “TriggeringUserSid” and not “TriggeringUserName”.
• Keep a copy of the ESET Inspect Rules guide handy for reference.
• Speed up loading the table view (for example, in Detections), use the gear icon to modify the table options and remove unnecessary columns and filters.