Before you start

To get the best out of ESET Enterprise Inspector, we recommend that you carry out the following tweaks before you begin fully using it. This gives you two advantages: it increases overall performance, and it makes ESET Enterprise Inspector easier to use when managing detections and responding to them to mitigate threats.



System Requirements

Ensure your EEI Server is up to specification and meets (or exceeds) software and hardware requirements.

Having a dedicated machine with ample storage space to run the database system may further improve performance. This is not mandatory; you can run ESET Enterprise Inspector in a single-server environment.


If you have the option, choose MySQL to run the EEI database. It currently outperforms the Microsoft SQL Server when running the EEI database.

Number of threads

This applies only when your EEI database is running on a different server than EEI Server. If your EEI Server and EEI database run on the same machine, this is configured automatically and you can skip this step.

Set the number of cores to increase the performance, making your EEI Server more efficient.

Navigate to Admin > Server Settings > Database performance and specify the Number of threads writing to database according to this formula:

1.5x the number of physical cores of your server running the EEI database

Performance check

We recommend you make sure your system is fit, capable, and performs well.

Since ESET Enterprise Inspector deals with a lot of data, you may experience performance issues. Generally, the database can be a bottleneck. Such performance issues are usually caused by undersized hardware specifications, especially insufficient disk space.

However, the performance can also be hindered if there are too many events being collected by ESET Enterprise Inspector.

A healthy server has a high number of Events processed per second but a low Event Packet Queue Length. Do a performance check of your server to see how it is doing.

Minimize the number of events

The number of events processed and stored per computer (stored/received within 24 hours) has the biggest impact on performance.

An event is an action done by a process, such as a file write, a DNS lookup, or a new registry entry. All these are individual events listed in the Raw Events view.

An average workstation produces about 100 000 stored events per 24 hours (depending on the environment). Your goal is to lower the number of stored events.

Some event filters (automatic exclusions) are proposed by ESET Enterprise Inspector. Click Questions to review the exclusions, then accept or reject them. You can also customize or manually create exclusions in Event Filters to further optimize performance.

Configure Server Settings > Data collection by choosing what type of data should be collected from endpoint computers.

Events load

ESET Enterprise Inspector collects event data, which includes anomalies or outliers.

Identify the outliers, for example, known executables that are considered safe but generate an excessive number of events.

To reduce the number of events, create a filter for the executable:

1. Navigate to Dashboard > Events load > Events per executable. Click the tallest column of events generated to see which executables are producing too many events.

2. Click the executable name to see its details. If you consider this event safe, create an event filter.

3. Click Filter events at the bottom right, follow the wizard and specify Criteria and Event types for this executable. Select the event types that cause the most events. If you need further criteria, use the Advanced editor to create an in-depth filter. See the ESET Enterprise Inspector rules guide for reference.

Repeat this process until you have dealt with most of the outlier events. Also, follow the procedure for the other tables within the Events load.

This optimization can significantly increase performance.

Change events frequency

If there are still too many events, you can decide to decrease the interval at which events are sent by creating a new policy in ESET PROTECT:

Navigate to Policies > New policy > Settings, select ESET Enterprise Inspector Agent, and in Interval of sending events to the server, specify how often events are sent.

False positive detections

Get rid of false positives to unload the database and prevent future flooding with unnecessary data. Create rule exclusions for false positive detections.

Enable the event filters (automatic exclusions) proposed by ESET Enterprise Inspector. Click Questions to review the exclusions, then accept or reject them. You can also customize or manually create exclusions in Event Filters to further optimize performance.

Reconsider the chosen type of EEI user. If you are not going to continuously analyze a large number of detections daily (as in the case of the Security Operations Center user type), choose a different EEI user type, such as Security-focused IT Team or even IT Administrator. This allows you to deal with fewer detections.

Enable Rule learning mode in Server Settings (if it is not running).

Use Mark as safe for executables considered not risky. Marking as safe can prevent some rules from triggering and producing false positives.

Disable rules that do not suit your environment. For example, if you are using VNC for remote connection, disable the VNC connection from internal IP range [D0523a] rule.

Modify default rules to match your network. For example, edit the VNC connection from internal IP range [D0523a] rule to accept connections only on specified IP addresses, ranges or ports, so that the rule is triggered only when a suspicious connection occurs.

Make sure the LiveGrid® connection works. Many rules rely on LiveGrid® information to function correctly. If there is an issue with LiveGrid®, you will see a warning in the Questions section and in Dashboard > Server Status.

Be careful when using Microsoft Signer Name while creating Exclusions. Microsoft executables are sometimes signed differently on different Microsoft Windows editions.


Keep EEI Agents and EEI Server up to date. Mismatching agent and server versions may cause unpredictable behavior. The latest EEI Server version usually contains several fixes and improvements.

If you are using a “golden master” image with a pre-installed EEI Agent to deploy client workstations, make sure to take the appropriate measures. Otherwise, all clones created from the image use the same database thread, causing very poor performance. To avoid issues, use the same methods that apply to ESET Management Agent.

Keep an eye on disk space. If the disk space on the EEI database server falls below 10%, the database purge will stop working, which will consume even more disk space.

Consider lowering the Database Retention settings.

Keep the operating system language in mind when creating Exclusions. “NT AUTHORITY\NETWORK SERVICE” on an English installation of Windows is called “NT AUTHORITY\Servicio de Red” in Spanish. This can also differ between Microsoft Windows editions. In this case, use “TriggeringUserSid” and not “TriggeringUserName”.
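
To find the value to match with “TriggeringUserSid”, you can read the SIDs from Windows itself. The following PowerShell is an added example, not part of the ESET documentation; it uses only standard .NET classes, and the function name Get-AccountSid is a hypothetical helper introduced here. It lists the built-in service accounts with their language-independent SID next to the name shown on the local installation, and resolves any account name to its SID.

```powershell
# Added example (not ESET code): show that the SID of a built-in account is
# the same on every Windows language, while the displayed name is localized.
$wellKnown = @(
    [System.Security.Principal.WellKnownSidType]::LocalSystemSid,
    [System.Security.Principal.WellKnownSidType]::LocalServiceSid,
    [System.Security.Principal.WellKnownSidType]::NetworkServiceSid
)

foreach ($type in $wellKnown) {
    # The domain SID argument is $null because these SIDs are not domain-relative.
    $sid = New-Object System.Security.Principal.SecurityIdentifier($type, $null)
    try {
        # Translate back to an account name; the result follows the OS language.
        $name = $sid.Translate([System.Security.Principal.NTAccount]).Value
    } catch [System.Security.Principal.IdentityNotMappedException] {
        $name = '<not resolvable on this host>'
    }
    [pscustomobject]@{
        Sid           = $sid.Value   # language-independent identifier
        LocalizedName = $name        # differs between OS languages
    }
}

# Hypothetical helper: resolve an account name as it appears on THIS machine
# (for example, one copied from an event) to its SID.
function Get-AccountSid {
    param([Parameter(Mandatory)][string]$AccountName)
    $account = New-Object System.Security.Principal.NTAccount($AccountName)
    try {
        $account.Translate([System.Security.Principal.SecurityIdentifier]).Value
    } catch [System.Security.Principal.IdentityNotMappedException] {
        Write-Warning "Account '$AccountName' could not be resolved on this host."
    }
}

# Usage: pass the name exactly as the local installation displays it.
Get-AccountSid -AccountName 'NT AUTHORITY\NETWORK SERVICE'
```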

Keep a copy of the EEI rules guide handy for reference:

To speed up loading the table view (for example, in Detections), use the gear icon to modify the table options and remove unnecessary columns and filters.