Optimize your ESET Inspect

To get the best out of ESET Inspect, we recommend you carry out the following tweaks to optimize it before you begin using it fully. This gives you two advantages: it increases overall performance, and it makes ESET Inspect easier to use when managing detections and responding to them to mitigate threats.

Tweak

Description

System Requirements

Ensure your ESET Inspect Server is up to specification and meets (or exceeds) software and hardware requirements.

Having a dedicated machine with ample storage space to run the database system may further improve performance. This is not mandatory; you can run ESET Inspect in a single-server environment.

MySQL

If you have the option, choose MySQL to run the ESET Inspect Database. It currently outperforms Microsoft SQL Server when running the ESET Inspect Database.

Number of threads

This applies only when your ESET Inspect Database is running on a different server than the ESET Inspect Server. If your ESET Inspect Server and ESET Inspect Database run on the same machine, this is configured automatically and you can skip this step.

Set the number of cores to increase the performance, making your ESET Inspect Server more efficient.

Navigate to More > Settings > Database performance (available in the on-premises version only) and specify the Number of threads writing to database according to this formula:

1.5 × the number of physical cores of the server running the ESET Inspect Database
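The formula above is defined in terms of physical cores, and the most common mistake when applying it is to feed in the logical CPU count instead (on a host with SMT/hyper-threading enabled, that is twice the physical count and doubles the result). The following added example, which is not part of the ESET documentation, parses `lscpu` output from a Linux database host to obtain the physical core count and applies the 1.5× rule; the sample `lscpu` text is constructed, and `physical_cores_on_this_host` is a hypothetical helper for running it on a live Linux machine.

```python
import math
import platform
import subprocess

# Constructed sample of `lscpu` output: a 2-socket host with 8 cores per
# socket and SMT enabled, i.e. 32 logical CPUs but only 16 physical cores.
SAMPLE_LSCPU = """\
Architecture:        x86_64
CPU(s):              32
Thread(s) per core:  2
Core(s) per socket:  8
Socket(s):           2
"""


def physical_cores_from_lscpu(text):
    """Return sockets * cores-per-socket parsed from `lscpu` output.

    The `CPU(s)` line is deliberately ignored: it counts logical CPUs.
    """
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return int(fields["Socket(s)"]) * int(fields["Core(s) per socket"])


def logical_cpus_from_lscpu(text):
    """Return the logical CPU count, kept only to show how far off it is."""
    for line in text.splitlines():
        if line.startswith("CPU(s):"):
            return int(line.partition(":")[2].strip())
    raise ValueError("no CPU(s) line in lscpu output")


def recommended_db_threads(physical_cores):
    """ESET's rule from the page: 1.5 x physical cores, rounded up."""
    if physical_cores < 1:
        raise ValueError("physical core count must be at least 1")
    return math.ceil(1.5 * physical_cores)


def physical_cores_on_this_host():
    """Hypothetical helper: run `lscpu` on a live Linux database host."""
    if platform.system() != "Linux":
        raise NotImplementedError("use the OS's own tooling for physical cores")
    out = subprocess.run(["lscpu"], capture_output=True, text=True, check=True)
    return physical_cores_from_lscpu(out.stdout)


if __name__ == "__main__":
    cores = physical_cores_from_lscpu(SAMPLE_LSCPU)
    print("physical cores:", cores)
    print("recommended 'Number of threads writing to database':",
          recommended_db_threads(cores))
    print("value you would get from the logical count (wrong):",
          recommended_db_threads(logical_cpus_from_lscpu(SAMPLE_LSCPU)))
```

Note that `lscpu` prints localized field names on some non-English locales; run it with `LC_ALL=C` if the parser cannot find the `Socket(s)` and `Core(s) per socket` keys.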

Performance check

We recommend you make sure your system is fit, capable, and performs well.

Since ESET Inspect deals with a lot of data, you may experience performance issues. Generally, the database can be a bottleneck. Such performance issues are usually caused by undersized hardware specifications, especially insufficient disk space.

However, the performance can also be hindered if there are too many events being collected by ESET Inspect.

A healthy server has a high number of Events processed per second but a low Event Packet Queue Length. Do a performance check of your server to see how it is doing.

Minimize the number of events

Events processed and stored per computer (stored/received within 24 hours) have the biggest impact on performance.

An event is an action performed by a process, such as a file write, a DNS lookup, or a new registry entry. All of these are individual events listed in the Raw Events view.

An average workstation produces about 100 000 stored events per 24 hours (depending on the environment). Your goal is to lower the number of stored events.

ESET Inspect proposes some event filters (automatic exclusions): click Questions to review the proposed exclusions, then accept or reject them. You can also customize them, or manually create exclusions, in Event Filters to further optimize performance.

Configure Settings > Data collection by choosing what type of data should be collected from endpoint computers. Available in the on-premises version only.

Events load

ESET Inspect collects event data, among which there are anomalies or outliers.

Identify the outliers, for example, events from known executables that are considered safe but generate an excessive number of occurrences.

To reduce the number of events, create a filter for an executable:

1. Navigate to Dashboard > Events load > Events per executable. Click the tallest column of events generated to see which executables are producing too many events.

2. Click the executable name to see its details. If you consider this event safe, create an event filter.

3. Click Filter events at the bottom right, follow the wizard, and specify Criteria and Event types for this executable. Select the event types that cause the most events. If you need further criteria, use the Advanced editor to create an in-depth filter. See the ESET Inspect rules guide for reference.

Repeat this process until you have dealt with most of the outlier events. Also, follow the procedure for the other tables within the Events load.

This optimization can have a significant impact on performance.

Change events frequency

If there are still too many events, you can decide to decrease the interval at which events are sent by creating a new policy in ESET PROTECT:

Navigate to Policies > New policy > Settings, select ESET Inspect Connector, and in Interval of sending events to the server specify how often events are sent.

False positive detections

Get rid of false positives to unload the database and prevent future flooding with unnecessary data. Create rule exclusions for False positive detections.

Enable the event filters (automatic exclusions) proposed by ESET Inspect: click Questions to review the exclusions, then accept or reject them. You can also customize or manually create exclusions in Event Filters to further optimize performance.

Reconsider the chosen ESET Inspect user type. If you are not going to continuously analyze a large number of detections daily (as the Security Operations Center user type does), choose a different ESET Inspect user type, such as Security-focused IT Team or even IT Administrator. This lets you deal with fewer detections.

Enable Rule learning mode in Settings (if it is not running).

Use Mark as safe for executables considered not risky. Marking as safe can prevent some rules from triggering and producing false positives.

Disable rules that do not suit your environment. For example, if you are using VNC for remote connection, disable the VNC connection from internal IP range [D0523a] rule.

Modify default rules to match your network. For example, edit the VNC connection from internal IP range [D0523a] rule to accept connections only on specified IP addresses, ranges or ports, so that the rule is triggered only when a suspicious connection occurs.

Make sure the LiveGrid® connection works. Many rules rely on LiveGrid® information to function correctly. If there is an issue with LiveGrid®, you will see a warning in the Questions section and in Dashboard > Server Status.

Be careful when using Microsoft Signer Name while creating Exclusions. Microsoft executables are sometimes signed differently on different Microsoft Windows editions.

Tips

Keep ESET Inspect Connectors and ESET Inspect Server up to date. Mismatching ESET Inspect Connector and ESET Inspect Server versions may cause unpredictable behavior. The latest ESET Inspect Server version usually contains several fixes and improvements.

If you are using a “golden master” image with a pre-installed ESET Inspect Connector to deploy client workstations, make sure to take the appropriate measures. Otherwise, all clones created from the image use the same database thread, causing very poor performance. To avoid issues, use the same methods that apply to ESET Management Agent.

Keep an eye on disk space. If the disk space on the ESET Inspect Database server falls below 10%, the database purge will stop working, which will consume even more disk space. This applies to the ESET Inspect on-premises version only.
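Because the purge stops at the 10% free-space mark and the problem then compounds, it is worth alerting well before that point rather than at it. The following added example, which is not ESET's code, is a small monitoring check for the ESET Inspect Database volume: it computes free space as a percentage, classifies it against the 10% threshold from this tip plus a warning margin of 5 percentage points (the margin is this example's own assumption, not an ESET value), and exits with a non-zero status so a scheduler or monitoring agent can pick it up. The byte counts in the tests are constructed.

```python
import shutil
import sys

# From the page: below this much free space, the database purge stops working.
PURGE_STOP_THRESHOLD_PCT = 10.0
# Assumed warning margin above the threshold; tune to how fast your volume fills.
WARN_MARGIN_PCT = 5.0


def free_percent(total_bytes, free_bytes):
    """Free space as a percentage of the volume size."""
    if total_bytes <= 0:
        raise ValueError("total_bytes must be positive")
    if not 0 <= free_bytes <= total_bytes:
        raise ValueError("free_bytes must be between 0 and total_bytes")
    return 100.0 * free_bytes / total_bytes


def classify(free_pct, threshold=PURGE_STOP_THRESHOLD_PCT, margin=WARN_MARGIN_PCT):
    """'critical' once the purge would already have stopped, 'warning' when
    within the margin above the threshold, otherwise 'ok'."""
    if free_pct < threshold:
        return "critical"
    if free_pct < threshold + margin:
        return "warning"
    return "ok"


def exit_code_for(status):
    """Map a status to a Nagios-style exit code: 0 ok, 1 warning, 2 critical."""
    return {"ok": 0, "warning": 1, "critical": 2}[status]


def check_volume(path):
    """Inspect the volume holding `path` (e.g. the MySQL data directory)."""
    usage = shutil.disk_usage(path)
    pct = free_percent(usage.total, usage.free)
    return pct, classify(pct)


if __name__ == "__main__":
    # Point this at the database data directory; "/" is only a placeholder default.
    path = sys.argv[1] if len(sys.argv) > 1 else "/"
    pct, status = check_volume(path)
    print(f"{path}: {pct:.1f}% free -> {status}")
    sys.exit(exit_code_for(status))
```

Run it as a scheduled task on the database server with the data directory as the argument (for example `python check_db_disk.py "D:\MySQL\data"` on Windows or `python3 check_db_disk.py /var/lib/mysql` on Linux); a warning state is the cue to lower Database Retention or add storage before the purge stalls.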

Consider lowering the Database Retention settings (available in the on-premises version only).

Keep the operating system language in mind when creating Exclusions. "NT AUTHORITY\NETWORK SERVICE" on an English installation of Windows is called "NT AUTHORITY\Servicio de Red" in Spanish. This can also differ between Microsoft Windows editions. In such cases, use "TriggeringUserSid" rather than "TriggeringUserName".

Keep a copy of the ESET Inspect rules guide handy for reference: https://help.eset.com/tools/eei/eei_rules_guide_1.7.pdf

To speed up loading the table view (for example, in Detections), use the gear icon to modify the table options and remove unnecessary columns and filters.