ESET Online Help

Optimize your ESET Inspect

To achieve the best performance from your ESET Inspect On-Prem, we recommend you carry out the following tweaks to optimize ESET Inspect On-Prem before you begin fully using it. These tweaks increase overall performance and simplify the use of ESET Inspect On-Prem for managing detections and responding to threats.

System Requirements

Ensure your ESET Inspect Server meets or exceeds software and hardware requirements.

Having a dedicated machine with sufficient storage space to run the database system can further improve performance. This is optional; you can run ESET Inspect On-Prem on a single server.

MySQL

If you have the option, choose MySQL to run the ESET Inspect Database. It currently outperforms Microsoft SQL Server for this workload.

Number of threads

This applies only when your ESET Inspect Database runs on a different server than ESET Inspect Server. If ESET Inspect Server and the ESET Inspect Database run on the same machine, the thread count is configured automatically and you can skip this step.

Match the number of database writer threads to the cores of the database server; this makes ESET Inspect Server more efficient.

Navigate to More > Settings > Database performance (available in the on-premises version only) and set Number of threads writing to database according to this formula:

1.5x the number of physical cores of the server running the ESET Inspect Database (count physical cores, not logical processors; with hyper-threading enabled the logical count is roughly double)
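As an added example (not from ESET's documentation), the following PowerShell, run on the Windows host of the ESET Inspect Database, reads the physical core count from WMI and applies the 1.5x formula. Win32_Processor.NumberOfCores counts physical cores, while NumberOfLogicalProcessors includes hyper-threading siblings that the formula does not use. Rounding a fractional result up is my assumption; the page gives only the multiplier.

```powershell
# Added example (not from the ESET documentation): compute the value for
# "Number of threads writing to database" from the PHYSICAL core count of the
# database server. Run it on the machine hosting the ESET Inspect Database.
$cpus = Get-CimInstance -ClassName Win32_Processor

# NumberOfCores = physical cores; NumberOfLogicalProcessors = SMT/hyper-threaded
# logical CPUs. The 1.5x formula is based on the physical figure.
$physicalCores     = ($cpus | Measure-Object -Property NumberOfCores -Sum).Sum
$logicalProcessors = ($cpus | Measure-Object -Property NumberOfLogicalProcessors -Sum).Sum

# 1.5 x physical cores. Rounding up is an assumption: 6 cores -> 9, 5 cores -> 8.
$dbWriterThreads = [int][math]::Ceiling(1.5 * $physicalCores)

[pscustomobject]@{
    Sockets           = @($cpus).Count
    PhysicalCores     = $physicalCores
    LogicalProcessors = $logicalProcessors
    DbWriterThreads   = $dbWriterThreads   # value to enter under Database performance
}
```

If the database host runs Linux, `lscpu` reports the equivalent Core(s) per socket and Socket(s) figures; multiply them rather than using the CPU(s) line, which counts logical processors.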

Performance check

Ensure your system is capable and efficient.

Since ESET Inspect On-Prem deals with a lot of data, performance issues can occur. The database can often be a bottleneck. Performance issues are usually caused by insufficient hardware, especially disk space.

Too many events collected by ESET Inspect On-Prem can also reduce performance.

A healthy server has a high number of Events processed per second but a low Event Packet Queue Length. Do a performance check of your server to see how it is doing.

Minimize the number of events

The number of events processed and stored per computer (stored/received within 24 hours) has the biggest impact on performance.

An event is an action performed by a process, such as a file write, a DNS lookup, or a new registry entry. Each of these is an individual event listed in the Raw Events view.

An average workstation produces about 100 000 stored events per 24 hours (depending on the environment). Reduce the number of stored events wherever you can.

ESET Inspect proposes some event filters (automatic exclusions); click Notifications to review them, then accept or reject each one. You can also customize them, or create exclusions manually in Event Filters, to further optimize performance.

Configure Settings > Data collection to choose which types of data are collected from endpoint computers (available in the on-premises version only).

Events load

ESET Inspect collects event data, and part of that volume comes from anomalies or outliers.

Identify outliers, such as safe executables generating excessive events.

To reduce the number of events, create a filter for the executable:

1. Navigate to Dashboard > Events load > Events per executable. Click the tallest column to see which executables are producing too many events.

2. Click the executable name to see its details. If you consider the executable safe, create an event filter.

3. Click Filter events at the bottom right, follow the wizard and specify Criteria and Event types for this executable. Select the event types that cause the most events. If you need further criteria, use the Advanced editor to create an in-depth filter. See the ESET Inspect rules guide for reference.

Filtered events are not stored, so they are not available for later investigation; filter only executables and event types whose behavior you understand. Repeat this process until you have dealt with most of the outlier events. Also follow the same procedure for the other tables within Events load.

This optimization can significantly improve performance.

Change events frequency

If too many events persist, create a new policy in ESET PROTECT On-Prem to adjust the interval at which ESET Inspect Connector sends events (a longer interval means events are sent less often, in larger batches):

Navigate to Policies > New policy > Settings, select ESET Inspect Connector, and in Interval of sending events to the server specify how often events are sent.

False positive detections

Address false positives to relieve the database and prevent it from being flooded with unnecessary data in the future. Create rule exclusions for false positive detections.

Review the event filters (automatic exclusions) that ESET Inspect proposes: click Notifications to see them, then accept or reject each one. You can also customize them, or create exclusions manually in Event Filters, to further optimize performance.

Reconsider the chosen type of ESET Inspect user. If you are not going to continuously analyze a large number of detections daily (as the Security Operations Center user type assumes), choose a different ESET Inspect user type, such as Security-focused IT Team or even IT Administrator. This lets you deal with fewer detections.

Enable Rule learning mode in Settings (if it is not running).

Use Mark as safe for executables considered not risky. Marking as safe can prevent some rules from triggering and producing false positives, so verify the origin of the executable (publisher, hash) before marking it.

Disable rules that do not suit your environment. For example, if you are using VNC for remote connection, disable the VNC connection from internal IP range [D0523a] rule.

Modify default rules to match your network. For example, edit the VNC connection from internal IP range [D0523a] rule to accept connections only on specified IP addresses, ranges or ports, so that the rule is triggered only when a suspicious connection occurs.

Ensure the LiveGrid® connection works. Many rules rely on LiveGrid® information to function correctly. If there is an issue with LiveGrid®, you will see a warning in the Notifications section and in Dashboard > Server Status.

Be careful when using Microsoft Signer Name while creating Exclusions. The same Microsoft executable is sometimes signed with a different certificate on different Microsoft Windows editions, so an exclusion keyed to one signer name may not match everywhere.
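As an added example (not from ESET's documentation), this PowerShell records the Authenticode signer of a few Microsoft binaries together with the Windows edition, so you can run it on each edition you manage and compare the Signer column before keying an exclusion to a signer name. The file paths are assumed examples.

```powershell
# Added example, not part of the ESET documentation: capture the signer of
# Microsoft binaries on this Windows edition. Run on every edition you manage
# and diff the Signer/Thumbprint columns before building a signer-name exclusion.
$candidates = @(                                   # assumed example paths
    "$env:SystemRoot\System32\svchost.exe",
    "$env:SystemRoot\System32\notepad.exe"
)
$edition = (Get-CimInstance -ClassName Win32_OperatingSystem).Caption

foreach ($path in $candidates) {
    if (-not (Test-Path -LiteralPath $path)) { continue }

    # Get-AuthenticodeSignature resolves both embedded and catalog signatures;
    # many inbox binaries are catalog-signed rather than carrying an embedded
    # signature, so always check what this host actually reports.
    $sig = Get-AuthenticodeSignature -FilePath $path

    [pscustomobject]@{
        Edition    = $edition
        File       = $path
        Status     = $sig.Status                        # Valid, NotSigned, HashMismatch, ...
        Signer     = $sig.SignerCertificate.Subject     # the subject a signer-name exclusion matches
        Thumbprint = $sig.SignerCertificate.Thumbprint  # identifies the exact certificate
    }
}
```

If the Signer differs between two editions, either create one exclusion per signer name or key the exclusion on a property that is stable across editions.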

Tips

Keep ESET Inspect Connectors and ESET Inspect Server up to date. Mismatching ESET Inspect Connector and ESET Inspect Server versions can lead to compatibility issues and potential system instability. The latest ESET Inspect Server version usually contains several fixes and improvements.

If you are using a “golden master” image with a pre-installed ESET Inspect Connector to deploy client workstations, make sure to take the appropriate measures. Otherwise, all clones created from the image use the same database thread, causing very poor performance. To avoid issues, apply the same measures used for cloned ESET Management Agent installations.

Monitor disk space. If the disk space on the ESET Inspect Database server falls below 10%, the database purge will stop working, which will consume even more disk space. This applies to the ESET Inspect on-premises version only.
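As an added example (not from ESET's documentation), this PowerShell checks free space on the volume that holds the ESET Inspect Database and warns well before the 10% floor at which the purge stops. It assumes the database runs on a Windows host, that its data files live on the drive letter in $dbVolume, and that 20% is an early-warning threshold you choose; only the 10% floor comes from the page.

```powershell
# Added example, not part of the ESET documentation: early warning for the
# database volume. Schedule it (Task Scheduler) or wire it into monitoring.
$dbVolume    = 'D:'   # assumed: drive holding the ESET Inspect Database files
$warnPercent = 20     # assumed early-warning threshold, above the documented floor
$stopPercent = 10     # documented: below this the database purge stops working

$disk = Get-CimInstance -ClassName Win32_LogicalDisk -Filter "DeviceID='$dbVolume'"
if (-not $disk) { throw "Volume $dbVolume not found on this host" }

$freePercent = [math]::Round(100 * $disk.FreeSpace / $disk.Size, 1)
$state = if     ($freePercent -lt $stopPercent) { 'CRITICAL: below purge floor, purge has stopped' }
         elseif ($freePercent -lt $warnPercent) { 'WARNING: approaching purge floor, lower retention or add disk' }
         else                                   { 'OK' }

[pscustomobject]@{
    Volume      = $dbVolume
    SizeGB      = [math]::Round($disk.Size / 1GB, 1)
    FreeGB      = [math]::Round($disk.FreeSpace / 1GB, 1)
    FreePercent = $freePercent
    State       = $state
}

# Non-zero exit code so a scheduled task or monitoring agent can raise an alert.
if ($state -ne 'OK') { exit 1 }
```

Act on the WARNING state: once the floor is crossed the purge no longer frees space, so the situation only gets worse until retention is lowered or storage is added.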

Consider lowering the Database Retention settings (available in the on-premises version only).

Keep the operating system language in mind when creating Exclusions. “NT AUTHORITY\NETWORK SERVICE” on an English installation of Windows is called “NT AUTHORITY\Servicio de Red” in Spanish. The name can also differ between Microsoft Windows editions. Match on “TriggeringUserSid” rather than “TriggeringUserName”: the SID of such an account is the same regardless of language or edition.
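As an added example (not from ESET's documentation), this PowerShell translates between the locale-dependent account name shown in a detection and the locale-independent SID, so you can copy the SID into a TriggeringUserSid exclusion. It runs on any Windows host; the names it prints depend on that host's display language. The well-known SIDs listed are fixed by Windows; the helper function names are my own.

```powershell
# Added example, not part of the ESET documentation: resolve account names to
# SIDs (and back) for locale-independent exclusions.

function Get-SidForAccount {
    # Account name exactly as displayed on THIS host (the TriggeringUserName
    # value seen in a detection); returns the SID string for the exclusion.
    param([Parameter(Mandatory)][string]$Account)
    $nt = New-Object -TypeName System.Security.Principal.NTAccount -ArgumentList $Account
    $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value
}

function Get-AccountForSid {
    # Reverse lookup: what a SID is called in this host's language.
    param([Parameter(Mandatory)][string]$Sid)
    $id = New-Object -TypeName System.Security.Principal.SecurityIdentifier -ArgumentList $Sid
    $id.Translate([System.Security.Principal.NTAccount]).Value
}

# Well-known service SIDs are identical on every Windows language and edition;
# only their display names change.
$wellKnown = @{
    'S-1-5-18' = 'LocalSystem'
    'S-1-5-19' = 'LocalService'
    'S-1-5-20' = 'NetworkService'
}
foreach ($sid in ($wellKnown.Keys | Sort-Object)) {
    [pscustomobject]@{
        Sid           = $sid
        Role          = $wellKnown[$sid]
        LocalizedName = Get-AccountForSid -Sid $sid   # e.g. NT AUTHORITY\NETWORK SERVICE or NT AUTHORITY\Servicio de Red
    }
}

# Typical use: the name copied from a detection on this host -> SID for the exclusion.
# On an English host this returns S-1-5-20; on a Spanish host pass the Spanish name.
Get-SidForAccount -Account 'NT AUTHORITY\NETWORK SERVICE'
```

Pass the name exactly as the host displays it; translating an English name on a non-English installation may fail, which is the same problem the SID-based exclusion avoids.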

Keep a copy of the ESET Inspect rules guide handy for reference.

To speed up loading a table view (for example, Detections), use the gear icon to modify the table options and remove unnecessary columns and filters.