Troubleshoot Performance Issues with Endpoint Security

Applies To: WatchGuard Advanced EPDR, WatchGuard EPDR, WatchGuard EDR, WatchGuard EPP

A WatchGuard Endpoint Security product or a third-party antivirus application or process might cause performance issues for an endpoint. Issues can be application slowdowns, application runtime errors, high CPU usage, or other performance issues.

If you encounter a performance issue on an endpoint, perform the troubleshooting steps in these sections:

Configure File Types Settings

To troubleshoot a performance issue, you can disable these toggles in the Antivirus settings of a workstation and server settings profile:

  • Scan Compressed Files in Emails
  • Scan All Files Regardless of their Extension When They Are Created or Modified

If you disable these toggles and performance improves, this might indicate that antivirus scans contribute to performance issues.

For more information, go to Configure Antivirus Scanning.

Configure Exclusions

You can exclude specific files and folders from WatchGuard Endpoint Security scans. If you suspect a performance issue with a program that manages many files of a specific file type, configure exclusions for the:

  • Installation path of the program.
  • Path where the program stores the information it manages.
  • File extension type of the files the program manages.

If you suspect a performance issue with a program that manages many files of a specific file type, do not configure exclusions for: 

  • Paths or files that might affect the antivirus software.
  • Common file extensions that other applications might use. For example, .EXE or .DLL files.
  • Important paths used by other applications or the operating system. For example, C:\Windows.

When you install WatchGuard Endpoint Security with third-party antivirus software, configure required exclusions in the management UI of the third-party software. You must also exclude these directories in your third-party software:

  • %programfiles%\Panda Security
  • %programfiles(x86)%\Panda Security
  • %allusersprofile%\Panda Security

For more information about exclusions and how to configure them, go to Create Exclusions in WatchGuard Endpoint Security.
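
Before you apply a proposed exclusion list, you can check it against the guidance above. The script below is an added example, not WatchGuard code: it flags extension exclusions that match the common types named in this topic, and path exclusions that cover or fall inside an important path. The function names, the sample entries, and the treatment of the Panda Security directory as an antivirus path (with %programfiles% assumed to expand to C:\Program Files) are assumptions.

```python
import ntpath

# Examples named in this topic; extend both for your own environment.
COMMON_EXTENSIONS = {".exe", ".dll"}
PROTECTED_PATHS = {
    r"C:\Windows": "operating system path",
    # Assumption: %programfiles% expands to C:\Program Files on the endpoint.
    r"C:\Program Files\Panda Security": "antivirus software path",
}

def _norm(path):
    """Normalise a Windows path: case, slash direction, '..', trailing slash."""
    return ntpath.normcase(ntpath.normpath(path)).rstrip("\\")

def _is_within(child, parent):
    """True if child equals parent or lies underneath it."""
    child, parent = _norm(child), _norm(parent)
    return child == parent or child.startswith(parent + "\\")

def audit_exclusions(extensions, paths):
    """Return (entry, reason) pairs for exclusions that conflict with the guidance."""
    findings = []
    for ext in extensions:
        # Accept "*.dll", ".DLL" and "dll" as the same extension.
        normalised = "." + ext.strip().lstrip("*.").lower()
        if normalised in COMMON_EXTENSIONS:
            findings.append((ext, "common extension used by other applications"))
    for path in paths:
        for protected, why in PROTECTED_PATHS.items():
            if _is_within(protected, path):
                # An exclusion for C:\ also excludes everything under C:\Windows.
                findings.append((path, f"covers {why} {protected}"))
            elif _is_within(path, protected):
                findings.append((path, f"inside {why} {protected}"))
    return findings

if __name__ == "__main__":
    # Constructed sample of a proposed exclusion list.
    sample_extensions = ["*.mdb", ".DLL", "bak"]
    sample_paths = [r"D:\Accounting\Data", "c:/windows/System32/", "C:\\"]
    for entry, reason in audit_exclusions(sample_extensions, sample_paths):
        print(f"REVIEW {entry!r}: {reason}")
```

Entries that the script does not flag still need review against the list above, because only the examples named in this topic are built in.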

Configure Windows Server

If you use Microsoft Windows Server 2016 or Microsoft Windows Server 2019 and experience performance issues and high CPU usage, you can disable Windows Defender to try to fix the issue. Sometimes, Windows Defender can cause a slowdown when more than one security software product runs on the device. On Windows Server 2016 and Windows Server 2019, Windows Defender is not deactivated by default when you install a non-Microsoft antivirus product, such as WatchGuard Endpoint Security.

To disable Windows Defender, you must edit the registry entry of the program. For more information, go to this Microsoft help content:
https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-compatibility?view=o365-worldwide

Determine a Problematic Setting

If you continue to have a performance issue, you must identify the WatchGuard Endpoint Security setting that causes the issue. To help identify the issue:

  1. Configure a security settings configuration profile in Endpoint Security and enable File Antivirus only.
  2. Disable all other toggles in the Antivirus section.
  3. Assign the profile to an affected computer.

For more information, go to Configure Workstations and Servers Security Settings.

If the issue continues, you can contact Support. For more information, go to the Collect Data section of this topic.

When you contact Support, an NNSDiag diagnostic file is not necessary for this issue.

If the issue does not continue, you can enable settings to help identify any issues.

In Aether 16 and higher, the Anti-exploit toggle is named Code injection.

Enable settings in this order:

  1. Enable Web Browsing Antivirus.
    To make sure the configuration is applied, wait one minute and test for the issue.
  2. Enable Advanced Protection, but do not enable Anti-exploit.
    To make sure the configuration is applied, wait one minute and test for the issue.
  3. Enable Advanced Protection > Anti-exploit.
    To make sure the configuration is applied, wait one minute and test for the issue.

Other settings on the page might also cause performance issues. If you still do not experience performance issues, enable settings until you identify which one causes the problem.

If you determine that a different setting causes the issue, report the issue to Support. For more information, go to the Collect Data section of this topic.

Determine High CPU Usage in a Process

The PSANHOST.exe process, which is part of the WatchGuard Endpoint Security antivirus service, might sometimes generate high CPU usage.

To assist you with a Support case, you can create a memory dump file when CPU usage is high. For more information, go to Troubleshoot Process Dump Files.

When you contact Support, provide the dump file along with other Support information to help your case. For more information, go to the Collect Data section of this topic.

Collect Data

When you contact Support, collect this information to help Support troubleshoot your case.