If a machine is experiencing any of the following issues, you'll want to gather information and reach out to Support:
- Freezing or hanging
- Slowness or performance issues
- High CPU, memory, or disk resource usage
Details about the issue help Support diagnose it. Before reaching out to Support, complete these steps.
Check known issues
If you are running the endpoint agent on a server, make sure the recommended real-time protection layers are enabled. For more information, see Configure Nebula for Windows server roles.
Verify that rootkit scanning is disabled, as it may increase the time required to complete a scan or impact system performance. For more information, see Configure Scan settings options in Nebula.
Enabling debug logging
Enable debug logging to allow the endpoint agent to capture additional details. For more information, see Enable debug logging on the Endpoint Agent.
Make note of when the issue occurs. If the issue consistently occurs at a specific time, there may be a conflict with a scheduled scan or another software program. Also make note of any steps to reproduce the issue if they are known.
Layer testing
With debug logging enabled, specific components of the endpoint protection can be disabled to narrow down the cause of the issue. This is called layer testing. Follow the steps below to temporarily disable the protection and perform layer testing.
Create a test policy with all real-time protection disabled
- On the left navigation menu, click Configure > Policies.
- Click New to create a new policy.
- Name the policy Troubleshooting - Protection disabled.
- On the left, select Protection settings.
- Disable all protection under Real-time protection.
- If you have a subscription for Endpoint Detection and Response (EDR), select Endpoint Detection and Response on the left and disable Suspicious activity monitoring.
- Click Save.
Create a test group
Once a test policy is created, you need to create a test group and assign the test policy.
- On the left navigation menu, click Configure > Groups.
- Click New to create a new group.
- Name the group Troubleshooting.
- Select the test policy created above.
- Click Save.
Test with endpoints
Lastly, move the affected endpoints you want to test with to the new group.
- On the left navigation menu, click Manage > Endpoints.
- Select the affected endpoints from which you already gathered logs.
- Click Actions > Move.
- Select the Troubleshooting test group.
- Click Save.
After making changes to a policy or group, the endpoint should receive the new policy within a few minutes. To force an immediate policy change:
- On the left navigation menu, click Manage > Endpoints.
- Select the affected endpoints.
- Click Actions > Check for Protection Updates.
- On the left navigation menu, click Tasks.
- Wait for the new task status to show Success.
Attempt to reproduce the issue with all protection disabled. If the issue does not occur, enable the protection layers one at a time and test after each layer is re-enabled. Test the protection layers in the following order:
- Suspicious activity monitoring (EDR only)
- Behavior protection
- Malware protection
- Web Protection
- Exploit Protection
Once the issue returns and the problematic layer has been identified, run Process Monitor. For more information, see Use Process Monitor to create real-time event logs.
Now reproduce the issue again, collect endpoint agent logs and save the Process Monitor capture. For more information, see Collect Endpoint Agent diagnostic logs.
Lastly, Contact Business Support. They will provide a link to upload the logs.