This article comes from Tracy Camp (Lead, Principal Engineer).
We have been putting a lot of engineering focus on ensuring that Cb Protection (CbP) scales appropriately in ‘VDI’ environments like Microsoft Server Remote Desktop Services (RDS) or Citrix XenDesktop. These products essentially make use of the underlying multi-user capabilities of the Microsoft Windows Server platforms to provide multiple concurrent desktop sessions against a single running instance of Microsoft Windows Server. This method of implementing a VDI environment means that a single CbP agent manages all of the activity of every logged-in user concurrently. In such environments the number of events and objects that the CbP agent must track can be an order of magnitude larger than on a Microsoft Windows Server hosting some workload with a finite number of interactive users.
We are not done with improving our performance in multi-user VDI environments by any means. This post is intended as a status report on our progress to date.
In our analysis of performance in a multi-user VDI environment, we discovered two general areas of performance bottleneck that predominated.
Impact from number of processes running in a typically busy multi-user VDI environment.
We recently released CbP 7.2.3 patch 3, which changes the way we handle process locks. We have modified the granularity of the locks used in the parity.sys driver to track processes and loaded images within a process, from a global system-wide lock to a per-process lock. What this means is that we do not have to interrupt activities occurring on other processors every time we need to read or update information about a specific process. This lets the agent take advantage of more of the hardware's parallelism and is a generally beneficial improvement for many workloads aside from multi-user VDI.
We have a dedicated in-house team that runs an extensive set of performance benchmarks. This includes typical desktop workloads, as well as server and software engineering workloads. In order to test the effectiveness of this change in a VDI environment, our performance test team invested in a 3rd party tool intended for tuning VDI environments.
Because the details of our specific test VDI environment will differ from just about any production environment, and a fair amount of complexity is involved in setting up, conducting, and interpreting the results, we are avoiding using ‘specific numbers’ here. However, we can say that we are seeing a 30% performance improvement in this area between 7.2.3 patch 2 and 7.2.3 patch 3.
User login and logoff impact
Our analysis showed that another of our performance bottlenecks was due to activity associated with updating the user-specific portions of the current policy. Specifically, per-user rules or macros that referenced a user profile or registry hive could result in a large amount of work to recalculate the effective policy on each user login and logoff event. In a busy multi-user VDI environment, user login and logoff events are frequently as common as launching and closing business applications.
In the forthcoming 8.0 release we have made two changes to the CbP agent. The first is to recalculate the effective policy set only on user login; if a user logs off, we will leave the per-user policies in place until the next policy recalculation occurs. The second is to change how we handle user-profile directories and user hives: instead of a set of specific file or registry paths that are recalculated for each individual user, they become symbolic patterns. This can reduce the size of the effective policy set in a busy multi-user VDI environment considerably and can frequently reduce the number of times that the effective policy set needs to be recalculated due to a user logging in.
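A simplified model of the second change, as an added example that is not Carbon Black's code: it contrasts per-user path expansion with a single symbolic pattern over a constructed run of logins and logoffs. The `<UserProfile>` macro name, the rule paths, the `C:\Users` profile root, and the assumption that no session event forces a rebuild in the symbolic model are all illustrative.

```python
import re

MACRO = "<UserProfile>"  # hypothetical macro name, not CbP's rule syntax
RULES = [                # constructed sample rules
    MACRO + r"\AppData\Local\Temp\*.exe",
    MACRO + r"\Downloads\*",
    r"C:\Windows\Temp\*",
]
# Constructed session activity: 40 logins followed by 10 logoffs.
EVENTS = ([("login", f"user{i:02d}") for i in range(40)]
          + [("logoff", f"user{i:02d}") for i in range(10)])

def compile_rule(rule, profile_regex=None):
    """Compile a rule with '*' wildcards into a case-insensitive regex."""
    out = []
    for piece in re.split(r"(\*|<UserProfile>)", rule):
        out.append(".*" if piece == "*" else
                   profile_regex if piece == MACRO else re.escape(piece))
    return re.compile("".join(out) + r"\Z", re.IGNORECASE)

class ExpandedPolicy:
    """Concrete paths per logged-in user, rebuilt on every login and logoff."""
    def __init__(self):
        self.users, self.recalcs, self.effective = set(), 0, []
    def event(self, kind, user):
        (self.users.add if kind == "login" else self.users.discard)(user)
        paths = {r for r in RULES if MACRO not in r}
        paths |= {r.replace(MACRO, "C:\\Users\\" + u)
                  for r in RULES if MACRO in r for u in self.users}
        self.effective = [compile_rule(p) for p in sorted(paths)]
        self.recalcs += 1

class SymbolicPolicy:
    """The macro stays a pattern, so session events leave the set unchanged."""
    def __init__(self):
        self.recalcs = 0
        self.effective = [compile_rule(r, r"C:\\Users\\[^\\]+") for r in RULES]
    def event(self, kind, user):
        pass  # model assumption: no per-user rule needs rebuilding

def replay(policy, events=EVENTS):
    for kind, user in events:
        policy.event(kind, user)
    return policy

def matches(policy, path):
    return any(rx.match(path) for rx in policy.effective)

if __name__ == "__main__":
    for p in (replay(ExpandedPolicy()), replay(SymbolicPolicy())):
        print(type(p).__name__, len(p.effective), "rules,", p.recalcs, "recalcs")
```

In this model the symbolic set also matches profile paths of users who are not logged in, while the expanded set stops matching a user's paths once it is rebuilt after that user's logoff.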
As we get closer to 8.0 General Availability we will post the results of performance tests.
What does this all mean?
It means that we at Carbon Black are committed to your success and are working very hard to deliver constant improvement in our endpoint agent not only as a powerful security platform, but a performant one as well. We are pleased to offer you the 7.2.3 patch 3 and upcoming 8.0.0 release. We are not done.