Troubleshooting vShield Endpoint performance issues with anti-virus software

Article ID: 321424

Updated On:

Products

VMware NSX Networking VMware vSphere ESXi

Issue/Introduction

Symptoms:
When troubleshooting vShield Endpoint performance issues with anti-virus software, you experience these symptoms:
 
  • Excessive time for an anti-virus (AV) scan to complete
  • Excessive time for file access after deploying a new anti-virus solution
  • Applications running on virtual machines perform poorly


Environment

VMware vSphere ESXi 5.1
VMware vSphere ESXi 5.5
VMware vCloud Networking and Security 5.1.x
VMware vSphere ESXi 5.0
VMware vCloud Networking and Security 5.5.x

Resolution

Virtual machine performance is impacted by a number of factors.
 
To resolve these performance issues, you must run through a set of steps to isolate the root cause to a VMware component, a third-party anti-virus solution, or any other third-party solution.
  1. Determine if the reduced performance is expected. Varying performance is expected for network file access based on the application used to access the files, type of files, size of files, and type of operation. With network file access, another user could modify a file. For security reasons, the Endpoint driver on a guest virtual machine cannot cache the scan results and always does a fresh scan.
     
  2. Verify that you are running the latest vShield Endpoint driver included with the latest VMware Tools release. In addition, check for any hot patches that may be later than the GA version of VMware Tools.
     
  3. If you have upgraded to the latest vShield Endpoint driver, isolate the problem by capturing these performance readings:
     
    • #1 - vShield Endpoint driver installed and partner solution enabled via the partner console
    • #2 - vShield Endpoint driver installed and partner solution disabled via the partner console
    • #3 - vShield Endpoint driver uninstalled and partner solution disabled
  4. If the performance of #1 and #2 is comparable:

  5. If the performance of #1 and #2 is not comparable and for all other cases, file a support request with the anti-virus vendor.

Using the Process Monitor (ProcMon) Tool

Performance-related issues typically require analysis of the virtual machine snapshot file and a history of all file operations and the time taken to complete them. Microsoft provides a Process Monitor Tool (ProcMon) to track all file operations performed by the application and the time at which the operation was performed. For more information on the Process Monitor (ProcMon) Tool, see Process Monitor.

To configure ProcMon to track the calls made by the vsepflt filter driver, the altitude of vsepflt must be changed, as follows:
Caution: This procedure requires you to modify the Windows registry. Before you modify the registry, take a backup of it. For more information on backing up and restoring the registry, see the Microsoft Knowledge Base article 136393.

  1. Click Start > Run, type regedit, and click OK. The Registry Editor window opens. For more information, see the Microsoft Knowledge Base article 256986.
  2. Go to the key path HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\vsepflt\Instances\vsepflt Instance.
  3. Change the value of the Altitude key to 385300.
  4. Reboot the machine.
  5. Run and collect the ProcMon logs when the application is loading.
  6. Once the logs are saved, revert the altitude to the original value of 328200.
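
The registry steps above can also be scripted so that the backup is taken and the previous altitude is recorded before anything is changed. This is an added example, not part of the original article or VMware tooling; the function names and the state-file location are hypothetical, and it assumes an elevated PowerShell prompt on the guest.

```powershell
# Added example: scripted form of the altitude change and revert described above.
$KeyPath   = 'HKLM:\SYSTEM\CurrentControlSet\services\vsepflt\Instances\vsepflt Instance'
$ExportKey = 'HKLM\SYSTEM\CurrentControlSet\services\vsepflt'   # same key tree, reg.exe syntax
$Original  = '328200'   # original altitude, per the article
$Tracing   = '385300'   # temporary altitude for the ProcMon capture, per the article
$StateFile = Join-Path $env:ProgramData 'vsepflt-altitude.txt'  # hypothetical location

function Get-VsepfltAltitude {
    # Fails loudly if the driver key is missing (driver not installed).
    [string](Get-ItemProperty -Path $KeyPath -Name Altitude -ErrorAction Stop).Altitude
}

function Set-VsepfltTracingAltitude {
    $current = Get-VsepfltAltitude
    if ($current -eq $Tracing) {
        Write-Warning "Altitude is already $Tracing; nothing changed."
        return
    }
    if ($current -ne $Original) {
        Write-Warning "Current altitude $current is not the documented $Original; it will be recorded and restored."
    }
    # Back up the driver's registry tree before touching it.
    $backup = Join-Path $env:ProgramData ("vsepflt-{0:yyyyMMdd-HHmmss}.reg" -f (Get-Date))
    & reg.exe export $ExportKey $backup /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw 'Registry export failed; altitude not changed.' }

    Set-Content -Path $StateFile -Value $current      # remember what to restore
    Set-ItemProperty -Path $KeyPath -Name Altitude -Value $Tracing
    Write-Host "Altitude set to $Tracing (backup: $backup). Reboot, then collect the ProcMon logs."
}

function Restore-VsepfltAltitude {
    # Prefer the recorded value; fall back to the documented original.
    $restore = $Original
    if (Test-Path $StateFile) { $restore = (Get-Content $StateFile -TotalCount 1).Trim() }

    Set-ItemProperty -Path $KeyPath -Name Altitude -Value $restore
    if ((Get-VsepfltAltitude) -ne $restore) { throw "Altitude was not restored to $restore." }
    Remove-Item $StateFile -ErrorAction SilentlyContinue
    # Assumption: like the change in step 4, the revert needs a restart to take effect.
    Write-Host "Altitude restored to $restore."
}
```

Run `Set-VsepfltTracingAltitude` before step 4 and `Restore-VsepfltAltitude` once the logs are saved, so the filter driver is not left at the tracing altitude.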


Additional Information

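Troubleshooting vShield Endpoint performance issues with anti-virus software (Japanese)
Troubleshooting vShield Endpoint / NSX Guest Introspection (Japanese)
Troubleshooting vShield Endpoint performance issues when used with anti-virus software (Chinese)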