NOD32 slowing HTTP uploads.

Discussion in 'ESET NOD32 Antivirus' started by jmcvay, Mar 2, 2010.

Thread Status:
Not open for further replies.
  1. jmcvay

    jmcvay Registered Member

    Joined:
    Mar 2, 2010
    Posts:
    11
    We recently switched our ISP over to a 10Mbps Fiber ring from 2 bonded T1s (3Mbps) and I was running some basic speed tests and noticed a discrepancy in our upstream. I troubleshot the router for about a week, our new managed switches for about a week, and finally came to the realization that NOD32 was the culprit. Specifically the HTTP scanner.

    All of the workstations on our Network are Windows XP Pro SP3.

    We do not utilize a web-proxy.

    I have tested this with NOD 3, 4, and 4 Beta all with the same results.

    This does not affect SMTP or FTP outbound connections, only HTTP.

    This has been tested with Internet Explorer and Firefox.

    We have used Speedtest.net, Speakeasy.net, and even utilized cPanel from a web host and uploaded a 100MB file and it shows the throughput during the upload.

    With NOD32 uninstalled or with NOD32 installed and HTTP scanning disabled we are able to cap our bandwidth as would be expected.

    With HTTP Scanning enabled, it reduces our upstream to a mere 30%-45% of total capacity.

    I understand HTTP Scanning will affect the speed of the connection, but why would it only affect the upstream? And why to such an extreme, while the effect on the downstream is barely noticeable?

    One more thing, just to make it extremely confusing: I have a laptop with Windows 7 Ultimate 64-bit and NOD 4 64-bit, and using the SAME configuration file, HTTP scanning does not affect the upstream. I know the Windows 7 Network topology is different, but an interesting fact nonetheless.

    I'd love to hear feedback from people having similar issues, or those of you who may have educated theories. If there is a TCP/IP guru around, I can prepare a Wireshark dump of a before and after speedtest.
     
  2. SmackyTheFrog

    SmackyTheFrog Registered Member

    Joined:
    Nov 5, 2007
    Posts:
    767
    Location:
    Lansing, Michigan
    Windows 7/Vista integrates into the network stack differently than XP, so I am guessing that would account for the differences you see. The Web Filter is going to check anything HTTP coming in or out of your system, though I agree that the amount of bandwidth impact you are seeing doesn't make much sense. Under the advanced HTTP scanning options, have you tried toggling Active Mode for your browser to see if it changes performance in any way?
     
  3. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    EAV 4.2 has improved integration with Windows Filtering Platform on Windows Vista SP2 and newer, and might resolve the issue you're seeing.
     
  4. jmcvay

    jmcvay Registered Member

    Joined:
    Mar 2, 2010
    Posts:
    11
    Just tried enabling in NOD 4.2, still seeing slowed upstream traffic.

    Our organization is using XP Pro SP3.
     