This config used with Sysmon 11.0 can cause bad network file open/save delays on Windows file servers.

[branchnetconsulting]

A bug in Sysmon 11.0, which is supposedly fixed in a soon to be released 11.10 version of Sysmon, causes crippling delays during network file open and save events when installed on Windows servers that are hosting MS Office files via network file shares. This bug does not express itself with the default Sysmon config file but the current SwitchOnSecurity config does expose the bug. I read that by removing the FileCreate and FileCreateStreamHash sections from it, that the problem goes away. I have not personally tested that yet.

See here on Technet for further details.

Kevin

[branchnetconsulting]

I had a client who was suffering from the MS office file-opening delays related to this issue, confirm today that when they switched to using the SwiftOnSecurity Sysmon config minus the FileCreate and FileCreateStreamHash sections (see here), that their problems immediately cleared up. In their case, not only were they experiencing 30 second freezes during network file opens with MS office programs, but also where they were using Active Directory roaming profiles, their systems were locking up during logout when the syncing up of a user's profile changes to the network is supposed to happen. That also ceased with the Sysmon change.

Kevin

[gyterpena]

Same issue here.

[branchnetconsulting]

It appears Sysmon 11.10 is now available here. I have not tested it out yet but some others are reporting it really does resolve this problem.

[gyterpena]

tested with 11.11, works fine, no issues with opening/saving on fileservers.