Troubleshooting slow boot times in Symantec Endpoint Protection and Symantec AntiVirus

Article:TECH106311  |  Created: 2008-01-20  |  Updated: 2011-09-27  |  Article URL http://www.symantec.com/docs/TECH106311
Article Type
Technical Solution


Issue

Machines are slow to boot after installing Symantec Endpoint Protection (SEP) or Symantec AntiVirus (SAV).

Symptoms
Increased time waiting to log in to the machine when Symantec AntiVirus or Symantec Endpoint Protection is installed. The computer may seem to hang on "Applying Personal Settings."


Cause

There are multiple potential causes for this issue.


Solution

Establish boot times and check for mapped drives:

  1. Establish boot time with customer's full application suite installed on the machine without SAV or SEP installed while off the network.
  2. Compare this time against the boot time while SAV or SEP is installed and Auto-protect is enabled, again while off the network. By default, Auto-protect is enabled at system startup and loads when the SAVRT driver initializes. Auto-protect can instead be configured to load at service startup (which is after Winlogon in the boot process). It is important to know when Auto-protect loads, because every file the system accesses during the boot process is checked by Auto-protect, which increases the time it takes for the system to fully boot. Symantec strongly recommends leaving Auto-protect set to load at system startup, because network-aware infectors can compromise a machine before a user logs on. Please see the Technical Information section of this document for steps to configure when Auto-protect loads.
  3. Compare the previous time against a boot of the machine where Auto-protect is enabled and the machine is now on the network. If there is a significant increase in time, check whether there are mapped drives on the machine. When mapped drives are configured to reconnect at system startup (the default when creating a mapped drive), Auto-protect maintains a scanning thread for this activity until the drive successfully connects, so network latency increases the time it takes for the system to become usable.
  4. Disable all mapped drives and compare the boot time against the boot time where the drives initialize and connect at startup. If there is a significant improvement, this points to a network-based problem.
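The comparison in the steps above can be made from the event log rather than with a stopwatch. The following PowerShell script is an added example and is not part of this article or of the Symantec products: it lists the drive mappings that reconnect at logon (Windows stores persistent mappings under HKCU\Network, one subkey per drive letter) and reports recent boot times. It assumes Windows Vista or later with PowerShell 3.0 or later; the boot-duration figures come from event 100 in the Microsoft-Windows-Diagnostics-Performance/Operational log, which the XP-era systems this article also covers do not have, so on those only the 6005 boot timestamps are shown.

```powershell
# Added example (not from the Symantec article): list reconnect-at-logon drive mappings
# and report recent boot durations so the with/without-mapped-drives comparison can be
# read from the event log. Assumes Vista or later, PowerShell 3.0+, and read access to
# the System and Diagnostics-Performance logs.

# Persistent ("Reconnect at logon") mappings live under HKCU:\Network, one subkey per
# drive letter, with the UNC path in RemotePath. These are the drives Auto-protect waits on.
function Get-PersistentMappedDrive {
    $key = 'HKCU:\Network'
    if (-not (Test-Path $key)) { return @() }
    Get-ChildItem -Path $key | ForEach-Object {
        $props = Get-ItemProperty -Path $_.PSPath
        [pscustomobject]@{
            Drive      = "$($_.PSChildName):"
            RemotePath = $props.RemotePath
            Provider   = $props.ProviderName
        }
    }
}

# Event 6005 (source EventLog) is written at every boot; its timestamp marks when the
# Event Log service came up, which is early in the boot sequence.
function Get-RecentBootTime {
    param([int]$Count = 5)
    Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'EventLog'; Id = 6005 } `
        -MaxEvents $Count -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty TimeCreated
}

# Event 100 in Microsoft-Windows-Diagnostics-Performance/Operational (Vista and later)
# carries the measured boot phases in milliseconds: BootTime (total), MainPathBootTime
# (until the desktop appears) and BootPostBootTime (until the system is idle enough to use).
function Get-BootDuration {
    param([int]$Count = 5)
    $filter = @{ LogName = 'Microsoft-Windows-Diagnostics-Performance/Operational'; Id = 100 }
    Get-WinEvent -FilterHashtable $filter -MaxEvents $Count -ErrorAction SilentlyContinue |
        ForEach-Object {
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            [pscustomobject]@{
                Boot         = $_.TimeCreated
                TotalSec     = [math]::Round([double]$data['BootTime'] / 1000, 1)
                ToDesktopSec = [math]::Round([double]$data['MainPathBootTime'] / 1000, 1)
                PostBootSec  = [math]::Round([double]$data['BootPostBootTime'] / 1000, 1)
            }
        }
}

'== Drive mappings that reconnect at logon =='
$drives = @(Get-PersistentMappedDrive)
if ($drives.Count -eq 0) { '(none)' } else { $drives | Format-Table -AutoSize }

'== Recent boots (Event 6005) =='
Get-RecentBootTime | ForEach-Object { $_.ToString('yyyy-MM-dd HH:mm:ss') }

'== Measured boot durations (Event 100, Vista and later) =='
$durations = @(Get-BootDuration)
if ($durations.Count -eq 0) {
    '(no Diagnostics-Performance data on this host)'
} else {
    $durations | Format-Table -AutoSize
    $avg = ($durations | Measure-Object -Property TotalSec -Average).Average
    'Average total boot time over {0} boots: {1:N1} s' -f $durations.Count, $avg
}
```

Run it after a few reboots with the mappings in place, then again after removing them (for example, net use X: /delete, or clearing "Reconnect at logon") and rebooting a few more times. A large gap in PostBootSec only when mappings are present points at the network share or its latency rather than at Auto-protect itself.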


Other factors that impact boot times:

  • If a client is managed by a parent server, it checks in with that server as soon as Rtvscan.exe starts. If new definitions are available, the client downloads them, which can affect performance during the boot process through Winlogon. This wait is typically longer if the client must download a full virus definition catalogue.
  • By default, Symantec AntiVirus and Symantec Endpoint Protection run a startup quick-scan of the file system at system startup which is a low impact scan of common areas where infectors are found. For information on configuring the startup scan, please see the Technical Information portion of this document.
  • Check to see if the computer is using roaming profiles. Roaming profiles can involve a substantial amount of information being transferred from another computer in the Windows domain to this local computer, especially if this is the first time that a specific user has logged in to this workstation. Scanning of that profile either by the remote server or the local client can cause delays.




References
Very useful blog post about identifying the cause of slow logons with Process Monitor (procmon): http://blogs.technet.com/markrussinovich/archive/2010/01/13/3305263.aspx



Technical Information

How to configure when Auto-protect loads for Symantec AntiVirus managed clients:

  1. Launch Symantec System Center and unlock the applicable server group.
  2. Right-click either the server group or parent server -> All Tasks -> Symantec AntiVirus -> Client Auto-Protect Options -> Advanced button.
  3. In the "Startup Options" section, select either System Start for Auto-protect to load early in the boot phase, or Symantec AntiVirus Start for Auto-protect to load when the Symantec AntiVirus service starts (after Winlogon).


How to configure when Auto-protect loads for Symantec Endpoint Protection managed clients:

  1. Launch the Symantec Endpoint Protection Manager.
  2. Select the Policies tab in the left-hand pane.
  3. Under "View Policies" select AntiVirus and Antispyware.
  4. In the right-hand window, select the policy that you wish to change Auto-protect's loading order for, then in the "Tasks" section, select Edit the policy.
  5. In the left-hand column, select File System Auto-Protect.
  6. Select the Advanced tab
  7. In the "Startup and Shutdown" section you will be able to specify when Auto-Protect loads.


How to disable/enable Startup Quick Scan on a managed or unmanaged Symantec AntiVirus client: see the knowledge base document "About the Quick Scan feature in Symantec AntiVirus Corporate Edition 10.1 and Symantec Client Security 3.1".

How to disable/enable Startup and Quick Scans within the Symantec Endpoint Protection Manager: see the knowledge base document "How to disable/enable Startup and Quick Scans within the Symantec Endpoint Protection Manager".

Userenv.log
Windows' User Environment log (C:\WINDOWS\Debug\UserMode\userenv.log) is an excellent source of information about slow boot-ups, group policy application and profile loading.

"Where enabling Userenv logging is necessary to see exactly what is happening with group policy and profile loading.... One thing to remember is that if the logging is not enabled then do not try and interpret the log since very minimal logging is enabled by default!" (http://www.ditii.com/2008/11/12/how-to-read-a-userenv-log-in-vista-or-windows-server-2008-part-1/)

Debug logging for pre-Vista systems: Microsoft KB 221833, How to enable user environment debug logging in retail builds of Windows, http://support.microsoft.com/kb/221833

Understanding How to Read a Userenv Log – Part 1 http://blogs.technet.com/askds/archive/2008/11/11/understanding-how-to-read-a-userenv-log-part-1.aspx
Understanding How to Read a Userenv Log – Part 2 http://blogs.technet.com/askds/archive/2008/11/11/understanding-how-to-read-a-userenv-log-part-2.aspx
Interpreting Userenv log files http://technet.microsoft.com/en-us/library/cc786775(WS.10).aspx

LoadOrder
Sysinternals has a tool (LoadOrd.exe) that reveals the order in which a system loads device drivers and services: http://technet.microsoft.com/en-us/sysinternals/bb897416.aspx

Event Logs
Examining the Windows System and Application event logs will also reveal much information about what is occurring during a boot. The following events are logged whenever a computer boots. Are there any errors which consistently appear afterward? Perhaps about services or minifilters that attempt to load but fail? Is SEP or SAV dependent on those? Will resolving that issue restore prompt boot times?

    Type: Information
    Date: 08/02/2010
    Time: 14:15:05
    Event: 6005
    Source: EventLog
    Category: None
    User: N/A
    Computer: COMPUTERNAME
    Description: The Event log service was started.

    Type: Information
    Date: 08/02/2010
    Time: 14:15:05
    Event: 6009
    Source: EventLog
    Category: None
    User: N/A
    Computer: COMPUTERNAME
    Description: Microsoft (R) Windows (R) 5.01. 2600 Service Pack 3 Multiprocessor Free.
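One way to answer the questions above (which errors consistently follow a boot, and whether they concern services or minifilters that SEP or SAV might depend on), as an added example that is not part of this article: the PowerShell script below takes the 6005 event from each of the last few boots, gathers the Critical, Error and Warning events from the System and Application logs within a window after each one, and ranks them by how many of those boots they recur in. It assumes PowerShell 3.0 or later and read access to both logs; the boot count and window length are assumed defaults that can be changed on the command line.

```powershell
# Added example (not from the Symantec article): find problems that recur after every boot.
# Assumes PowerShell 3.0+ and read access to the System and Application logs.
param(
    [int]$BootCount     = 5,    # number of recent boots to examine (assumed default)
    [int]$WindowMinutes = 10    # how long after each boot to look for problems (assumed default)
)

# Event 6005 (source EventLog) is written at every boot and marks when the Event Log
# service started.
function Get-RecentBootTime {
    param([int]$Count)
    Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'EventLog'; Id = 6005 } `
        -MaxEvents $Count -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty TimeCreated
}

# Levels 1-3 are Critical, Error and Warning. Service and driver failures land in System;
# product-level problems (SEP/SAV components, for example) usually land in Application.
function Get-PostBootProblem {
    param([datetime]$Boot, [int]$Minutes)
    foreach ($log in 'System', 'Application') {
        Get-WinEvent -FilterHashtable @{
            LogName   = $log
            Level     = 1, 2, 3
            StartTime = $Boot
            EndTime   = $Boot.AddMinutes($Minutes)
        } -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                Boot    = $Boot
                Log     = $log
                Offset  = [math]::Round(($_.TimeCreated - $Boot).TotalSeconds)  # seconds after boot
                Level   = $_.LevelDisplayName
                Source  = $_.ProviderName
                Id      = $_.Id
                Message = ("$($_.Message)" -split "`r?`n")[0]                  # first line only
            }
        }
    }
}

$boots = @(Get-RecentBootTime -Count $BootCount)
if ($boots.Count -eq 0) { Write-Warning 'No 6005 boot events found in the System log.'; return }

$problems = foreach ($b in $boots) { Get-PostBootProblem -Boot $b -Minutes $WindowMinutes }

'== Problems within {0} min of each of the last {1} boots ==' -f $WindowMinutes, $boots.Count
$problems | Sort-Object Boot, Offset |
    Format-Table Boot, Offset, Log, Level, Source, Id, Message -AutoSize -Wrap

# Recurrence: an event that follows every boot is a standing candidate; a one-off is noise.
'== Recurring problems (boots affected / boots examined) =='
$problems | Group-Object Log, Source, Id |
    ForEach-Object {
        [pscustomobject]@{
            Source   = $_.Group[0].Source
            Id       = $_.Group[0].Id
            Log      = $_.Group[0].Log
            BootsHit = @($_.Group | Select-Object -ExpandProperty Boot -Unique).Count
            Sample   = $_.Group[0].Message
        }
    } |
    Where-Object { $_.BootsHit -gt 1 } |
    Sort-Object BootsHit -Descending |
    Format-Table Source, Id, Log,
        @{ n = 'Recurs'; e = { '{0}/{1}' -f $_.BootsHit, $boots.Count } }, Sample -AutoSize -Wrap
```

An entry that recurs on every examined boot and names a driver, minifilter or service (Service Control Manager timeouts, for instance) is worth checking against the SEP or SAV service dependencies before attributing the delay to Auto-protect; a widened window catches slow-starting services, a narrowed one isolates what happens before Winlogon.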

Legacy ID

2008102013461148
