Troubleshooting Scan Engine crashes

Article:TECH185896  |  Created: 2012-04-05  |  Updated: 2012-04-06  |  Article URL http://www.symantec.com/docs/TECH185896
Article Type
Technical Solution


Issue



This article contains recommended guidelines and steps to help admins troubleshoot Scan Engine crashes.


Solution



The following checklist should help troubleshoot and investigate Symantec Scan Engine (SSE) related crashes. 

Crash behaviour

  • Understand and document its frequency
  • Document when the crashes started and the changes that were applied to the system before that moment 
  • Record steps to reproduce (if possible)
  • Document all the remedial actions taken to recover from the crash each time
  • Consider upgrading Scan Engine to the latest available build to benefit from code improvements that may help resolve the crashes.

 

Collecting additional crash evidence

  • If filesystem-intensive applications (such as Antivirus, Backup, etc) are installed on the same server, ensure that proper exclusions are set for Scan Engine folders.
    • For more information, please refer to technotes TECH81335 and TECH89717, also linked in the "Related Articles" section.
  • Collect all SSE configuration files (all XML files within the SSE installation folder)
  • Ensure SSE logging is set to Verbose level 
  • Collect SSE statistics (DAT) from Scan Engine's "log" folder
  • Compare events between the SSE DAT and log files.
    • Technote TECH134905, also linked in the "Related Articles" section, may make SSE logs easier to read.
  • (Windows) Run PerfMon counters for the symcscan.exe process (all)
    • Technote TECH94315, also linked in the "Related Articles" section, may make the PerfMon counters easier to set up.
  • (Windows) Process Monitor collection while the issue is reproduced
    • To limit resource usage, ProcMon can be filtered to capture only events from the "symcscan.exe" process
  • Network capture of the ICAP conversation (when ICAP is used)
    • To limit resource usage, the network capture can be filtered to capture only ICAP traffic (TCP port 1344)
  • Process full memory dump of the crash
    • Configure the Operating System to generate full memory dumps upon any process crashing.
  • Enable Scan Engine "data stream save" feature by following steps in technote TECH84224

 

Important: some of the above steps may not be applicable to scenarios where the crashes occur on a random basis, since the resource usage could be too intensive for the systems. In such cases, please discuss the next steps with Symantec Technical Support to best assess which steps to take.
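
As an added example (not part of the original article and not Symantec-provided code), the following PowerShell sketch prepares a Windows server for three of the checklist items above: full memory dumps for symcscan.exe, a copy of the SSE XML configuration files, and PerfMon counters for the process. It assumes an elevated Windows PowerShell 5.1 session; the $SseDir and $OutDir paths are placeholders, and the Windows Error Reporting "LocalDumps" registry key is one standard way to obtain per-process full dumps that the article itself does not name.

```powershell
# Added example: evidence-collection prep for symcscan.exe crashes (run elevated).
# ASSUMPTIONS: both paths below are placeholders; set them for your server.
$SseDir = 'C:\Path\To\ScanEngine'     # placeholder: SSE installation folder
$OutDir = 'C:\SSE-CrashEvidence'      # placeholder: where evidence is gathered
$Proc   = 'symcscan.exe'              # process name given in the article

New-Item -ItemType Directory -Force -Path "$OutDir\config", "$OutDir\dumps" | Out-Null

# 1. Full user-mode dumps for symcscan.exe only, via WER LocalDumps.
#    DumpType 2 = full dump; DumpCount caps how many dumps are kept on disk.
$key = "HKLM:\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumps\$Proc"
New-Item -Path $key -Force | Out-Null
New-ItemProperty -Path $key -Name DumpType  -PropertyType DWord -Value 2 -Force | Out-Null
New-ItemProperty -Path $key -Name DumpCount -PropertyType DWord -Value 5 -Force | Out-Null
New-ItemProperty -Path $key -Name DumpFolder -PropertyType ExpandString `
    -Value "$OutDir\dumps" -Force | Out-Null

# 2. Copy every XML configuration file, preserving its relative path.
Get-ChildItem -Path $SseDir -Filter *.xml -Recurse -File | ForEach-Object {
    $rel = $_.FullName.Substring($SseDir.Length).TrimStart('\')
    $dst = Join-Path "$OutDir\config" $rel
    New-Item -ItemType Directory -Force -Path (Split-Path $dst) | Out-Null
    Copy-Item -LiteralPath $_.FullName -Destination $dst
}

# 3. Hash the collected copies so later configuration changes can be detected.
Get-ChildItem "$OutDir\config" -Recurse -File |
    Get-FileHash -Algorithm SHA256 |
    Export-Csv "$OutDir\config-hashes.csv" -NoTypeInformation

# 4. Log all Process counters for symcscan every 15 seconds until Ctrl+C.
#    The resulting .blg file opens in PerfMon. A long sample interval keeps
#    overhead low on servers where the crash is intermittent.
Get-Counter -Counter '\Process(symcscan)\*' -SampleInterval 15 -Continuous |
    Export-Counter -Path "$OutDir\symcscan.blg" -FileFormat BLG

# For the ICAP network capture, the capture filter "tcp port 1344" limits
# tcpdump/Wireshark to ICAP traffic, as recommended in the checklist.
```

Full dumps of a scanning process can contain fragments of scanned content, so restrict access to the dump folder and remove the LocalDumps key once the investigation is complete.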


For more info, please refer to the Related Articles section.




