Low System Resources, system crashes, system lockups, high paged pool use by the SavE tag with Symantec Antivirus 10.1/Symantec Client Security 3.1

Article:TECH97319  |  Created: 2009-01-09  |  Updated: 2010-01-18  |  Article URL http://www.symantec.com/docs/TECH97319
Article Type
Technical Solution

Product(s)

Issue





Symptoms
General system installability, system crashes, system lockups, lost mapped drives or other symptoms related to low system resources.


The following Events might also appear System and Application Event logs:

Event ID: 1500:
Windows cannot log you on because your profile cannot be loaded. Check that you are connected to the network, or that your network is functioning correctly. If this problem persists, contact your network administrator.
DETAIL - Insufficient system resources exist to complete the requested service.

Event ID: 1505
Windows cannot load the user's profile but has logged you on with the default profile for the system.
DETAIL - Insufficient system resources exist to complete the requested service.

Event ID: 1508:
Windows was unable to load the registry. This is often caused by insufficient memory or insufficient security rights.
DETAIL - Insufficient system resources exist to complete the requested service. for C:\Documents and Settings\username\ntuser.dat

Also, for systems that have crashed (BSOD), memory dump analysis will show high paged pool usage by the SavE pooltag.


Cause



The size of the virus definitions has increased over time, and the savrt.sys driver is requesting more and more memory from the paged pool to load the definitions. Eventually the system runs out of paged pool memory and starts to exhibit low-resource symptoms as described above.

Solution



Symantec has addressed the memory use of savrt.sys starting with SAV 10.1.8/SCS 3.1.8. Please upgrade to the current version of SAV/SCS to address this issue.

If upgrading is not possible or feasible, a workaround provided by Microsoft to adjust the paged pool maximum can be applied. Please see the following article from Microsoft for more information.

http://technet.microsoft.com/en-us/library/cc976157.aspx

Addendum

Symantec released an optimized AV engine on February 4th 2010 that lowers the amount of page pool memory usage in SEP and SAV.
While this is available to all customers and will lower our overall product footprint, we also recommend upgrading to the latest version of
Symantec Endpoint Protection or Symantec AntiVirus products to receive all our memory optimization fixes.
The change will be visible in the file version of naveng.sys and naveng15.sys to be 20091.2.2.11



Technical Information
Additional Application Event Log events which may indicate this issue:


Event ID: 40
Source: Symantec AntiVirus
Description: Symantec AntiVirus has determined that the virus definitions are missing on this computer. This computer will remain unprotected from viruses until virus definitions are downloaded to this computer.

Event ID: 22
Source: Symantec AntiVirus
Description: Symantec AntiVirus Auto-Protect failed to load.

Additional System Event Log events which may indicate this issue:

Event ID: 30
Source: SAVRT
Description: Unable to determine the location of the virus definition files.

Event ID: 7000
Source: Service Control Manager
Description: The SAVRT service failed to start due to the following error: A device attached to the system is not functioning.



Legacy ID



2009110914543948


Article URL http://www.symantec.com/docs/TECH97319


Terms of use for this information are found in Legal Notices