
xdelta3.exe process hogs server CPU

Created: 22 Feb. 2013 • Updated: 26 Feb. 2013 | 24 comments
This issue has been solved. See solution.

I've been noticing that every day between 11 AM and 1 PM, the xdelta3.exe process pops up and hogs over 50% of the server CPU, severely slowing the whole network down. I believe that our Symantec Endpoint Protection 12.1.671.4971 is updating the definitions and maybe pushing them to all the network clients. This seriously affects our ability to work as our ERP solution (database in the server) becomes non-responsive and we can't take care of our customers.

Our server is an HP Proliant ML370 G5 (Intel Xeon CPU @ 2.33 GHz with 2 GB RAM) and runs Windows Server 2003 R2 (version 5.2.3790, SP2). All clients are Windows XP Professional SP3. This happens each and every day. LiveUpdate Windows Scheduling is set to daily at 3:30 AM.

I don't know why SEP is doing this but it must stop as we're headed into busy season and we cannot place our customers on hold for a long time while we restart all clients and the server to get the system responsive again.

I'd appreciate if someone could provide some insight / suggestions as to how to fix this situation.

Thanks!


Sumit G's picture

Can you confirm whether you have Live Update scheduled at this time?

If it is scheduled, then try to change the schedule time and check whether the process is still getting high.

https://www-secure.symantec.com/connect/forums/sep-server-grinds-holt-every-morning

Regards

Sumit G.

RickHydro's picture

Hi Sumit,

I have the LU scheduled for early in the morning (I wanted to avoid this kind of problem) but I'm never in the office at that hour so I've not seen if the problem happens.

SebastianZ's picture

- If possible, update your server to a newer SEP 12.1 version.

- Xdelta would be responsible for creating the delta updates for clients.

- Do you observe the issue around the same time LiveUpdate on the SEPM is scheduled? (LiveUpdate Windows Scheduling is set to daily at 3:30 AM.)

- Are your clients in push mode? If yes, set them to pull mode with randomization - this will force them not to ask for available defs updates all at the same time.

RickHydro's picture

Hi,

We already have the SEP v.12.1.671.4971. I don't see this issue happen at 3:30 AM (no one is in the office at that time, which is the reason I've set the LU to do its thing then).

I do not know if the clients are in push or pull mode; I could not find any setting in the SEP Manager that allows me to change that.

We have the SEP installed in 11 clients in workstations and 1 more in the Windows 2003 server, for a total of 12 clients. The SEP Manager is installed in the Windows server.

Thanks for your help.

James-x's picture

Hello Rick,

Xdelta3.exe is used by the Symantec Endpoint Protection Manager (SEPM) when it is creating delta files for clients. (Deltas are small update packages for the clients which allow SEP clients to update definitions without having to download a full definition package over the network.) This normally doesn't bring a server to a halt unless there may be an underlying resource issue.

I have a couple questions for you to better understand your environment:

- How many SEP clients do you have?

- Is the ERP solution/database on the same server as the SEPM?

- Can you flesh out "slowing the whole network down"? Are you actually seeing the network links become saturated or are you just noticing that the responsiveness of the server (or the server's ERP software) becomes sluggish?

- Does xdelta3.exe ever close itself without manual intervention?

- Why was the LiveUpdate schedule modified to run daily at 3:30am? Was LiveUpdate also causing performance issues?

James

The Symantec Endpoint Protection Knowledgebase

Please remember to mark the post which resolved your issue as the solution!
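
The timing questions above (when xdelta3.exe runs, for how long, and whether it exits on its own) can be answered with data by sampling the process on the SEPM server. The PowerShell script below is an added example, not part of the original thread and not a Symantec tool; the log path and the 30-second interval are assumptions.

```powershell
# Added example: log the CPU share of xdelta3.exe to a CSV file.
# Run on the SEPM server from an elevated prompt; stop with Ctrl+C.
$ProcessName = 'xdelta3'                    # process named in the thread
$LogPath     = 'C:\Temp\xdelta3-cpu.csv'    # hypothetical path; folder must exist
$IntervalSec = 30                           # assumed sampling interval
$Cores       = [Environment]::ProcessorCount
$Invariant   = [Globalization.CultureInfo]::InvariantCulture

if (-not (Test-Path $LogPath)) {
    'Timestamp,Instances,CpuPercent,WorkingSetMB' |
        Out-File -FilePath $LogPath -Encoding ASCII
}

$previous   = @{}          # PID -> CPU seconds seen at the previous sample
$lastSample = Get-Date

while ($true) {
    Start-Sleep -Seconds $IntervalSec
    $now     = Get-Date
    $elapsed = ($now - $lastSample).TotalSeconds
    $procs   = @(Get-Process -Name $ProcessName -ErrorAction SilentlyContinue)
    $current = @{}
    $cpuSec  = 0.0
    $wsBytes = 0
    foreach ($p in $procs) {
        $total = $p.TotalProcessorTime.TotalSeconds
        $current[$p.Id] = $total
        if ($previous.ContainsKey($p.Id)) {
            $cpuSec += $total - $previous[$p.Id]   # CPU used since last sample
        } elseif ($p.StartTime -ge $lastSample) {
            $cpuSec += $total                      # process started in this interval
        }
        $wsBytes += $p.WorkingSet64
    }
    $previous   = $current
    $lastSample = $now
    if ($procs.Count -gt 0) {
        # Percentage of total CPU capacity (all cores), like Task Manager shows
        $pct  = [math]::Round(100 * $cpuSec / ($elapsed * $Cores), 1)
        $line = [string]::Format($Invariant, '{0:s},{1},{2},{3:F0}',
                                 $now, $procs.Count, $pct, ($wsBytes / 1MB))
        Add-Content -Path $LogPath -Value $line
    }
}
```

Rows are written only while xdelta3.exe is running, so the first and last timestamps of each run can be compared directly with the LiveUpdate schedule and with the time the client machines start up.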

RickHydro's picture

Hi James,

I've got the answers to your questions:

- We have 12 SEP clients (11 on workstations and 1 more in the Windows 2003 server).

- Our ERP software is installed in the same Windows server as the SEP Manager.

- When this problem happens, our ERP software becomes non-responsive and we cannot do anything on it; any file we're trying to get from the server takes forever to load. I would say that the responsiveness of the server becomes very sluggish.

- xdelta3.exe closes without any manual intervention; we just have to wait until it is done.

- I set the LiveUpdate schedule to happen early in the morning so all clients would be updated by the time we're in the office. I wanted to avoid precisely this kind of situation.

Thanks for your help.

James-x's picture

Hi Rick,

Thanks for the info. That gives me a good understanding of what your problem is. Your server's performance just isn't able to handle the workload it has on it. The machine itself meets our specifications for having the SEPM, but once you factor in other software (such as the ERP database, which is probably memory intensive, databases often are), you're beginning to run into resource contention issues. (Your limited amount of RAM is of particular concern to me. It's probably causing many pages to/from the disk.)

That being said, I think I have a viable workaround for you.

Would you be open to configuring your SEP clients to getting definitions directly from Symantec's LiveUpdate servers?

If we can eliminate the SEPM's need to create delta definition files, then we should be able to prevent this slowdown from occurring again in the future.

Pros: Eliminating the SEPM's need to create delta definitions will prevent this issue from occurring.

Cons: Slightly increased network traffic since each SEP client is downloading definitions from the internet. We can mitigate this impact on the network significantly, though, by making sure that SEP clients update at different times of day. Total network traffic should be between 1-2MB per client per day. (Note: This is very minimal with today's broadband connections.)

Let me know if you're open to this and I can explain how to set it up.

James


RickHydro's picture

James,

Thanks for your quick response. I would be open to that solution. Considering I have the SEPM v.12.1.671.4971, how do I do that?

I seem to have an old SEPM version as I don't have the clients tab, but I have no idea how to update the SEPM.

Thanks!

James-x's picture

Hi Rick,

You're welcome. Happy to help!

Setting up this configuration is going to require modifying where the clients get their updates from and decreasing the frequency that the SEPM updates itself. (You can't easily disable the SEPM from updating definitions, but you can decrease the frequency to once per week. No reason to have it updating itself daily if you aren't using it to distribute updates to clients.)

CONFIGURING THE SEPM TO UPDATE DEFINITIONS ONCE PER WEEK:

  1. Login to the SEPM
  2. Click Admin > System
  3. Right-click Local Site > click Edit the Server Properties > click LiveUpdate tab
  4. Set the Download Schedule to Weekly rather than Daily
  5. Pick the day of the week to run LiveUpdate (I suggest the weekend, if nobody works then.)
  6. Click OK > OK

CONFIGURING THE CLIENTS TO GET UPDATES FROM LIVEUPDATE RATHER THAN THE SEPM:

It turns out that the Small Business Edition SEPM (which limits the amount of policy options available to simplify management of the product) doesn't allow you to configure clients to update definitions only from LiveUpdate and not from the SEPM. The default policy tells the clients to update from the SEPM and there's no way for you to change this without sending your policy to me so I can modify it and then send it back to you.

Do you have any other Symantec products on this server? If not, you can just uninstall LiveUpdate from Add or Remove Programs. When the SEPM attempts to run LiveUpdate, you may see errors saying LiveUpdate failed. Limiting the LiveUpdate schedule to once a week (as instructed above) will limit the amount of errors in logs. You can safely ignore these errors.

Once you've uninstalled LiveUpdate, you will also need to confirm that your SEPM's LiveUpdate policy (on the Computers tab) is configured so that the clients go to LiveUpdate or else they won't get updated.

  1. Login to the SEPM
  2. Click Computers
  3. Select a client-group and click Policies
  4. Open the LiveUpdate policy > click Schedule
  5. Check "Enable LiveUpdate Scheduling" if it is not checkmarked
  6. Set the Frequency to Every 4 hours
  7. Set Retry Window to 1 or 2 hours

Test that out for a day or two and let me know how that goes.

James


RickHydro's picture

Hi James,

Thanks for your help. I've changed the LU frequency for the server to Sundays at 3 AM. As for the clients, I'd like to send the policy file to you and I'd appreciate if you could help me in changing it so those clients get their updates from LU rather than the SEPM. Can you tell me how I can do that? Unfortunately, I do not have any other Symantec products.

Thanks!

James-x's picture

Hi Rick,

Can you export the existing policy from the SEPM (right-click Export) and attach that? It should be a .dat file.

The file you attached won't extract with 7zip for some reason.

James


RickHydro's picture

Good morning James,

Here's the file. It is the LU SEPM policy.

Thanks for your help.

Attachment: HPS LiveUpdate policy.7z (1.32 KB)

James-x's picture

Hello Rick,

Thanks, I've modified your policy for you.

This policy is configured so that SEP clients download updates only from LiveUpdate. Clients using this policy will not get updates from the SEPM. Clients will run LiveUpdate daily. The LiveUpdate session start time has been randomized to start somewhere between three hours before and three hours after noon.

You will need to import this policy into the SEPM and then assign it to your client-groups.

James

Attachment: HPS LiveUpdate policy - LiveUpdate Only.7z (1.45 KB)


SOLUTION
Rafeeq's picture

If the heartbeat level is set to push mode then all the clients will get updates at the same time.

Configure it to pull mode with an interval of 4 hours, and check if that reappears again.

http://www.symantec.com/business/support/index?page=content&id=HOWTO27386

RickHydro's picture

Hi Rafeeq,

This seems to work for an older version of the software and I could not find these settings in the SEP Manager. Do you know of a link for the SEP Manager v12.1?

Thanks for your help.

SebastianZ's picture

Here is how you change to pull mode:

Steps to change the communication mode in client groups

http://www.symantec.com/docs/TECH94711

Configuring push mode or pull mode to update client policies and content

http://www.symantec.com/docs/HOWTO26845

rs_cert's picture

What is the running communication setting of SEPM?

Vikram Kumar-SAV to SEP's picture

The Manager would download the definitions at night, as you have scheduled it.

But in the morning when the client machines start and request definitions, that is the time when SEPM starts creating delta definitions, hence delta2.exe starts creating deltas and starts consuming CPU utilization.

Since you have just 12 clients in total, I suggest you keep 3 definition revisions on SEPM and increase the download randomization for the group for 2 hours and heartbeat to pull mode and 1 hour.

Also since this server looks to be loaded try increasing the CPU or RAM of the server.

Vikram Kumar

Symantec Consultant

The most helpful part of entire Symantec connect is the Search button..do use it.

RickHydro's picture

I seem to have an older version of the SEP Manager console:

How do I update to the new one that has the "clients" tab?

James-x's picture

The Clients tab is only on the Enterprise Edition of the SEPM.

You're running the Small Business Edition, so you want the Computers tab.

James


Rafeeq's picture

Try to update your SEPM manually by JDB file, check the usage. Not sure if this works for SMB.

http://www.symantec.com/business/support/index?pag...

James-x's picture

Hello,

This will, more than likely, cause the same issue, since xdelta3.exe is used to create delta files and delta files must be created regardless of where the SEPM gets its content.

James


RickHydro's picture

Thanks everyone for their help! I hope this situation is resolved, but I'll keep an eye on things and will let you know if something comes up.

James-x's picture

Hi Rick,

Just curious, does this mean you applied the policy and did not experience the issue today?

James
