Endpoint Protection

  • 1.  50% CPU Utilisation

    Posted Aug 03, 2009 07:23 AM
    Hi all,

    We have set up a weekly scheduled full system scan and noticed the following on one of our servers:

    During the scan the processor utilisation spikes to 50% and above which greatly affects the performance of the server during this process.  Also during that time the network interface starts experiencing network timeouts.

    We have raised a tech support call with Symantec but just wondering if anyone else has come across this and found a resolution?

    We are currently running Endpoint enterprise version 11.0.4202.75


    Thanks in advance
    Vinny



  • 2.  RE: 50% CPU Utilisation

    Posted Aug 03, 2009 07:39 AM
    Check if you have any files inside the quarantine folder
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine

    Delete all the files
    and try running the scan.

    I see that it scans these folders when new defs arrive.

    Let us know if this was helpful.

    Good day



  • 3.  RE: 50% CPU Utilisation

    Posted Aug 03, 2009 09:19 AM
    Solution:
    The Scan Tuning feature in Symantec Endpoint Protection 11.x works by monitoring file Input and Output. If Symantec Endpoint Protection is doing most of the file IO, the scan will continue unthrottled. If another process is performing a large amount of IO then Symantec Endpoint Protection will throttle the scan until the IO caused by other processes is reduced. If a scan is throttled, Symantec Endpoint Protection will continue to scan but at a much slower speed.


    Best Scan Performance – Symantec Endpoint Protection scans as fast as it can. No throttling is done. This is essentially the way legacy SAV scanned.
    Balanced Performance – Symantec Endpoint Protection will throttle if other processes are doing a lot of IO. If other processes are doing some, but not a lot of IO, then Symantec Endpoint Protection will not throttle the scan.
    Best Application Performance – Symantec Endpoint Protection gives preference to other applications. If other processes are doing some IO, Symantec Endpoint Protection will throttle the scan until the amount of IO by the other processes goes down.

    Legacy versions for Symantec AntiVirus have a similar option called “Throttling”. The Throttling option works differently in that it changes the process priority for the scan. Symantec Endpoint Protection scan tuning does not change the scan process priority; instead, it uses the more efficient method of monitoring file IO as described above. For additional information on the legacy scan throttling please see the appropriate Symantec Client Security or Symantec AntiVirus Administrators Guide.



  • 4.  RE: 50% CPU Utilisation

    Posted Aug 03, 2009 04:42 PM
    Hello,
    I have seen this exact issue occur many times when there is a SQL Database that is being scanned on the system.  Are you running any form of Database?  If so, we will need to exclude those DB files from being scanned.

    If you are unsure, you can look for Sqlservr.exe running; also, the default location of the SQL DB is C:\Program Files\Microsoft SQL Server\MSSQL\MSSQL\Binn
    Here is the doc for excluding this:
    Title: 'How to exclude SQL files and folders using Centralized Exceptions'
    Document ID: 2008062709312848
    Web URL: http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2008062709312848?Open&seg=ent

    Hope this helps.
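
The check suggested in the post above, as an added PowerShell example that is not part of the original thread: it reports whether a SQL Server engine process is running and summarises the folders that hold database files, so exclusions can be scoped to those folders. `$SearchRoot` is an assumed starting folder; the `.mdf`, `.ndf` and `.ldf` extensions are the standard SQL Server data and log file types.

```powershell
# Added example, not from the thread.
# $SearchRoot is an assumption: point it at the folder or volume where
# your databases actually live.
param(
    [string]$SearchRoot = 'C:\Program Files\Microsoft SQL Server'
)

# 1. Is a SQL Server engine running? (Path may be empty without admin rights.)
$engines = @(Get-Process -Name sqlservr -ErrorAction SilentlyContinue)
if ($engines.Count -eq 0) {
    Write-Output 'No sqlservr.exe process found on this machine.'
    return
}
Write-Output "Found $($engines.Count) sqlservr.exe process(es):"
$engines | Select-Object Id, Path | Format-Table -AutoSize

# 2. Locate primary data, secondary data and log files under the search root.
$dbFiles = @(Get-ChildItem -Path $SearchRoot -Recurse -ErrorAction SilentlyContinue |
    Where-Object {
        -not $_.PSIsContainer -and $_.Extension -match '^\.(mdf|ndf|ldf)$'
    })

if ($dbFiles.Count -eq 0) {
    Write-Output "No database files found under $SearchRoot."
    return
}

# 3. Summarise per folder so exclusions can be limited to these locations.
$dbFiles | Group-Object DirectoryName | ForEach-Object {
    $bytes = ($_.Group | Measure-Object -Property Length -Sum).Sum
    New-Object PSObject -Property @{
        Folder = $_.Name
        Files  = $_.Count
        SizeMB = [math]::Round($bytes / 1MB, 1)
    }
} | Sort-Object SizeMB -Descending |
    Format-Table Folder, Files, SizeMB -AutoSize
```

Keep any resulting exclusion limited to the listed folders and file types rather than a whole volume, so the rest of the server is still scanned.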



  • 5.  RE: 50% CPU Utilisation

    Posted Aug 03, 2009 05:20 PM
    That's not a bad idea.

    Virus scanning has historically been a computationally intensive process, due to pattern matching, heuristics (sp?) etc., although I'm really a layman about all of this.

    That being said, if users are having trouble with service during your weekly scheduled scans, have you considered moving scans to off hours (weekends?  evenings)?  I know that this is not always an available option but if it is it might make things easier on you.


  • 6.  RE: 50% CPU Utilisation

    Posted Aug 03, 2009 06:39 PM
    Depending on the size of the quarantine folder: if it's a regular size of only a few megabytes, this won't be able to contribute to the issue. If you look in the application event log, it may show decompression errors for large archive files that can cause a scan to not only take a large amount of time but also consume CPU usage.

    This type of situation is also synonymous when multiple databases are running on the machine, generally SQL instances or other database type applications.