Endpoint Protection

I have SEP 11.0.4202.75 installed on all my workstations and found out that RTVScan.exe has page faults at a high rate, is this normal or expected?

(Launch task manager and enable page faults column, you should be able to see it)
 
Does anyone know why RTVScan.exe have page faults at a high rate?

Hi,

       This is definietly on the higher side however we need to check if this screen shot was taken when a scan was being performed may be at the background.

No scan is running on the machine.

I see the same thing on my system.



This is normal and does not indicate a problem. A page fault is generated when an application tries to access information that is not in physical memory (also know as an application's working set). Windows NT handles this by generating a page fault, which causes the information to be found and loaded.

Thomas

If it is not indicate a problem, what a high page faults is really indicated then? could it impact other things on the machine? thanks  

Contrary to what the name suggests, page faults are not errors and are common and necessary to increase the amount of memory available to programs in any operating system that utilizes virtual memory.

See http://en.wikipedia.org/wiki/Page_fault for more info.

 A high number of page faults will not impact your computers performance.

Page faults are not an error per se, but they do indicate that the process has been held up while data is fetched from disk.  High numbers of page faults are generally bad as it usually means there is insufficient memory.  This might also result from the use of memory mapped files (not sure about that).

The excessive numbers of page faults associated with this product (it's not just rtvscan.exe, it's smc.exe and ccSvcHst.exe as well at least), can impact the operation of a PC severely.

Bear in mind that a HDD can only sustain about 100 individual operations per second, then seeing millions of page faults (orders of magnitude more than other processes on my system) represents a significant use of the HDD system.

This is very obvious on my machine when booting up as it takes up to 5 minutes (after cleaning the system and removing non-essential services) for the desktop to become responsive.  It's not an issue with CPU or memory - there is generally very low CPU utilisation and 4GB RAM - it's an issue with the symantec processes hogging the HDD and preventing the rest of the system from loading/functioning.

I should also add that this is after I've disabled all the proections listed in Endpoint Security Dialogue (11.0.1000.1375).  It was taking 10-15 minutes to become responsive.

Page fault has very little to do with the performance of a machine. More so with XP SP1 and higher.

I can relate why rtvscan.exe has high page fault rate.

It's mainly when the information is not present in the main memory. Like, there is a reference to file "c:\virus.cab" but there is no file present by that name.

Since the scan engine gets deep inside the compressed files\folders, in fact everything that gets loaded up in memory that the location would not stay constant(of course).  Also, there are items in use by other process, and very natural for a fault to be generated when rtvscan tries to access it. Sometimes, it does not have the access to scan it. And all this should ideally happen thousands of times everyday if everything is normal.

My point is that each of these page faults generates a discrete disk access.

The rate at which rtvscan (and the others) generates these disk accesses is thrashing the hard drive and preventing the rest of the system from operating normally.

This isn't just theoretical.  I can see and hear that my hdd is been accessed continually.  I can see the slow rate at which explorer retrieves file icons and displays them on the desktop.

The problem is not with 1000s of accesses per day.  It's millions of accesses.  For me, it's also the rate at which it accesses the drive when I first log in.

Depending on how the machine is being used page faults can have a massive impact on performance.   Where the computer is CPU bound with many (non realtime) processes, having processes waiting on disk access thery aren't an issue.  In this case though, the computer performance is limited by the hard disk, there is virtually zero CPU utilisation and the page faults are devastating on performance.

I still don't get your point. Do you have any logs that suggest that it's RTVScan.exe page faults that are responsible for the slugishness of your machine? or maybe a document?

 

I don't think this has been made before, to analyze all the processes from the system start.

This should work.

Create an Auto service for starting the procexp. Or if you don't wanna create one, you might install a tiny program with a service and rename the procexp to it's name and replace it. I don't know, try it.

I think you will have to use the /t for minimizing the procexp to the system tray, or else it might run in the background, and maybe as low priority.

procexp.exe /t /p:l

I am not sure if they have fixed this bug yet  http://forum.sysinternals.com/forum_posts.asp?TID=8556 but one switch should work in all cases.

Thanks for the info about process explorer this will be very useful.

I'm not sure it will help in this case but it's something I'd been missing.

I won't be pursuing this inestigation further as I'd already got my startup time down to something I can live with and the (AV) behaviour is within what I'd expect; I think this was becoming more of an abstract argument.

Regards.

Yeah, but don't tell me you didn't enjoy it :)

Hi,

There are two issues in this thread. First is the high number of page faults by the RTVScan.exe process. This is due primarily to RTVScan unloading the AV definitions from memory if they haven't been used "in a a while" and then reloading them when they are needed. This helps reduce the memory impact of SEP on systems which is especially helpful for low end systems with 256Mb or 512Mb of RAM. And it helps with the other topic of this thread...
The second topic is the long time it takes after starting your computer for it to become usable. In SEP 11.0 MR2 we made substantial improvements to help speed the startup time of SEP. There were several changes of particular benefit to startup times. The one that is relevant here is that RTVScan.exe no longer loads the AV definitions until they are first needed. Prior to 11.0 MR2 RTVScan.exe used to load the AV defs at startup regardless of whether they would be needed in 30 seconds or in 3 hours. But in 11.0 MR2 and later RTVScan.exe doesn't load the defs at startup. Rather RTVScan.exe loads the defs only when they are needed.
RTVScan.exe needs to load the defs when a scan is being done (manual scan, scheduled scan, right click scan in Explorer, scanning email messages, etc). But if RTVScan.exe hasn't used the defs in a while (10 minutes) the defs get unloaded.

The high number of pages faults has to be considered in the context of how long the system has been running. 400M page faults over 2 hours would be bad. 400M page faults over 2 months is not.

I hope this helps clarify thing for everybody.