Endpoint Protection Slowing Systems Down To A Crawl

Created: 31 Aug 2010 | 9 comments

Running Endpoint Protection 11.0.6 in my environment. Lately I have had many users complaining to me that their computer takes forever to start up in the morning. After doing some testing, I narrowed it down to when Symantec is updating definitions. On some systems it's taking well over 30 minutes to complete the update. During this time it is next to impossible to run anything else. I went through my settings. I don't have any startup scans running, or scans running after new definitions arrive. These systems are Dual Core machines with 1 GB of RAM running XP Pro. What is causing this to take so long just to update definitions? Do I need to disable Network Threat and Proactive Threat Protection? Will updating to the latest version help? Thanks for any help on this.

Vikram Kumar-SAV to SEP's picture

First of all, your clients should not run LiveUpdate. It's the duty of the SEP Manager.
Then SEP Manager will distribute definitions to the clients.

Go to SEPM > Policies > LiveUpdate > Edit LiveUpdate policy.

Make sure only "Default Management server" is selected and "Symantec LiveUpdate server" is not selected.

Vikram Kumar

Symantec Consultant

The most helpful part of entire Symantec connect is the Search button..do use it.

Jim_M's picture

It is configured that way. I am only using Live Update for offsite laptops.

Vikram Kumar-SAV to SEP's picture

You can change the update interval on the clients to once a day or once in 12 hrs. LiveUpdate does consume high memory, and since it is 1 GB RAM it might be too slow at the time of update, so you can increase the time interval between updates.

Vikram Kumar

Symantec Consultant

The most helpful part of entire Symantec connect is the Search button..do use it.

mssym's picture

1 GB RAM might be considered low nowadays; however, a 30-minute logon is way too long. I would recommend you tweak the configuration to test each of the settings. Make a machine with AV only and test to see whether it boots faster. Then start to turn each policy back on to see where the burden was coming from.
You can turn on Microsoft user environment debug logging to find out which process takes a long time to complete or whether SEP has any involvement there.

http://support.microsoft.com/kb/221833

One thing to ask: do you have "Scan new process immediately" turned on in TruScan Proactive Threat Scans in the Antivirus & Antispyware policy? If you do, try turning it off to see whether it makes any difference.

VKalani's picture

Are the computers slow only during startup, or are they slow even when users are logged in (and a definitions update is taking place)?

Upgrading to 11.0.6 MP1 may help...

-VKalani

Jim_M's picture

Thank you for the replies. I was looking at changing the update intervals so they don't take place when a user logs on in the morning. As far as I know, they only say it's slow when they start up in the morning. I will run some tests in my test environment, enabling one policy at a time, to see if I can narrow it down. Scan new process immediately is not enabled. I will also test it on a machine with more than 1 GB of RAM to see if I notice any difference.

sandra.g's picture

So computers get turned off every night and started every morning? If you're using the default settings and clients are updating every day, then they should only be requesting delta packages for definitions (the difference between what's available and what they have). Thirty minutes is definitely way too long.

One thing to try if you haven't already is to adjust the download randomization to something higher. This is found under the Communication settings for the group (Clients > [select group] > Policies tab > Location-independent Policies and Settings > Settings > Communication Settings... the same place where the heartbeat interval is set), and the default is also 5 minutes.

Do you use AD startup scripts? For some reason this comes to mind (don't let the title fool you--I've seen instances in which slow start-up was resolved by this):

Title: 'The Windows Explorer Shell (explorer.exe) fails to load at logon when Symantec Endpoint Protection (SEP) is installed'
http://service1.symantec.com/SUPPORT/ent-security....

sandra

Symantec, Information Developer
Installation, Migration, Deployment and Patching
User Protection & Productivity, Endpoint Protection

Don't forget to mark your thread as 'solved' with the answer that best help

Jim_M's picture

That's interesting because I am experiencing that explorer issue on my computer. I will make that change in my group policy and see if that helps. I will also up the download randomization time.

khaskins82's picture

Disable the startup scan. I had to do that so our laptops would not take forever to display the user's desktop.