
excessively long scan times on Win7 64-bit

Created: 13 Aug 2012 • Updated: 14 Aug 2012 | 14 comments
This issue has been solved. See solution.

I have about 75 machines deployed with SEP 12.1RU1MP1. We have a scheduled scan that runs on all machines at 01:00 each morning.  The majority of the machines run the scan in 1-3 hours, depending on the particular machine.  However, I have 10x Windows 7 64-bit machines, 6 of which almost always take 6-16 hours to complete.  These 6 machines are unremarkable in terms of configuration, and are actually some of our newest machines.  The other 4 are: 2x VMware VMs & 2x physical workstations (1 of which is identical hardware to the 6 having issues).  The 2 physical workstations not having issues are in our IT department and, interestingly, have 3-4 times as many files to scan as the average machine, and still finish well under 3 hours.  All other machines (WinXP 32-bit, Win7 32-bit, Win2003 32-bit, & Win2008R2) also scan in 1-3 hours.

I'm thinking it may be something to do with the base OS install.  With the exception of the 1 IT workstation, all of my 64-bit installs (Win 7 & Win2008R2) are clean install (i.e. not a preinstall from Dell).  I couldn't tell you when it started, or how long it has been happening.  I only noticed it when troubleshooting another machine that was having issues reporting its daily scan status to the server.  I've tried uninstalling the SEP client and redeploying, but it hasn't helped.

Has anyone else had this issue?  If so, what did you do to fix it?

 

Thanks,

Eric


.Brian's picture

Does the machine(s) have a large amount of files or files large in size?

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

WingFan's picture

No.  Compared to all other workstations, they are very typical.  Most work files are saved on the file server, so workstations themselves are very similar in configuration, software install, files scanned.

.Brian's picture

You could enable VPdebug logging to determine what is scanning and where the differences may lie:

How to enable "Vpdebug Logging" on Symantec Endpoint Protection 11.0, 12.1, and 12.1 RU1

http://www.symantec.com/business/support/index?pag...

http://www.symantec.com/business/support/index?pag...

 


SOLUTION
WingFan's picture

I'll enable this debug logging on a couple machines and compare the results.  Maybe it will shed some light. 

The interesting thing is that these problematic machines actually have a lower scanned file count (in some cases a significantly lower count) than many older machines that are scanning normally.

Thanks,

Eric

.Brian's picture

I've seen this before with files large in size (1GB +). They can take many minutes to scan. Or even large ZIP files which contain many files as well.


WingFan's picture

I had thought of that, but I can't find any significantly sized files on these machines.  In fact, my own machine has 4x as many files as these machines (1million vs. 250k), and numerous giant files (DVD ISO images) and some huge zip files and still takes < 2 hours.  These machines are averaging 10-12 hours.  It's crazy.

Hopefully this log will help identify any specific files that are slowing the scan down.

Thanks for the input.

Eric

WingFan's picture

Okay, I found the issue.  The debug log on the problematic machine is clogged with entries like this:

01:01:05.196937[_1500][_736]|ScanThrottling: User is not Idle. Sleeping 2000 ms for the Best Application Performance scan.
01:01:07.206735[_1500][_736]|ScanThrottling: ScanStatus is invalid.

I know it's not the users staying logged on.  So something must be running in the background keeping SEP from running.  Now I just need to figure out what that process is.

Thanks for the help.

Eric
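To put a number on how much of a scan window goes to this idle-wait throttling, the debug log can be summarized per hour. The following is an added example, not part of the original thread or any Symantec tooling; it assumes only the line shape of the two entries quoted above, and the function name and sample lines beyond those two are constructed for illustration.

```python
import re
from collections import Counter

# Line shape taken from the two entries quoted in the post:
#   HH:MM:SS.ffffff[_pid][_tid]|message
LINE_RE = re.compile(
    r"^(?P<hh>\d{2}):\d{2}:\d{2}\.\d+\[_\d+\]\[_\d+\]\|(?P<msg>.*)$"
)
SLEEP_RE = re.compile(r"ScanThrottling: User is not Idle\. Sleeping (\d+) ms")


def summarize_throttling(lines):
    """Total the throttle sleeps and break them down by hour of day."""
    parsed = throttle_lines = sleep_ms = 0
    per_hour = Counter()
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # blank or differently shaped line: ignore
        parsed += 1
        msg = m.group("msg")
        if not msg.startswith("ScanThrottling:"):
            continue
        throttle_lines += 1
        s = SLEEP_RE.search(msg)
        if s:  # only "Sleeping N ms" entries carry a duration
            sleep_ms += int(s.group(1))
            per_hour[m.group("hh")] += int(s.group(1))
    return {
        "parsed": parsed,
        "throttle_lines": throttle_lines,
        "sleep_seconds": sleep_ms / 1000,
        "sleep_seconds_by_hour": {h: v / 1000 for h, v in sorted(per_hour.items())},
        "throttle_share": throttle_lines / parsed if parsed else 0.0,
    }


# Constructed sample: the first two lines are those quoted in the post,
# the remaining lines are made up in the same shape.
SAMPLE = """\
01:01:05.196937[_1500][_736]|ScanThrottling: User is not Idle. Sleeping 2000 ms for the Best Application Performance scan.
01:01:07.206735[_1500][_736]|ScanThrottling: ScanStatus is invalid.
01:01:07.207001[_1500][_736]|ScanThrottling: User is not Idle. Sleeping 2000 ms for the Best Application Performance scan.
02:15:40.000123[_1500][_736]|ScanThrottling: User is not Idle. Sleeping 2000 ms for the Best Application Performance scan.
02:15:42.010456[_1500][_812]|Constructed non-throttling entry
not a log line
""".splitlines()

if __name__ == "__main__":
    for key, value in summarize_throttling(SAMPLE).items():
        print(f"{key}: {value}")
```

Running the same function over the debug log from a normally scanning machine and from a slow one gives a direct comparison of sleep time per hour, which shows whether the throttling is constant or tied to a particular time of night.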

.Brian's picture

Scheduled task(s) perhaps?

Back ups?


WingFan's picture

Nope.  These are just normal workstations.  We don't do backups on workstations because we force users to save all documents to a file server.  As for scheduled tasks, there aren't any that I (we) have scheduled.  I've gone thru all of the default tasks that get configured when Win7 is installed, but nothing obvious is running.  The strange thing is that it is only these select machines, which were all bought at the same time.  All other Win7 machines are running normally, most of which I (we) did clean installs of Windows.  I'll have to dig deeper when I have time.  For now, I have adjusted the policy to give the scan more priority.  Hopefully that will remedy the issue until I can find the root cause.

E

Chetan Savade's picture

Hi,

Could you check the following article?

Scheduled/Manual scan takes a long time to complete on a machine with an active Application and Device Control policy

http://www.symantec.com/docs/TECH96797

Chetan Savade
Sr.Technical Support Engineer, Endpoint Security
Enterprise Technical Support
CCNA | CCNP | MCSE | SCTS |

Don't forget to mark your thread as 'SOLVED' with the answer that best helps you.

WingFan's picture

Unfortunately, I don't have an Application and Device Control policy enabled.

Eric

Dushan Gomez's picture

So what was the issue then?

I'm about to roll out to all of my 400 workstations but scared of the implications if something goes bad.

With my SSD laptop, it took 3 minutes to do the Active Scan only.

Dushan Gomez
IT Manager
VCP 4 and 5 | MCITP Exchange Server | MCTS SharePoint Server | MCP Windows XP

 

WingFan's picture

Something is running in the background that causes the SEP client to wait until it has conditions "for the Best Application Performance scan."  It ends up delaying the start of the scan and interrupting it once it has started.  I haven't figured out what the background application is yet.  I tried increasing priority of the scan, but it doesn't seem to have helped.  It doesn't seem to be anything specific to Windows 7 64-bit, but rather these specific machines and their config.  I have other Win7x64 machines that have no issues.  If I find the culprit, I will post back here.

Eric

Dushan Gomez's picture

Thanks for the update Wingfan.

Dushan Gomez
IT Manager
VCP 4 and 5 | MCITP Exchange Server | MCTS SharePoint Server | MCP Windows XP