Endpoint Protection

I have about 75 machines deployed with SEP 12.1RU1MP1. We have a scheduled scan that runs on all machines at 01:00 each morning.  The majority of the machines run the scan in 1-3 hours, depending on the particular machine.  However,  I have 10x Windows 7 64-bit machines, 6 of which almost always take 6-16 hours to complete.  These 6 machines are unremarkable in terms of configuration, and are actually some of our newest machines.  The other 4 are: 2x VMWare VM's & 2x physical workstations (1 of which is identical hardware to the 6 having issues).  The 2 physical workstations not having issues are in our IT department and, interestingly, have 3-4 times as many files to scan as the average machine, and still finish well under 3 hours.  All other machines (WinXP 32-bit, Win7 32-bit, Win2003 32-bit, & Win2008R2) also scan in 1-3 hours.

I'm thinking it may be something to do with the base OS install.  With the exception of the 1 IT workstation, all of my 64-bit installs (Win 7 & Win2008R2) are clean install (i.e. not a preinstall from Dell).  I couldn't tell you when it started, or how long it has been happening.  I only noticed it when troubleshooting another machine that was having issues reporting its daily scan status to the server.  I've tried uninstalling the SEP client and redeploying, but it hasn't helped.

Has anyone else had this issue?  If so, what did you do to fix it?

Thanks,

Eric

Does the machine(s) have a large amount of files or files large in size?

No.  Compared to all other workstations, they are very typical.  Most work files are saved on the file server, so workstations themselves are very similar in configuration, software install, files scanned.

You could enable VPdebug logging to determine what is scanning and where the differences may lie:

How to enable "Vpdebug Logging" on Symantec Endpoint Protection 11.0, 12.1, and 12.1 RU1

http://www.symantec.com/business/support/index?page=content&id=TECH102939

http://www.symantec.com/business/support/index?page=content&id=TECH103126&locale=en_US

Hi,

Could you check following article

Scheduled/Manual scan takes a long time to complete on a machine with an active Application and Device Control policy

http://www.symantec.com/docs/TECH96797

Unfortunately, I don't have an Application and Device Control policy enabled.

Eric

I'll enable this debug logging on a couple machines and compare the results.  Maybe it will shed some light. 

The interesting thing is that these problematic machines actually have a lower scanned file count (in some cases a significantly lower count) than many older machines that are scanning normally.

Thanks,

Eric

I've seen this before with files large in size (1GB +). They can take many minnutes to scan. Or even large ZIP files which contain many files as well.

I had thought of that, but I can't find any significantly sized files on these machines.  In fact, my own machine has 4x as many files as these machines (1million vs. 250k), and numerous giant files (DVD ISO images) and some huge zip files and still takes < 2 hours.  These machines are averaging 10-12 hours.  It's crazy.

Hopefully this log will help identify any specific files that are slowing the scan down.

Thanks for the input.

Eric

Okay, I found the issue.  The debug log on the problematic machine is clogged with the entries like this:

01:01:05.196937[_1500][_736]|ScanThrottling: User is not Idle. Sleeping 2000 ms for the Best Application Performance scan.
01:01:07.206735[_1500][_736]|ScanThrottling: ScanStatus is invalid.

I know it's not the users staying logged on.  So something must be running in the background keeping SEP from running.  Now I just need to figure out what that process is.

Thanks for the help.

Eric

Scheduled task(s) perhaps?

Back ups?

Nope.  These are just normal workstations.  We don't do backups on workstations because we force users to save all documents to a file server.  As for scheduled tasks, there aren't any that I (we) have scheduled.  I've gone thru all of the default tasks that get configured when Win7 is installed, but nothing obvious is running.  The strange thing is that it is only these select machines, which were all bought at the same time.  All other Win7 machines are running normally, most of which I (we) did clean installs of Windows.  I'll have to dig deeper when I have time.  For now, I have adjusted the policy to give the scan more priority.  Hopefully that will remedy the issue until I can find the root caue.

E

so what was the issue then ?

I'm about to rollout to all of my 400 workstations but scared off the implication if something goes bad.

with my SSD laptop, it took 3 minutes to do the Active Scan only.

Something is running in the background that causes the SEP client to wait until it has conditions "for the Best Application Performance scan."  It ends up delaying the start of the scan and interrupting it once it has started.  I haven't figured out what the background application is yet.  I tried increasing priority of the scan, but it doesn't seem to have helped.  It doesn't seem to be anything specific to Windows 7 64-bit, but rather these specific machines and their config.  I have other Win7x64 machines that have no issues.  If I find the culprit, I will post back here.

Eric

Thanks for the update Wingfan.