
"File Cache" function causes performance problems on some servers

Created: 12 Feb 2013 | 5 comments

Hi,

We have the following configuration for the "File Cache" function for our servers with SEP 12.1.2 installed:

 

  • Enable file cache [x]
  • Use the default file cache size [x]
  • Rescan cache when new definitions load [x]

 

Now we see on some servers a performance impact when new definitions get loaded.

  • On one SQL Server the "Rescan" only takes ~4 minutes - C:\ drive kind of busy but not too much really – I see this as a normal impact with the “Rescan” option enabled
  • On another SQL Server the "Rescan" takes up to 30 minutes and scans 15.000 files - C:\ busy the whole scan time
  • On an archiving server that stores millions of files, the "Rescan" can take up to 60 minutes - D:\ drive (where the archived PDFs are stored) is very busy, with some performance impact on search queries from the archiving solution

My questions are now:

  • Should we disable the “Rescan cache when new definitions load” function on all servers?
  • If so, is that a security risk?
    • Let's say a “bad file” is marked as clean inside of the cache
    • New definitions get loaded that “know” that the “bad file” should get detected
    • Will it get detected then?
  • How big is the “default cache size”? Can it be changed in SEP 12.1? The documentation says “Applies only to legacy Clients”. Do they mean SEP 11?

Thanks!


.Brian's picture

It is really up to you. If there is a file in quarantine and you uncheck the option, it won't be scanned. There is a chance that new defs can remediate the threat. It's not always guaranteed though.


SebastianZ's picture

According to the documentation:

File System Auto-Protect uses a file cache so that it remembers the clean files from the last scan. The file cache persists across startups. If the client computer shuts down and restarts, File System Auto-Protect remembers the clean files and does not scan them.

File System Auto-Protect rescans the files in the following situations:

  • The client computer downloads new definitions.
  • Auto-Protect detects that the files might have changed when Auto-Protect was not running.

You can disable the file cache if you always want Auto-Protect to scan every file. If you disable the file cache, you might impact the performance of your client computers.

You can also set the following parameters:

  • The file cache size
    The default cache size is 10,000 files per volume. You can change the cache size if you want File System Auto-Protect to rescan more or fewer files.
  • Whether or not Auto-Protect rescans the cache when new definitions load
    You might want to disable this parameter to improve File System Auto-Protect performance.

http://www.symantec.com/business/support/index?pag...

The option applies to 12.1 as well.

Additionally, in SEP 12.1 there is Shared Insight Cache, which you may find interesting:

https://www-secure.symantec.com/connect/blogs/shar...

How Shared Insight Cache works

http://www.symantec.com/docs/HOWTO55318

Symantec Endpoint Protection Shared Insight Cache User Guide 12.1

http://www.symantec.com/docs/DOC4334

Shared Insight Cache - Best Practices and Sizing guide

http://www.symantec.com/business/support/index?page=content&id=TECH174123

Installation and Configuration of SEP Shared Insight Cache

http://www.symantec.com/docs/TECH185897

 

To your question:

If so, is that a security risk?

  • Let's say a “bad file” is marked as clean inside of the cache
  • New definitions get loaded that “know” that the “bad file” should get detected
  • Will it get detected then?

Yes, this is the whole point of rescanning the cache again - to check it with the newest definition set that may include the signatures that weren't available with previous definitions - this may as well detect threats in files previously marked as clean and cached.
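The trade-off discussed above, as an added example that is not part of the original thread and not Symantec's code: a simplified model of a clean-file cache with the documented default of 10,000 entries per volume, showing the scan cost of a rescan at definition load against the stale "clean" verdict left when the rescan is off. The class and function names, the LRU eviction, the content-hash fingerprint and the substring "signatures" are assumptions made for the model; it does not establish how SEP itself behaves with the option disabled.

```python
from collections import OrderedDict

class CleanFileCache:
    """Toy per-volume clean-file cache; a model, not SEP's implementation."""
    def __init__(self, scan, capacity=10_000, rescan_on_new_defs=True):
        self.scan = scan              # scan(content, defs) -> True if malicious
        self.capacity = capacity      # documented default: 10,000 files per volume
        self.rescan_on_new_defs = rescan_on_new_defs
        self.clean = OrderedDict()    # path -> fingerprint at last clean verdict
        self.scans = 0                # real scans performed (the I/O cost)

    def _scan(self, path, content, defs):
        self.scans += 1
        bad = self.scan(content, defs)
        if bad:
            self.clean.pop(path, None)
        else:
            self.clean[path] = hash(content)
            self.clean.move_to_end(path)
            while len(self.clean) > self.capacity:  # assumed LRU eviction
                self.clean.popitem(last=False)
        return bad

    def on_access(self, path, content, defs):
        if self.clean.get(path) == hash(content):
            return False              # cache hit: unchanged file is not scanned
        return self._scan(path, content, defs)

    def on_new_definitions(self, files, defs):
        if not self.rescan_on_new_defs:
            return []                 # cached verdicts are kept as they are
        return [p for p in list(self.clean) if self._scan(p, files[p], defs)]

def signature_scan(content, defs):    # stand-in scanner: substring signatures
    return any(sig in content for sig in defs)

def run(rescan):
    missed = "D:\\archive\\missed.pdf"               # constructed sample data
    files = {f"D:\\archive\\{i}.pdf": b"report %d" % i for i in range(200)}
    files[missed] = b"report CONSTRUCTED-MARKER"
    old_defs, new_defs = [b"OLD-SIG"], [b"OLD-SIG", b"CONSTRUCTED-MARKER"]
    cache = CleanFileCache(signature_scan, rescan_on_new_defs=rescan)
    for path, content in files.items():              # all cached as clean
        cache.on_access(path, content, old_defs)
    before = cache.scans
    at_load = cache.on_new_definitions(files, new_defs)
    on_open = cache.on_access(missed, files[missed], new_defs)
    return at_load, on_open, cache.scans - before

if __name__ == "__main__":
    print(run(True), run(False))
```

In this model `run(True)` flags the file while the new definitions load, at the cost of rescanning every cached entry; `run(False)` performs no extra scans and the unchanged file is still answered from the cache when it is next opened.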

Zebbelin's picture

Thanks for your answer!

Shared Insight Cache only works for scheduled scans and not for auto protect scans, right? Will Shared Insight Cache work for the “Rescan cache when new definitions load”?

Is there a way that SEP “forgets” the cache when new definitions arrive and does not rescan it?

SebastianZ's picture

1. "Is there a way that SEP “forgets” the cache when new definitions arrive and does not rescan it?"

...well, this is controlled exactly by the option you have already mentioned - "Rescan cache when new definitions arrive" - if you disable it you will basically disable the cache rescans.

 

2. "Shared Insight Cache only works for scheduled scans and not for auto protect scans right? Will Shared Insight Cache work for the “Rescan cache when new definitions load” ?"

As per documentation:

NOTE: Shared Insight Cache is only available for the clients that perform scheduled scans and manual scans.

Rescan cache when new definitions load - is a setting of Autoprotect on the other hand.

Rafeeq's picture

It will rescan from the above link

 

File System Auto-Protect rescans the files in the following situations:

  • The client computer downloads new definitions.

For Shared Insight Cache:

 

How Shared Insight Cache works

http://www.symantec.com/business/support/index?page=content&id=HOWTO55318#v49770729