
High memory usage by RTVSCAN.EXE

Created: 04 Nov 2012 | 4 comments

High memory usage by RTVSCAN.EXE for SEP version 11.0.7200.1147. The target systems are up to date with Windows OS patches and SEP virus definitions.

Applied the WindowsXP-KB959658-x86-ENU.exe and WindowsXP-KB2616676-v2-x86-ENU.exe patches also, as suggested by some forums for a possible memory leak; still no solution.


Simpson Homer's picture

There is a hotfix available from Microsoft that addresses this memory leak in crypt32.dll. See the following Microsoft technical article:

http://support.microsoft.com/kb/959658 ("A memory leak problem occurs when you run an application that uses the HttpSendRequest function of the WinHTTP API or of the WinINet API to send Secure Sockets Layer requests in Windows XP Service Pack 3"). 

This hotfix is only for customers experiencing this issue and is available from Microsoft by request only. Please discuss the ramifications with Microsoft before deciding to deploy this hotfix. Other updates may be applied to crypt32.dll, but the hotfix in KB959658 will enforce an older developmental branch. You can even apply updates and this hotfix in any order, and you will still wind up with a hotfixed DLL. This may cause some confusion because the version differences aren't readily apparent. For example, if the update in KB2616676 has already been applied, the crypt32.dll version will be 5.131.2600.6149, and after applying the hotfix in KB959658 and rebooting, the version number is the same. To see the difference, you must go to the file properties version tab for crypt32.dll and highlight "File Version" to see more versioning details. For example:

Hotfixed: 5.131.2600.6149 (xpsp3_sp3_qfe.110906-1620)

No Hotfix: 5.131.2600.6149 (xpsp3_sp3_gdr.110906-1620)

As an alternative to applying the Microsoft hotfix, you may do one of the following:

  • In the Symantec Endpoint Protection TruScan settings, disable the "Scan new processes immediately" option to slow the leak. To further slow the leak, increase the TruScan interval (default is 1 hour). 

    Monitor rtvscan.exe memory usage on the Endpoint Protection client. If it goes above 300MB then restart the rtvscan.exe service (the "Symantec Endpoint Protection" service). No reboot should be necessary. After monitoring memory usage you may identify an hourly interval at which you can schedule a service restart.
     

  • Or, remove the Proactive Threat Protection component of the Endpoint Protection Client.
     
  • Or, remove the DigiNotar patch: http://support.microsoft.com/kb/2616676
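
The crypt32.dll branch check and the 300MB restart workaround described in the comment above, as an added PowerShell example that is not part of the original post or Symantec's tooling. It assumes PowerShell 2.0 or later on the client, that the process is named Rtvscan, that "memory usage" means working set, and a hypothetical log file under %TEMP%.

```powershell
# Added example. The 300 MB threshold, the service display name and the
# qfe/gdr version strings come from the post; everything else is assumed.
$ThresholdMB        = 300
$ServiceDisplayName = 'Symantec Endpoint Protection'
$ProcessName        = 'Rtvscan'                              # assumed process name for rtvscan.exe
$LogPath            = Join-Path $env:TEMP 'rtvscan-mem.csv'  # hypothetical log location

function Get-Crypt32Branch {
    param([string]$FileVersion)
    # Full string looks like "5.131.2600.6149 (xpsp3_sp3_qfe.110906-1620)"
    if ($FileVersion -match '\([^)]*_(qfe|gdr)\.[^)]*\)') {
        if ($Matches[1] -eq 'qfe') { return 'hotfixed (QFE branch)' }
        return 'no hotfix (GDR branch)'
    }
    return 'branch not recognised'
}

# 1. Report which crypt32.dll branch is installed; the numeric version alone
#    is identical for both, so the full FileVersion string is inspected.
$dll     = Join-Path $env:SystemRoot 'system32\crypt32.dll'
$version = (Get-Item $dll).VersionInfo.FileVersion
Write-Output ("crypt32.dll {0}: {1}" -f $version, (Get-Crypt32Branch $version))

# 2. Sample rtvscan.exe memory and append it to a log, so the growth rate
#    (and a sensible restart interval) can be read off later.
$proc = Get-Process -Name $ProcessName -ErrorAction SilentlyContinue | Select-Object -First 1
if (-not $proc) {
    Write-Output "$ProcessName is not running; nothing to check."
    return
}
$memMB = [math]::Round($proc.WorkingSet64 / 1MB, 1)   # assumption: "memory usage" = working set
$stamp = Get-Date -Format 'yyyy-MM-dd HH:mm:ss'
Add-Content -Path $LogPath -Value ("{0},{1}" -f $stamp, $memMB)

# 3. Restart the service only when the sample exceeds the threshold.
if ($memMB -gt $ThresholdMB) {
    Write-Output "$ProcessName at $memMB MB, above $ThresholdMB MB: restarting service."
    Restart-Service -DisplayName $ServiceDisplayName -Force
    Add-Content -Path $LogPath -Value ("{0},restart" -f (Get-Date -Format 'yyyy-MM-dd HH:mm:ss'))
} else {
    Write-Output "$ProcessName at $memMB MB, below threshold."
}
```

Run it from a scheduled task with administrative rights; each run performs one sample, so the task interval sets how often memory is checked.
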
Karvy Central IT's picture

Dear Simpson

I had applied 2 patches for the MEMORY LEAK issue (WindowsXP-KB959658-x86-ENU and WindowsXP-KB2616676-v2-x86-ENU) but of no use.

Removed PTP and NTP also, still the same problem.

I have observed one common characteristic on the affected machines - Outlook PST files amounting to 15+ GB, lots of shared folder access over the network (application).

Though that entire department is using the common shared network drive for the application, other users didn't have such huge PST files.

can this be a reason?

Aravind

Simpson Homer's picture

Hello Karvy,

It could be one of the reasons, I cannot assure you though without proper findings.

I would suggest that you get a case opened with technical support and allow them to investigate this further and collect the necessary info and logs.

Phone numbers to contact Tech Support:-

Regional Support Telephone Numbers:
United States: 800-342-0652 (407-357-7600 from outside the United States)
Australia: 1300 365510 (+61 2 8220 7111 from outside Australia)
United Kingdom: +44 (0) 870 606 6000

India: Toll-Free 000 800 4401 456 directly

IDD call: +61 2 8220 7111

Additional contact numbers: http://www.symantec.com/business/support/contact_techsupp_static.jsp

Customer Care Contact Numbers for Licensing Issues:-

http://www.symantec.com/support/assistance_care.jsp

How to create a new case in MySupport

http://www.symantec.com/business/support/index?page=content&id=TECH58873