Endpoint Protection

  • 1.  How does SRTSP (symantec real time storage protection) work?

    Posted Jul 24, 2012 10:26 PM

    When I run a scan, "ccSvcHst.exe" will cause many I/O read bytes, which is no wonder.

    But I notice that sometimes "system" will cause many I/O read bytes, and I look through "system" to see which module of thread makes this happen.

    And then I got the result: it is SRTSP.

    Since I've already cancelled all auto-scans (except every Friday) from SEPM, at ordinary times my SEP will not run any scans.

    But it seems that "ccSvcHst.exe" won't do this, but SRTSP is not under management. SRTSP will scan my non-system partitions, which I do not access.

    So my question is: how does SRTSP work? Can I control its behavior? It drives me mad every day when I am using my PC: it runs and then it makes my hard drive run busily, and I can hardly do any operations on my PC during these times.

    So is there someone who can explain how SRTSP works?

    Thanks in advance.



  • 2.  RE: How does SRTSP (symantec real time storage protection) work?

    Posted Jul 25, 2012 11:57 AM

    SRTSP is used by autoprotect. Whenever you access, copy, save, move, open or close a file, Auto-Protect scans the file to ensure that a threat has not attached itself. This is the real-time scanning portion of the product, whose behavior you can change via policy in the SEPM. I highly recommend not turning this feature off, as it is an important part of the product.



  • 3.  RE: How does SRTSP (symantec real time storage protection) work?

    Posted Jul 25, 2012 09:00 PM

    I know that whenever I access, copy, save, move, open or close a file, auto-protect scans will run.

    But I keep many document and software backups in my non-system partitions. SRTSP will scan those files again and again, but I am sure that I didn't access them. Can you explain why?

    And you mention that I can control the behavior of SRTSP? I have turned off the start-up scan and the new-definitions-arrived scan, and only run a scan every Friday. But SRTSP still works when I do nothing on my PC. Why?



  • 4.  RE: How does SRTSP (symantec real time storage protection) work?

    Posted Jul 26, 2012 12:33 PM

    You can run a tool such as procmon to see everything that is being accessed on your system; you will notice that even at idle there is a lot going on in your system.

    Turning off start-up scans and new definitions arrived scans are both options under administrator defined scans in the SEPM, not autoprotect. The section to change autoprotect functions is under the section Auto-Protect.

    You say that it keeps scanning files on your non-system partitions over and over again. How do you know it is scanning those files?

    If you want to log exactly what files auto-protect is scanning you can enable vpdebug by following the doc below.

    http://www.symantec.com/docs/TECH103126
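
Added example, not part of the original posts: one way to check from a Process Monitor CSV export which process is reading how much from which volume, the question the replies above turn on. The sample rows and the `reads_by_volume` helper are constructed for illustration, and the column names assume Procmon's default CSV layout.

```python
import csv
import io
import re
from collections import Counter

# Constructed sample in the column layout of a Process Monitor CSV export;
# the paths, PIDs and sizes are made up for illustration.
SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"9:01:12.10","System","4","ReadFile","D:\Backup\setup.exe","SUCCESS","Offset: 0, Length: 65,536, Priority: Normal"
"9:01:12.11","System","4","ReadFile","D:\Backup\docs\report.doc","SUCCESS","Offset: 0, Length: 4,096, Priority: Normal"
"9:01:12.12","ccSvcHst.exe","1820","ReadFile","C:\Windows\System32\kernel32.dll","SUCCESS","Offset: 0, Length: 32,768"
"9:01:12.13","System","4","ReadFile","E:\Software\tool.zip","SUCCESS","Offset: 0, Length: 131,072, Priority: Normal"
"9:01:12.14","System","4","CreateFile","D:\Backup\setup.exe","SUCCESS","Desired Access: Generic Read"
"9:01:12.15","explorer.exe","2304","ReadFile","C:\Users\user\notes.txt","END OF FILE","Offset: 1,024, Length: 1,024"
'''

# Procmon writes the read size into the Detail column, with thousands separators.
LENGTH_RE = re.compile(r"Length: (\d+(?:,\d{3})*)")


def reads_by_volume(csv_text):
    """Sum successful ReadFile bytes per (process name, drive letter)."""
    totals = Counter()
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Operation"] != "ReadFile" or row["Result"] != "SUCCESS":
            continue  # ignore opens, closes, queries and failed reads
        match = LENGTH_RE.search(row["Detail"])
        if not match:
            continue
        path = row["Path"]
        # Drive-letter paths look like "D:\..."; anything else is grouped together.
        volume = path[:2].upper() if path[1:2] == ":" else "other"
        totals[(row["Process Name"], volume)] += int(match.group(1).replace(",", ""))
    return totals


if __name__ == "__main__":
    for (process, volume), nbytes in reads_by_volume(SAMPLE_CSV).most_common():
        print(f"{process:<14} {volume:<6} {nbytes:>10} bytes read")
```

For a real export, read the file with `encoding="utf-8-sig"` so that a leading byte-order mark, if present, does not end up in the first column name.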



  • 5.  RE: How does SRTSP (symantec real time storage protection) work?

    Posted Jul 27, 2012 03:14 AM

    I've already used Process Monitor to track.

    I agree with you that administrator defined scans differ from autoprotect.

    When I run a scan manually, "ccSvcHst.exe" will cause many disk I/O read bytes.

    But when autoprotect (SRTSP?) is scanning my non-system partitions, "system" will cause many disk I/O read bytes.

    And I checked the autoprotect settings, and the only one I think is related to my issue is "files high-speed cache".

    I notice that there is a setting "scan high-speed cache when new definitions arrived".

    I start up my PC every day, and autoprotect will scan my non-system partitions after a few minutes. So I think maybe the setting mentioned above makes this happen. After this, I reboot my PC, and nothing will happen.

    But I read the explanation about "high-speed cache"; it says autoprotect won't scan those files that were scanned before and marked as clean ones. So why does autoprotect scan those files again and again?

    I can see which files from the SEP client's main control panel by viewing "file system autoprotect summary".

    Now I've already reinstalled my SEP client, because I ran SEP_SupportTool and got some errors.

    This morning, I noticed that "system" still caused many disk I/O read bytes. But at that time I was away from my PC, so I could not track whether the issue still exists.

    And enabling debug can only capture on-demand or scheduled scans. I think it won't log autoprotect scans.

    I will keep watching my PC, and I will try to disable/enable the setting "scan high-speed cache when new definitions arrived", to see whether it relates to my issue.

    Thanks for your info.



  • 6.  RE: How does SRTSP (symantec real time storage protection) work?
    Best Answer

    Posted Aug 09, 2012 09:08 PM

    Finally, I got the result: "scan high-speed cache when new definitions arrived". If I disable this feature, everything is OK.

    And I got the explanation from Symantec: every volume will cache 10,000 files, by default, when new definitions arrive, this cache will be scanned again.