
Mac SEP client utilizing high amount of memory

Created: 09 Oct 2012 • Updated: 23 Jan 2013 | 6 comments
This issue has been solved. See solution.

I am in the process of deploying SEP 12.1 RU1 MP1 to my organization. In my organization I have a variety of Mac clients ranging from OS X 10.4 to OS X 10.8. I have been noticing the clients running slow and checked Activity Monitor. Activity Monitor showed the navx and SymAutoProtect processes using a lot of memory. The machine I tested on was an Intel iMac with 2GB RAM running SEP 12.1. I have attached a screenshot of Activity Monitor. I then decided to test SEP 11 RU7 and I tested it on a MacBook with 4GB RAM running SEP 12.1. Activity Monitor showed the same results (see second screenshot). Has anyone noticed this before? Thank you.


bspore

I should mention the navx process is not the issue since it is a multithreaded application with a low priority.

.Brian

Are these specialized machines? Any idea what they might be doing to constantly trigger AP?

Perhaps exceptions may be needed. Centralized exceptions can be added for areas with high file activity:

How to create a Security Risk Exception for a Mac client from the Symantec Endpoint Protection Manager (SEPM)

http://www.symantec.com/docs/TECH131707

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

sandra.g

Navx (the 'command line/scheduled scan' scan engine) shouldn't be running constantly, nor should AutoProtect. When are your scans scheduled to run, and are there a lot of compressed files on these machines? What function do your Macs have? A lot of file transfers?

High CPU Usage on Symantec Endpoint Protection for Macintosh clients with NAVX process
http://www.symantec.com/docs/TECH140574

Might want to turn off scanning of compressed files, especially if using disk encryption. Any potential malicious content inside a compressed file will be snagged by AutoProtect when the file is unarchived.

Symantec AntiVirus and Endpoint Protection for Macintosh: How to Disable Scanning of Compressed Archives
http://www.symantec.com/docs/TECH106231

The exclusions/exceptions Brian81 noted above will only work for AutoProtect.

Edit: you did say memory, not CPU. Duh. :) Anyway, they should not, to my knowledge, even be running unless they are doing something (a scan, either scheduled or real-time).

sandra

Symantec, Senior Information Developer
Enterprise Security, Mobility, and Management - Endpoint Protection

Don't forget to mark your thread as 'solved' with the answer that best helps you!

SOLUTION
bspore

Scans are scheduled to run every Monday at 8 pm and LiveUpdate is scheduled to run every 4 hours. The Macs are used primarily for word processing and Internet, not a whole lot of file transfers. I have disabled scanning of compressed files to see if that helps. I will monitor the performance and see if there is a change. Thank you.

bpcruz

Hello,

I work in the same company as bspore and have also been monitoring this issue from the client end.

Even with scanning of compressed files disabled (see the bottom of this post for the contents of /var/root/Library/Preferences/com.symantec.autoprotect.plist), the process still starts automatically at boot (because it resides in /Library/StartupItems) and remains running as long as the computer is turned on. While it is running, SymAutoProtect does not appear to show any significant CPU activity (Activity Monitor normally shows 0.0% CPU usage, though it occasionally increases to 0.1 or 0.2% for a second or two) but still uses roughly 400MB of real memory the entire time, which can create performance issues for those Macs that only have 1GB of RAM installed.

The real memory usage of SymAutoProtect, navx, and other Symantec processes (including the SEP client's GUI app) is commensurate with the size of the scan engine in /Library/Application Support/Symantec/AntiVirus/Engine. In particular, there is one file within that directory, VIRSCAN7.DAT (which I assume contains most of the virus signatures the SEP client uses to detect threats), that is 315.6MB large and constitutes much of the 415MB engine directory. 

After initially installing the SEP client on a machine, this file is nearly half its current size. It increases dramatically, though, after I update SEP's virus definitions via LiveUpdate or by deploying the latest definitions package from Symantec's website.  

As an experiment, I trashed VIRSCAN7.DAT (thus reducing the engine size to only 99MB) and restarted the SymAutoProtect process. That process, as well as others such as navx and the SEP GUI app, now only used about 80-94MB of memory. When I put VIRSCAN7.DAT back into its original directory and restarted the process again, it returned to using 400MB of RAM. 

So it appears that each SEP-related process loads all virus signatures into memory as long as they are running. Is this expected behavior, or is there something we can configure to cause these processes to use less memory? We still have a few hundred Macs in our school district with only 1GB of RAM installed and are trying our best not to overly hinder the user experience on these machines.

Thank you,

Brandon

--------------------------------

{
    AllowUserChanges = 0;
    AutoProtectOn = 1;
    AutoProtectRepairOn = 1;
    AutoQuarantineOn = 1;
    ClientModeEnabled = 0;
    CustomVirusAlert = "Scan type: ~L Scan\\nEvent: ~E\\nSecurity risk detected: ~V\\nFile: ~P\\nLocation: ~C\\nComputer: ~S\\nUser: ~N\\nAction taken: ~A\\nDate found: ~T";
    Dash9000Done = 1;
    DisplayMessage = 1;
    MountScanOn = 1;
    SZUpdateCount = 28;
    SafeZoneType = 0;
    ScanAllDisksOn = 0;
    ScanAudioCDs = 0;
    ScanCompressedOn = 0;
    ScanIPods = 1;
    ScanOtherCDs = 1;
    ScanOtherDVDs = 1;
    ScanOtherDisks = 1;
    ScanVideoCDs = 0;
    ScanVideoDVDs = 0;
    ShowMountProgOn = 1;
}

anand sankruthi

There is nothing that can be configured for the processes to use less memory. But, the processes use about 400 MB of virtual memory, not the physical one. And it's only the AutoProtect that's running all the time, with average CPU < 0.5%. Should be ok to run even with systems having 1GB RAM.

You may find the system going sluggish if navx runs, such as during a scan schedule. It is advisable to schedule that during the night when no one's at the system. And if you want to run a manual scan from the UI, be aware of the folder/disk you are scanning. The bigger the size of the folder or disk, the more time it takes to scan.
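
One way to settle the real-versus-virtual memory question raised in this thread is to read both figures from `ps` for the two processes discussed. This is an added example, not part of any post above; the function name `sep_mem_report`, the 25% threshold, and the sample `ps` lines (including their paths and numbers) are constructed for illustration.

```shell
#!/bin/sh
# Report resident (real) and virtual memory for SymAutoProtect and navx from
# `ps -axo rss,vsz,comm` output. ps reports both columns in KiB.
# Live use on a client:  ps -axo rss,vsz,comm | sep_mem_report 1024 25

# Constructed sample input; paths and figures are placeholders, not measurements.
sample_ps() {
cat <<'EOF'
   RSS      VSZ COMM
409600  2519040 /constructed/path/SymAutoProtect
 88064  2467840 /constructed/path/Symantec Solutions/navx
 51200  2400000 /constructed/path/otherdaemon
EOF
}

# $1 = installed physical RAM in MiB
# $2 = flag a process as HIGH when its resident size reaches this % of RAM
sep_mem_report() {
    awk -v ram="$1" -v pct="$2" '
        $1 !~ /^[0-9]+$/ { next }            # skip the header line
        {
            rss = $1; vsz = $2
            # The command path may contain spaces, so strip the two numeric
            # columns instead of relying on field 3.
            cmd = $0
            sub(/^[ \t]*[0-9]+[ \t]+[0-9]+[ \t]+/, "", cmd)
            n = split(cmd, parts, "/")
            name = parts[n]
            if (name != "SymAutoProtect" && name != "navx") next

            rss_mb = rss / 1024
            vsz_mb = vsz / 1024
            # Resident size is what competes for physical RAM; virtual size
            # includes mapped but non-resident pages.
            flag = (rss_mb * 100 >= ram * pct) ? "HIGH" : "ok"
            printf "%s rss=%dMiB vsz=%dMiB %s\n", name, rss_mb, vsz_mb, flag
        }'
}
```

Running it before and after a definitions update on the same client shows whether the resident figure, rather than only the virtual one, tracks the size of the definitions.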