
PC slow down due to unknown Antivirus activity with great impact on hdd disk performance

Created: 02 Aug 2013 | 52 comments

Hello,

 

We are using Symantec Endpoint Protection version 12.1.3001.165 - English and Symantec Endpoint Protection version 12.1.2015.2015 - English

Affected OS: Windows 7 and Windows 8, 32 and 64 bit

Problem is that several times per day on many PCs the disk queue reaches 5-10. The PC starts to work very slowly. Windows Performance Monitor shows that a lot of files are accessed and read simultaneously by the System process. After Antivirus deletion everything starts to work well. This activity is not displayed in any log files on the SEP client or SEP management server.

 

This started after Antivirus upgrade from 11 to 12 version. Please help me to resolve this issue

 

Thank you in advance

Dima Reznikov


.Brian's picture

Is this a managed or unmanaged client?

What process is taking up the CPU when this occurs?

What components do you have installed?

Do you have the option checked for "Run an Active Scan when definitions arrive" in the AV policy?

Startup Scans configured?

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

Dmitriy.Reznikov's picture

It is "System" process

The problem is reproduced with these components:

 Virus, Spyware, and Basic Download Protection; Microsoft Outlook Scanner

 Virus, Spyware, and Basic Download Protection; Microsoft Outlook Scanner; Advanced Download Protection; Proactive Threat Protection; SONAR Protection; Application and Device Control; Network Threat Protection; Firewall; Intrusion Protection;

.Brian's picture

So is this constant or can you manually reproduce or does a scan appear to be taking place?

If a scan was taking place, you should see more CPU utilisation by the ccSvcHst.exe process.

Has the machine had any problems with viruses, meaning, is it virus free? Is anything appearing in the Risk or Security log? How about the Traffic log? Any unusual traffic being detected?

Is only one PC affected by this?


Dmitriy.Reznikov's picture

I cannot manually reproduce it, but usually it is during system start up and launch time.

CPU utilisation is low. According to client logs and management server logs, no scan is performed during this time.

I think it is virus free. Nothing appearing in any logs. I didn't check traffic.

About 50 PCs affected.

 

I attached a screenshot from Win8 when the problem is active. Average problem duration is 15-30 minutes.

 

antivirus.PNG
Ashish-Sharma's picture

hi,

You can disable the startup scan process that runs when you start up your computer.

How to disable/enable Startup and Quick Scans within the Symantec Endpoint Protection Manager

 

Article:TECH103044 | Created: 2007-01-06 | Updated: 2007-01-08 | Article URL http://www.symantec.com/docs/TECH103044

 

Thanks In Advance

Ashish Sharma

 

 

Dmitriy.Reznikov's picture

Hi,

 

Thank you for fast reply,

It was disabled earlier and it is disabled now.

 

Dima

Chetan Savade's picture

Hi,

Thank you for posting in Symantec community.

When the PC's disk queue is reaching 5-10 and it starts to work very slowly, examine the Windows System and Application Event Logs for that period.

You mentioned 'After Antivirus deletion everything starts to work good', where do you see that?

Windows' User Environment log (C:\WINDOWS\Debug\UserMode\userenv.log) is an excellent source of information about slow boot-ups, group policy application and profile loading.

"Where enabling Userenv logging is necessary to see exactly what is happening with group policy and profile loading.... One thing to remember is that if the logging is not enabled then do not try and interpret the log since very minimal logging is enabled by default!" (http://www.ditii.com/2008/11/12/how-to-read-a-userenv-log-in-vista-or-windows-server-2008-part-1/ )

Debug info for non-Vista: 221833 How to enable user environment debug logging in retail builds of Windows http://support.microsoft.com/kb/221833

Understanding How to Read a Userenv Log – Part 1 http://blogs.technet.com/askds/archive/2008/11/11/understanding-how-to-read-a-userenv-log-part-1.aspx
Understanding How to Read a Userenv Log – Part 2 http://blogs.technet.com/askds/archive/2008/11/11/understanding-how-to-read-a-userenv-log-part-2.aspx
Interpreting Userenv log files http://technet.microsoft.com/en-us/library/cc786775(WS.10).aspx

Chetan Savade
Sr.Technical Support Engineer, Endpoint Security
Enterprise Technical Support
CCNA | CCNP | MCSE | SCTS |

Don't forget to mark your thread as 'SOLVED' with the answer that best helps you.

Dmitriy.Reznikov's picture

Hi,

 

After deletion the disk queue immediately drops and everything starts to work well. Also we made a test during 1 week without Antivirus on several PCs and there was not a single case of such slowness.

 

Do you expect me to configure and check Userenv logging and post the results here?

 

Dima

Chetan Savade's picture

Yes, you can attach logs here.

First upgrade test machines to the latest version of SEP.

It's always recommended to have SEPM and SEP clients on the same version.

Chetan Savade
Sr.Technical Support Engineer, Endpoint Security
Enterprise Technical Support
CCNA | CCNP | MCSE | SCTS |


sandra.g's picture

You mentioned 'After Antivirus deletion everything starts to work good', where do you see that?

I think he means after he uninstalls SEP. (I'm sure he will correct me if I am wrong. :) )

sandra

Symantec, Senior Information Developer
Enterprise Security, Mobility, and Management - Endpoint Protection

Don't forget to mark your thread as 'solved' with the answer that best helps you!

hforman's picture

The 2015 version MAY have TEEFER (firewall) issues that slow performance way down.  I would suggest seeing if this issue is mostly with the 2015 clients and, if so, upgrade them to 12.1.RU3.  The other solution is to temporarily turn off the firewall.

Dmitriy.Reznikov's picture

Chetan,

The links you provided about Userenv logging are not for Windows 7. We have the problem on PCs with Windows 7. Please suggest what to do.

Dima

Dmitriy.Reznikov's picture

Also there is almost no network activity during this time. I attached screenshots from Resource Monitor.

overview.PNG disk.PNG cpu.PNG memory.PNG network.PNG
Chetan Savade's picture

Hello,

I do apologise for the late reply.

I would suggest to log a case with Support.

How to create a new case in MySupport

http://www.symantec.com/docs/TECH58873

Chetan Savade
Sr.Technical Support Engineer, Endpoint Security
Enterprise Technical Support
CCNA | CCNP | MCSE | SCTS |


hforman's picture

As I suggested earlier, please try turning off the Firewall on one or two machines.  Best is by ADD/REMOVE Programs and then click to "Change".  See if that makes a difference.  This only affects 12.1 RU2 MP1 though, if that is what you are using.

Dmitriy.Reznikov's picture

Hforman,

Do you mean SEP firewall or Windows firewall? If you mean SEP firewall, then the problem is reproduced without it.

Dima

hforman's picture

You should not be running both Firewalls.  I mean the SEP firewall, in this case.  Usually, SEP turns off Windows firewall.

 

I'm specifically referring to the TEEFER driver that SEP installs.  If you are not running the SEP firewall (i.e., not installed), then please accept my apologies.

BlackLab's picture

I am experiencing much the same issue in Windows Vista.  Product is SEP 11.0.5002.333

Every few hours, system operation slows to near full halt, hard drive light shows disk thrashing.  All internet activity is effectively halted, and any Adobe Flash applications crash.  The following two processes are showing active in Windows Task Manager:

LuComServer_3_3.EXE
LuCallbackProxy.exe

Killing these two processes restores full functionality.  Of course, then I get the "Tamper Alert" pop-up.

I have tried adjusting the LiveUpdate settings, to the VERY limited extent allowed by the SEP interface, to no avail.  Common sense would dictate that having SEP "phone home" every few hours and bringing machine productivity to a halt would be very poor design.  Optimal design should be able to detect active system use and delay the LiveUpdate processes to a time when the machine is idle.
BlackLab's picture

This nonsense is degrading my system performance to the point that I'm ready to uninstall and try McAfee.

 

Intel Core Duo T2450 2Ghz, 1GB RAM, Vista 32-bit

Chetan Savade's picture

Hi,

SEP RU5 was released in Sep 2009.

In your case I would suggest to install the latest version of SEP i.e. SEP 11 RU7 MP3.

SEP release details are available here: https://www-secure.symantec.com/connect/articles/what-are-symantec-endpoint-protection-sep-versions-released-officially

Hardware configuration is OK. However to check if the computer in question meets the system requirements for Symantec Endpoint Protection, download and run a pre-install check with Symantec Help (SymHelp).

Chetan Savade
Sr.Technical Support Engineer, Endpoint Security
Enterprise Technical Support
CCNA | CCNP | MCSE | SCTS |


BlackLab's picture

I tried an updated version on my XP desktop last fall; it corrupted the SEP install so badly I had to remove it and fall back to the previous version I was running.  I'm hesitant to mess up my working system as well, which is far more advanced.  Considering my workplace has yet to migrate from XP, hardware/software should not be an issue in that case.  Is there a list of software that conflicts with SEP?

I'm still concerned that a background process like SEP should be such a high-demand drag on system resources.

Chetan Savade's picture

Hi,

I don't have any list of software that conflicts with SEP.

I would suggest to contact Support to find out possible root cause for degrade in System performance.

Chetan Savade
Sr.Technical Support Engineer, Endpoint Security
Enterprise Technical Support
CCNA | CCNP | MCSE | SCTS |


BlackLab's picture

Besides the two Live Update Callback processes, the Sonar Component (COH32.exe) also seriously degrades performance.  It appears to activate every time a new web page is opened.  I've only had to kill these processes 30 times today in order to be able to use my system.  This should not be considered normal performance.  

Interl@ce's picture

Not trying to offend you here, but complaining about performance-issues on a mobile system with only 1GB of RAM is kind of redundant. We're having issues on quadcore workstations with 8GB+ of memory, so at least we know for sure it isn't a factor but with that extremely tight amount of memory you shouldn't be surprised if your system is performing subpar or swapping excessively; it's practically guaranteed.

BlackLab's picture

Sorry I don't have the resources to own a Cray supercomputer; I guess you're so much more important.  The heck with us users who don't run out to buy the latest gadgets.

If you bothered to read the whole thread, you'd see I'm not the only person afflicted by this performance issue.  I don't consider 1GB to be "extremely tight", not for the applications on my machine; it's quite sufficient, and the only thing causing memory issues or drive thrashing is the SEP subprocesses.  And having one process bring the entire machine to a complete standstill every couple of hours is just unacceptable.  No antivirus/firewall program should be causing more actual denial of service than an actual virus.

Chetan Savade's picture

Hi,

Make sure SONAR is configured correctly.

About SONAR

http://www.symantec.com/business/support/index?page=content&id=HOWTO55254

Managing SONAR

http://www.symantec.com/business/support/index?page=content&id=HOWTO55215

Adjusting SONAR settings on your client computers

http://www.symantec.com/docs/HOWTO55258 

You should also check download insight settings.

Customizing Download Insight settings

http://www.symantec.com/docs/HOWTO55253

Managing Download Insight detections

http://www.symantec.com/docs/HOWTO55252

 

Chetan Savade
Sr.Technical Support Engineer, Endpoint Security
Enterprise Technical Support
CCNA | CCNP | MCSE | SCTS |


Interl@ce's picture
We seem to be experiencing a similar problem since SEP 12 (still going on with 12.1.3) that's been annoying our fellow admins and users (~3500) for awhile now...
 
The System-process accumulates a massive amount of read I/O (anywhere from 10-100GB in a workday), about 80 percent of people affected aren't bothered by or notice it but those that do have systems that are almost completely bogged down and unresponsive when the activity kicks in. The slowdown mostly happens a few minutes after login and somewhere later on in the day, most likely after getting the latest definitions. An "SMC -Stop" immediately resolves the issue.

Like the topic starter, we upgraded from 11.x to 12, after which we started noticing more and more performance complaints. Already tried using CleanWipe to remove all traces of the upgraded client, and completely reinstalling the latest package from scratch. Also newly deployed systems exhibit these symptoms. Our SEPM-server is up to date. We mostly use Windows 7 x64 SP1 as our baseline OS with the 64-bit client, but can't say for sure if 32-bit XP systems are also affected since we're in the process of migrating those to 7.
 

It seems like a full scan is performed every time defs are updated, except that besides a single full scan once a month, there are no configured scheduled scans. Also no status window appears after enabling it and people that are having this issue experience it every single day so that just can't be it. We've tried disabling file cache and rescanning the cache to no avail. There is no significant CPU activity increase, but disk activity rises to 100%, which is sustained until it drops off suddenly.  Maybe it's an interaction problem with a different process or service but again, disabling SEP resolves it immediately.
 
With sysinternals process explorer as well as performance logging we haven't been able to identify the cause. Any help or advice would be greatly appreciated. We hope there are admins out there who dealt with the same issue in their organization and happened to come across the solution.
Chetan Savade's picture

Hi,

Can you disable the scan when new definitions arrive?

- Log in to SEPM.

- Go to Policies > Virus and Spyware Policy > Edit the Virus and Spyware Policy which is applied on the affected client machine.

- Go to Administrator-Defined Scans > Advanced Tab

- Uncheck the option for "Run Active scan when new definitions arrive"

- Go to Auto Protect > Click on the "Advanced Scanning and Monitoring" button.

- Select the option for "Scan when a file is modified".

- Click on OK to save the policy.

Make sure that the policy has been updated on the client and try one more time.

Refer to this thread: http://www.symantec.com/connect/forums/slow-application-performance

Other helpful articles:

Best practices to improve low performance. 

http://www.symantec.com/docs/HOWTO55872 

Adjusting scans to improve computer performance
 

 

Chetan Savade
Sr.Technical Support Engineer, Endpoint Security
Enterprise Technical Support
CCNA | CCNP | MCSE | SCTS |


evcass's picture

I have the same problem, running SEP 12.1.2100.2093 as an unmanaged client. I have an SSD and 8GB of RAM on my laptop and I would randomly notice sluggishness while working, only to see my SSD light practically solid. I look in Task Manager and see the System process being the culprit. I open Process Explorer and look at the properties of the System process to find that it is the SRTSP64.sys driver which is causing the issue for me.

Googling that driver indicated it was the Symantec AutoProtect feature. I turned that feature off today, but it basically says that now SEP is disabled because of three reasons:

1) File System Auto-Protect is disabled.

2) Download Insight is not functioning properly due to the File System AutoProtect status.

3) Proactive Threat Protection is not functioning correctly due to the File System AutoProtect status.

Has this been fixed in a later build?

hforman's picture

I would strongly suggest replacing RU2 with RU3.  See if that does anything for you.

Chetan Savade's picture

Hi,

I reviewed SEP 12.1 RU3 fix notes and I don't see any specific fix.

New fixes and features in Symantec Endpoint Protection 12.1.3

http://www.symantec.com/docs/TECH206828 

Do you see sluggishness during any specific time especially after new definitions arrival?

Have you checked event viewer logs during that period?

SEP 12.1.3001.165 is the latest SEP version.

Also check this article if it's related in your case.

Computer performance slow when right-clicking on packed file with unmanaged SEP client installed

http://www.symantec.com/docs/TECH92648 

Chetan Savade
Sr.Technical Support Engineer, Endpoint Security
Enterprise Technical Support
CCNA | CCNP | MCSE | SCTS |


evcass's picture

I installed RU3 and will monitor for a week. Previously it seemed as if I could cause the problem by toggling AutoProtect off and then back on but I can't duplicate that behavior at this time.

Article 92648 doesn't match my scenario and I didn't review the event logs at the prior times. I'll keep it in mind if I see it again.

Interl@ce's picture

Hi,

Please check my topic here;

http://www.symantec.com/connect/forums/sep-1213-extreme-read-io-activity-slows-clients-down

Same exact issue, definitely SEP-related. 2nd support case opened right now, as of yet we don't have a solution but there might be some useful information and advice there for you.

evcass's picture

The issue happened again with RU3, although I didn't catch it at the beginning to determine the length of the impact.

SRT-RU3.JPG

Interl@ce's picture

I'll bet it feels like a full scan is run right after definitions are updated; is there anything out of the ordinary when you check 'view logs' > 'client management' > 'view logs' button > 'system logs' ?

Have you tried the SymRmvScan-tool yet? If you open a case Support will send it right to you. It removes hidden scans as well as admin- and user-defined scans applicable to other user accounts on a system.

cus000's picture

Best bet is to open a Support case....

Well, I guess it can be quite lengthy at times as Support will try to check step by step (each issue could be due to a different root cause).

evcass's picture

I performed a manual LiveUpdate just now, and as soon as processing had completed the SRTSP64.sys driver within System started consuming ~20% of the CPU. On my particular system this lasted 2m12s before it went back to normal.

I didn't see anything unusual in the SEP system logs. I didn't try the SymRmvScan-tool because I loathe talking to Symantec support. Have I overlooked a setting in the client which controls whether the system performs a scan immediately after a signature update?

Or might this be a hidden scan? But you already tried the tool and it didn't resolve your scenario, correct? I guess I'll try to get the tool.

evcass's picture

I opened case 5132689 with support and they called me back within a few minutes. Long story short, there is a workaround for managed clients but not for unmanaged clients. These are the steps he told me to perform on SEPM for managed clients, although we have to go through change management process to deploy the changes in our environment and this wouldn't occur until at least next week.

For reference, at the time of this writing our SEPM version is 12.1.2100.2093, and my unmanaged client is version 12.1.3001.165.

1) Policies > Virus and Spyware Protection. Find a policy which is in use (Location Use count is non-zero). Double-click the policy. Windows Settings > Scheduled Scans > Administrator-Defined Scans > Advanced Tab > Startup and Triggered Scans. Disable the ‘Run an Active Scan when new definitions arrive’ option. Click OK.

2) Now switch from the Windows Settings > Scheduled Scans > Administrator-Defined Scans area to the Windows Settings > Advanced Options > Quarantine. Set Quarantine to ‘Do Nothing’. Click OK.

3) Repeat steps 1-2 for any additional policies which may be in use.

4) Click Clients, then pick a group > Policies > Location-independent Policies and Settings > Settings > Communications Settings > Download Randomization. Ensure that the ‘Enable Randomization’ is checked. Click OK. If the settings are grayed out, the settings are inherited from the parent container, keep going up the client tree until you find settings which aren't grayed out.

5) Repeat step 4 for any other groups where settings may be configured.

Although he provided me the link to download the SymRmvScan utility, and I did extract it, he advised it will have no effect on my concern.

hforman's picture

Something else to think about which may not be directly related to this case:  If you have your auto protect to scan on file access (or even on modification in some cases), you may want to check for processes that run in the background that "touch" a large number of files.  I remember one called DAGENT that did this.  If a program other than Symantec scans all of your files, it could cause auto protect to have to scan the file as well.  I also think about a file that is being moved or copied from one drive to another causing auto protect to read the file when it is being read as well as scanning on the other drive when it is being written out.  Fortunately, we don't have a lot of that here but it is something to look at in task manager.  That is, another process accessing a lot of files.

Interl@ce's picture

I actually thought about this since we also use SCCM for software and hardware inventory and deployment. There are regular inventory scans that go through the disks but the SEP-related IO overload always starts exactly when new definitions are received. 

hotema's picture

I did all the steps from evcass except #2 and still have similar problems to other users.  I completed #2 right now and will see if it alleviates our situation.

For #4, I also switched my clients to pull mode, and made the heartbeat interval higher, to 1 hour; the randomization window is at 4 hours now.  (My clients are in a virtual environment.)  Advice greatly appreciated.  Thanks!

hotema's picture

This is just the steps I did to recreate the problem.  This was just after the SEPM acquired the newest definitions and the client did not pull it yet.  The screenshots are basically the same.  It just shows how long the time passed with the disk being highly utilized.  thanks

Attachment: syamntecdiskusage.doc (2.06 MB)

dhruwal's picture

I have the latest 12 RU4 (12.1.4013.4013) and I still have this problem.

It's the same issue with srtsp64.sys under the System process (PID 4) reading an endless number of files from all the drives, making the disk usage 100% for almost 15 to 20 minutes till it itself decides to stop.

Just today I noticed that when the disks are at 100%, if I disable Symantec, things get better.

Any help would be appreciated.

It's Windows 8.1 64 Bit.

YaroslavM's picture

I had a similar problem, but with Windows XP.

Did you try to disable "Rescan cache when new definitions load"?

 

  1. Open the Symantec Endpoint Protection Manager (SEPM) console
  2. Click on the Policies tab on the far left side
  3. Select  Virus and Spyware Protection Policy under the Policies column
  4. Select the policy in question under the  Virus and Spyware Protection Policies window. If you have not created a new policy, select the existing policy.
  5. In the middle column under Tasks, select Edit the Policy
  6. A new window will open.
  7. From the new window, there will be a menu on the left side, select Auto-Protect
  8. From the Auto-Protect window on the right side select the Advanced tab
  9. Click on the File Cache button
  10. Unselect "Rescan cache when new definitions load"
  11. Click OK

http://www.symantec.com/business/support/index?pag...

 

hotema's picture

Hi dhruwal, is this a virtual environment?  If it is, the solution for me was not to have all clients get the latest definitions all at the same time.  That would slow down the shared SAN greatly.

dhruwal's picture

Hello, No, this is a standalone desktop, and unmanaged client.

My solution has been working perfectly for the past few days. Whenever this happens, I simply have to disable Endpoint Protection, and within seconds everything is normal, and then I enable it back on. This way works 100% for me till some fix comes out for why it scans in this manner, making drives 100% busy and the computer unusable.

Interlace84's picture

Have you upgraded to 12.1.4013 from a previous 12.1.3xxx client? If so I recommend obtaining the "CleanWipe" utility from Symantec tech support, use it to clean any client (and SEP policy) traces from your system, and reinstall the latest version.

KayEssEss's picture

Hello,

I am a "user" running an XP machine with SEP managed from our IT Department. I have been suffering from exactly the same problem for the last many, many months, and my problem is that I fail to convince our IT staff that this is really an issue for me. I don't have any proof that when the three hard disks in my machine start to overload, at least three times a day, I cannot do any of my work/job function. I use a lot of resource-hungry applications to process my data to perform my job. So far, nothing has worked for me. Please, somebody HELP me. I am really suffering a lot as this issue is taking hours of my productive time. I feel I will go crazy because they want me to adhere to deadlines and my machine is simply bogged down by this devilish application they call SEP. I cannot even uninstall this SEP. Even while I am writing these lines, my hard disks' "thrashing" is going on.

Thanks in advance. 

YaroslavM's picture

>>running an XP machine

Ask your IT department to switch off

Rescan cache when new definitions load

It is a known problem for Windows XP

Interlace84's picture

Other than messing around with a lot of different options (like we had to do), upgrading to SEP client version 12.1.4013.4013 will resolve this issue for you. I suggest you ask your IT staff for a client update, referencing this topic. Please let us know how this works out for you.

If your endpoint-client is the cause of the thrashing this will show itself in an abnormal amount of Read Bytes from the 'System'-process. When in task manager > Processes tab > View menu > 'Select Columns' > enable "IO Read Bytes" and "IO Write Bytes" and sort by Read Bytes. If, within a day, the System-process accumulates several GBs of reads, especially shortly after booting, you have your evidence.
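
An added example, not part of the post above or of any Symantec tooling: a PowerShell script that records the same evidence over time instead of reading it off Task Manager once. It samples the System process I/O rate and the disk queue length and writes a CSV; it assumes English performance-counter names, and the output file name and the queue threshold of 5 (taken from the queue lengths reported at the top of this thread) are illustrative defaults.

```powershell
# Added example, not from the thread. Samples the System process I/O rate and the
# disk queue length, and writes a CSV that can be attached to a support case.
# Assumes English performance-counter names (they are localized on other builds).
param(
    [int]$IntervalSeconds   = 15,    # seconds between samples
    [int]$Samples           = 240,   # 240 x 15 s = one hour of data
    [double]$QueueThreshold = 5,     # the thread reports queue lengths of 5-10
    [string]$OutFile = (Join-Path $env:TEMP 'system-io-samples.csv')  # hypothetical name
)

$paths = @(
    '\Process(System)\IO Read Bytes/sec',
    '\Process(System)\IO Write Bytes/sec',
    '\PhysicalDisk(_Total)\Current Disk Queue Length'
)

function Get-SampleValue($SampleSet, [string]$Suffix) {
    # Returned paths are lower-cased and prefixed with \\<computer>, so match on the tail.
    $hit = $SampleSet.CounterSamples |
        Where-Object { $_.Path -like "*$Suffix" } |
        Select-Object -First 1
    if ($hit) { return [double]$hit.CookedValue }
    return 0.0
}

$inv = [Globalization.CultureInfo]::InvariantCulture   # keep '.' as decimal separator in the CSV
Set-Content -Path $OutFile -Value 'Timestamp,SystemReadBytesPerSec,SystemWriteBytesPerSec,DiskQueueLength,Busy'

$totalRead = 0.0
$busyCount = 0
$peakQueue = 0.0
$count     = 0

Get-Counter -Counter $paths -SampleInterval $IntervalSeconds -MaxSamples $Samples |
    ForEach-Object {
        $read   = Get-SampleValue $_ '\io read bytes/sec'
        $write  = Get-SampleValue $_ '\io write bytes/sec'
        $queue  = Get-SampleValue $_ '\current disk queue length'
        $isBusy = $queue -ge $QueueThreshold

        # rate x interval approximates the bytes read since the previous sample
        $totalRead += $read * $IntervalSeconds
        if ($isBusy) { $busyCount++ }
        if ($queue -gt $peakQueue) { $peakQueue = $queue }
        $count++

        $line = [string]::Format($inv, '{0:s},{1:F0},{2:F0},{3:F1},{4}',
                                 $_.Timestamp, $read, $write, $queue, $isBusy)
        Add-Content -Path $OutFile -Value $line
    }

# Summary: how much the System process read, and how often the disk was saturated
$summary = New-Object PSObject -Property @{
    Samples            = $count
    ApproxSystemReadGB = [math]::Round($totalRead / 1GB, 2)
    BusySamples        = $busyCount
    PeakDiskQueue      = [math]::Round($peakQueue, 1)
    OutFile            = $OutFile
}
$summary | Format-List
```

Started shortly before a definitions update or at logon, the CSV shows whether the busy samples line up with the System process read rate, which is the correlation several posters describe.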

KayEssEss's picture

Thank you YaroslavM and Interlace84 for your valuable opinions and remarks. My SEP Client is 12.1.4013.4013. I just checked: ccSVCHst.exe has already accumulated 16.9GB.

Armed with this information, I feel much more confident to report this issue to our IT Department. Once again, my profound thanks. I will report the progress tomorrow.