Endpoint Protection

  • 1.  rtvscand

    Posted Jul 10, 2012 10:31 AM

    We recently installed the 12.1 version of SAV for Linux on 3 machines, now on 1 machine it works superbly

    but on the other rtvscand consumes like 95% of the cpu and starts to slow the server down for any http requests (apache is installed on it)

    Anyone got an idea how to solve this problem?



  • 2.  RE: rtvscand

    Posted Jul 22, 2012 04:17 PM

     

     
    RTVscan is taking up 50% - 99% of the CPU time when scanning.
     
    http://www.symantec.com/business/support/index?page=content&id=TECH97017&locale=en_US


  • 3.  RE: rtvscand

    Posted Jul 23, 2012 12:41 AM
    Exclude the mapped network drives from scheduled scans on SEP clients. Instead, perform scheduled scans on these drives from the server to which they are attached.


  • 4.  RE: rtvscand

    Posted Jul 31, 2012 05:58 AM

    There are no network drives mapped on our server, so the problem must be something else ... we even tried to install a newer version without success



  • 5.  RE: rtvscand

    Posted Aug 01, 2012 02:39 AM

    I have a feeling it struggles on our mysql server (which is ofc accessed by other servers)



  • 6.  RE: rtvscand

    Posted Aug 20, 2012 06:23 AM

    Hi Tim,

    That might be the case. Have you tried creating exclusions for SAVFL so that its scanning processes do not interact at all with those mysql files?

    Here is an article with more information....

    SAV for Linux Scanning Best Practices: A (Somewhat) Illustrated Guide

    https://www-secure.symantec.com/connect/articles/sav-linux-scanning-best-practices-somewhat-illustrated-guide

    Hope this helps - please do update this thread with your progress when time allows.

     



  • 7.  RE: rtvscand

    Posted Aug 22, 2012 09:57 AM

    Hi Mick,

    Thanks for the advice, setting the exclusions with

    symcfg add -k '\Symantec Endpoint Protection\AV\Storages\FileSystem\RealTimeScan' -v HaveExceptionDirs -d 1 -t REG_DWORD

    symcfg add -k '\Symantec Endpoint Protection\AV\Storages\FileSystem\RealTimeScan\NoScanDir' -v /path/to/mysql -d 1 -t REG_DWORD

     

    did the trick!
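
An added example, not part of the original post and not Symantec's own tooling: a dry-run helper that vets candidate directories before printing the two symcfg commands quoted above. The function names and the vetting policy (absolute, not a symlink, not a top-level tree, not world-writable) are assumptions; the key, value names and flags are copied from the post.

```shell
#!/bin/sh
# Added example (not from the thread): dry run only, symcfg is never executed.
# Key and value names are copied from the post; the vetting policy is an assumption.
RTS_KEY='\Symantec Endpoint Protection\AV\Storages\FileSystem\RealTimeScan'
RTS_NOSCAN="$RTS_KEY"'\NoScanDir'

# vet_exclusion DIR: print the resolved path if DIR is acceptable to exclude,
# otherwise print a reason on stderr and return 1.
vet_exclusion() {
    case "$1" in
        /*) ;;
        *) echo "reject $1: not an absolute path" >&2; return 1 ;;
    esac
    if [ -L "$1" ] || [ ! -d "$1" ]; then
        echo "reject $1: not a real directory" >&2; return 1
    fi
    vet_real=$(cd "$1" && pwd -P) || return 1
    # Refuse / and top-level trees such as /var: too much would go unscanned.
    case "${vet_real#/}" in
        */*) ;;
        *) echo "reject $1: too broad" >&2; return 1 ;;
    esac
    case "$vet_real" in
        *"'"*) echo "reject $1: quote character in path" >&2; return 1 ;;
    esac
    # A world-writable directory exempt from scanning is an unscanned drop point.
    if [ -n "$(find "$vet_real" -prune -perm -0002)" ]; then
        echo "reject $1: world-writable" >&2; return 1
    fi
    printf '%s\n' "$vet_real"
}

# print_exclusion_cmds DIR...: print commands for accepted directories only;
# returns 1 if any directory was rejected.
print_exclusion_cmds() {
    pec_rc=0; pec_header=0
    for pec_dir in "$@"; do
        if pec_ok=$(vet_exclusion "$pec_dir"); then
            if [ "$pec_header" -eq 0 ]; then
                printf "symcfg add -k '%s' -v HaveExceptionDirs -d 1 -t REG_DWORD\n" "$RTS_KEY"
                pec_header=1
            fi
            printf "symcfg add -k '%s' -v '%s' -d 1 -t REG_DWORD\n" "$RTS_NOSCAN" "$pec_ok"
        else
            pec_rc=1
        fi
    done
    return "$pec_rc"
}
```

Source the file and call `print_exclusion_cmds /path/to/mysql`; review the printed commands and any rejection reasons on stderr before running them.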

     

     

     

     



  • 8.  RE: rtvscand

    Posted Aug 22, 2012 10:08 AM

    Excellent!  Glad to help, Tim!  &: )

    Definitely do make sure that all Linux (and Mac) machines are well defended- there have been a number of threats discovered recently which can exploit vulnerabilities on multiple OS's.

    https://www-secure.symantec.com/connect/blogs/exploitation-java-vulnerabilities

    https://www-secure.symantec.com/connect/blogs/cve-2012-1535-adobe-flash-player-vulnerability-exploited-multiple-emails

    https://www-secure.symantec.com/connect/blogs/cyber-secret-agents-sale