Endpoint Protection


SEMP, Excessive winlogon I/o read bytes really HIGH ver 11.04202.75

Migration User, Sep 16, 2009 01:33 PM

  • 1.  SEMP, Excessive winlogon I/o read bytes really HIGH ver 11.04202.75

    Posted Sep 16, 2009 11:05 AM
    I've been noticing really high winlogon I/O read bytes in the multi-gigabyte range.  In troubleshooting a range of programs and services, the culprit is the "Proactive Threat Protection".  As a test I uninstalled Proactive Threat Protection and the I/O read bytes fell to the MB range. 

    What are my options?  Obviously my policy will just reinstall Proactive and I don't really want to turn it off. 

    This looks like a tuning question more than anything else. 


    We are set on the defaults of "scan frequency" (Symantec default).  I didn't set this up, so it looks like the rest of the settings are default also.

    The main symptom from my engineering users is that this high read I/O really slows down the workstation, creates constant hard drive activity and in general is making my engineering users' lives miserable.


  • 2.  RE: SEMP, Excessive winlogon I/o read bytes really HIGH ver 11.04202.75

    Posted Sep 16, 2009 11:14 AM
    Do you have the option to scan new processes when they start?  I would recommend testing with that setting disabled.


  • 3.  RE: SEMP, Excessive winlogon I/o read bytes really HIGH ver 11.04202.75

    Posted Sep 16, 2009 11:16 AM
    Is there a particular process that is taking up a lot of CPU?  Anything in the system or threat log for Proactive Threat Protection?

    sandra


  • 4.  RE: SEMP, Excessive winlogon I/o read bytes really HIGH ver 11.04202.75

    Posted Sep 16, 2009 11:17 AM
    Seems like PTP is scanning the files.

    Set "scan only when a file is modified" and check if that goes down:

    Policies - Antivirus and Antispyware - File System Auto-Protect -
    Advanced Scanning and Monitoring.
    Check "only when file is modified".



  • 5.  RE: SEMP, Excessive winlogon I/o read bytes really HIGH ver 11.04202.75

    Posted Sep 16, 2009 11:19 AM
    Go to Policies,
    TruScan Proactive Threat Scan.
    In the scanning frequency, put a time which would be similar to your weekly scan.
    First check if that goes down.



  • 6.  RE: SEMP, Excessive winlogon I/o read bytes really HIGH ver 11.04202.75

    Posted Sep 16, 2009 11:40 AM
    RTVSCAN consumes a high amount of CPU when it's scanning.  What executable runs PTP?




  • 7.  RE: SEMP, Excessive winlogon I/o read bytes really HIGH ver 11.04202.75

    Posted Sep 16, 2009 11:43 AM
    Part of the difficulty is I'm inheriting a corporate policy.  I've already written a memo to the Security person at our home office strongly suggesting I not inherit their settings so I can control this locally.

    We write a lot of software so files (unlike the average user) change very frequently. 


  • 8.  RE: SEMP, Excessive winlogon I/o read bytes really HIGH ver 11.04202.75

    Posted Sep 16, 2009 11:44 AM
    When I uninstalled PTP the problem went away, i.e., I'd say that's the culprit.


  • 9.  RE: SEMP, Excessive winlogon I/o read bytes really HIGH ver 11.04202.75

    Posted Sep 16, 2009 12:46 PM

    What I think might be happening is that PTP is interacting with something on the system that it is scanning repeatedly, which is (naturally) why uninstalling PTP stops the scanning from happening.  How many machines do you see affected by this?  Do you use a lot of custom (homegrown) applications?  I would suggest whitelisting these processes (via Centralized Exception - Add - TruScan Proactive Threat Scan Exceptions) and see if this issue goes away.

    COH32.exe is related to PTP.  You may see more than one of these processes running along with RTVSCAN.exe.

    sandra
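The thread's diagnosis rests on comparing per-process "I/O Read Bytes" with and without PTP. The following PowerShell script is an added example, not code from the thread or from Symantec: it snapshots the cumulative read counter of every process twice and reports the delta over the window, so the process actually generating sustained disk reads (winlogon, Rtvscan or COH32 in this thread) stands out without uninstalling anything. It uses only the `Win32_Process` class (`ReadTransferCount` is the same cumulative value Task Manager shows as "I/O Read Bytes"); the watch-list names and the 30-second interval are assumptions to adjust locally.

```powershell
# Added example (not from the thread): measure per-process read bytes over a window.
# Run in an elevated PowerShell session so all processes are visible.
param(
    [int]$IntervalSeconds = 30,                              # assumed sampling window
    [string[]]$Watch = @('winlogon', 'Rtvscan', 'COH32')      # names mentioned in the thread
)

function Get-ReadSnapshot {
    # Key by process id so a process restarted during the window is not paired
    # with the old instance's counter.
    $snap = @{}
    Get-CimInstance -ClassName Win32_Process | ForEach-Object {
        $snap[[uint32]$_.ProcessId] = [pscustomobject]@{
            Name  = $_.Name
            Bytes = [double]$_.ReadTransferCount   # cumulative bytes read since start
        }
    }
    return $snap
}

function Measure-ProcessReadDelta {
    param([int]$Seconds)
    $before = Get-ReadSnapshot
    Start-Sleep -Seconds $Seconds
    $after  = Get-ReadSnapshot

    foreach ($id in $after.Keys) {
        # No baseline for processes that started inside the window; skip them.
        if (-not $before.ContainsKey($id)) { continue }
        $delta = $after[$id].Bytes - $before[$id].Bytes
        if ($delta -lt 0) { continue }            # counter reset (pid reuse); ignore
        [pscustomobject]@{
            Name     = $after[$id].Name
            Id       = $id
            ReadMB   = [math]::Round($delta / 1MB, 1)
            ReadMBps = [math]::Round($delta / 1MB / $Seconds, 2)
        }
    }
}

$rows = Measure-ProcessReadDelta -Seconds $IntervalSeconds

"Top readers over the last $IntervalSeconds s:"
$rows | Sort-Object ReadMB -Descending | Select-Object -First 10 | Format-Table -AutoSize

"Processes from the watch list (any rank):"
$rows | Where-Object { $Watch -contains ($_.Name -replace '\.exe$', '') } |
    Sort-Object ReadMB -Descending | Format-Table -AutoSize
```

Run it once with PTP enabled and once with PTP disabled (or with the TruScan exception added) and compare the two tables; if the winlogon or Rtvscan delta collapses from gigabytes to megabytes in the second run, the exception is doing what post 9 predicts, and the per-second column gives you a number to put in the memo to the home-office policy owner.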



  • 10.  RE: SEMP, Excessive winlogon I/o read bytes really HIGH ver 11.04202.75

    Posted Sep 16, 2009 12:52 PM
    I don't believe that the File System Auto-Protect settings will affect the scanning frequency of PTP.  They are scanning different things.

    sandra


  • 11.  RE: SEMP, Excessive winlogon I/o read bytes really HIGH ver 11.04202.75

    Posted Sep 16, 2009 01:33 PM
    What is PTP scanning then? 


  • 12.  RE: SEMP, Excessive winlogon I/o read bytes really HIGH ver 11.04202.75

    Posted Sep 16, 2009 02:47 PM
    "AntiVirus and AntiSpyware scans rely mostly on signatures to detect known threats.  Proactive threat scans use heuristics to detect unknown threats.  The Heuristic process scan analyzes the behavior of an application or a process." 

    -- from Title: 'Symantec Endpoint Protection: About Proactive Threat Protection.'
    Document ID: 2007102515015148
    Web URL: http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2007102515015148

    Some additional comparisons:

    Title: 'Protections provided by Symantec Security Products'
    Document ID: 2008091810022648
    Web URL: http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2008091810022648

    sandra


  • 13.  RE: SEMP, Excessive winlogon I/o read bytes really HIGH ver 11.04202.75

    Posted Sep 30, 2009 09:43 PM
    How would you whitelist a specific process?  The procedure is less than clear.  We have a ton of homegrown files, so how could I get them excepted by PTP?  Oh, and I see all of our machines in our software group affected.  This is in many ways significantly slowing down their processes due to what appears to be PTP's incredibly aggressive nature.