Endpoint Protection

Hi,

I have one of my user who is complaining because his hard disk reaches 100 % of activity during 5 minutes every hour.

The processor is not impacted.

We deteced that SEP is the source of the problem. When we use cleanwipe in order to uninstall SEP the problem disapears. When we decide to re-install SEP the problem comes back.

SEP version is : 11.0.7000.975

System : W7 Enterprise

Debug mode shows nothing unnatural.   

No problem for others computers (which use the same version of Windows and SEP).

What can I do?

What process is taking up the High utilization ?

It's managed sep client or Unmanged client ?

Hello,

Please install latest version of sep, which is 12.1.3. and check

Install version 12.1.3 and check the utilization.  

if you have any files in quarantine please delete those and check the utilization

Hi,

Thank you for posting in Symantec community.

Do you see any error in the eventviewer during those 5 minutes?

Take the help of Process Monitor tool:

http://technet.microsoft.com/en-us/sysinternals/bb896645.aspx

Run the Symantec Help (SymHelp), this tool may give important info.

http://www.symantec.com/docs/TECH170752

Meanwhile run SymDeltmps utility and check the peroformance.

The "SymDelTmps" utility is only for removing temporary files, and "zero byte.dax" files. It also zips any ".err" files found and deletes the original ".err" files related to supported Symantec Antivirus and Symantec Endpoint Protection products. To obtain "SymDelTmps.exe", contact Symantec Technical support at:
http://www.symantec.com/business/support/index.jsp

Reference: http://www.symantec.com/docs/TECH105050

James007 My problem impacting the hard disk, not the processor. It's a managed client. 

Ambesh_444 - Rafeeq I'm waiting the authorization to install the lastest version of SEP. No file in quarantine.

Chetan Savade Nothing found in eventviewer. No problem found with SymHelp. For SymDeltmps, i'm waiting a response from my administrator to check if he has this tool or if i need to make the request.

I will let you know what's happen next.

My problem impacting the hard disk, not the processor. It's a managed client.

Yet, the disk usage is caused by a process... or not?

Has this been resolved or do you need further assitance?

Sorry for the late, my problem is not solved.

I will test to uninstall DLO, maybe it is in conflict with SEP but i'm not convinced because the problem appeared overnight.

I will post a capture from the Process Monitor when the problem appears.  

Sounds good. keep us posted.

Hello,

it might be interesting to know which process is highly using the disk, did you find it?

Please, see attached captures. (it's impossible to run snippingtool.exe during the problem so I toke them with my iPhone)

I noticed COH64.EXE (that you can see on the photo number 4) has been automatically started just before the high activity and was closed just after.

Thanks,

COH64.exe is part of the Proactive Threat Protection (PTP) component.

Do you have it configured to scan new processes?

Scan new processes is not activated

I killed remotely COH64.EXE (during the high activity) and the problem disappeared in the minute.

I decided to rename COH64.EXE, one hour later (the moment supposed of the high activity) the end point protection icon turned in red, I clicked on it and the soft asked me to finalize the installation... In fact he has created the COH64.EXE 

What can I do?

This is TruScan (Proactive Threat Protection). If you're having this much trouble I would suggest disabling for the time being. Don't try to change the name as you will just cause corruption of the client.

Also, make sure you're on the latest version, 11 RU7 MP3. You're on an old version.