
SEP 100% disk activity

Created: 30 Sep 2013 • Updated: 30 Sep 2013 | 15 comments

Hi,

One of my users is complaining because his hard disk reaches 100% activity for 5 minutes every hour.

The processor is not impacted.

We detected that SEP is the source of the problem. When we use CleanWipe to uninstall SEP, the problem disappears. When we re-install SEP, the problem comes back.

SEP version is : 11.0.7000.975

System : W7 Enterprise

Debug mode shows nothing unnatural.   

No problem for other computers (which use the same version of Windows and SEP).

What can I do?


James007

What process is taking up the high utilization?

Is it a managed SEP client or an unmanaged client?

Ambesh_444

Hello,

Please install the latest version of SEP, which is 12.1.3, and check.

Thanks & Regards,

Ambesh

"Your satisfaction is very important to us. If you find the above information helpful or it has resolved your issue, please don't forget to mark the thread as solved."

Rafeeq

Install version 12.1.3 and check the utilization.

If you have any files in quarantine, please delete those and check the utilization.

Chetan Savade

Hi,

Thank you for posting in Symantec community.

Do you see any error in the Event Viewer during those 5 minutes?

Use the Process Monitor tool:

http://technet.microsoft.com/en-us/sysinternals/bb896645.aspx

Run Symantec Help (SymHelp); this tool may give important info.

http://www.symantec.com/docs/TECH170752

Meanwhile, run the SymDelTmps utility and check the performance.

The "SymDelTmps" utility is only for removing temporary files, and "zero byte.dax" files. It also zips any ".err" files found and deletes the original ".err" files related to supported Symantec Antivirus and Symantec Endpoint Protection products. To obtain "SymDelTmps.exe", contact Symantec Technical support at:
http://www.symantec.com/business/support/index.jsp

Reference: http://www.symantec.com/docs/TECH105050

Chetan Savade
Sr.Technical Support Engineer, Endpoint Security
Enterprise Technical Support
CCNA | CCNP | MCSE | SCTS |

Don't forget to mark your thread as 'SOLVED' with the answer that best helps you.
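Added example, not part of the thread or of any poster's reply: once Process Monitor has captured one of the 5-minute bursts and the trace has been saved as CSV, the sketch below totals file read/write bytes per process per minute so the heaviest process stands out. It assumes the default export columns (`Time of Day`, `Process Name`, `Operation`, `Result`, `Detail`) and a `Length:` field in `Detail`; the sample rows, PIDs and paths are constructed.

```python
import csv
import io
import re
from collections import defaultdict

# Constructed sample in the layout of a Process Monitor CSV export with the
# default columns; PIDs, paths and sizes are made up for illustration.
SAMPLE = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:00:01.1000000 AM","COH64.EXE","4120","ReadFile","C:\Sample\a.bin","SUCCESS","Offset: 0, Length: 1,048,576, Priority: Normal"
"10:00:02.2000000 AM","COH64.EXE","4120","ReadFile","C:\Sample\b.bin","SUCCESS","Offset: 0, Length: 1,048,576, Priority: Normal"
"10:00:02.3000000 AM","svchost.exe","900","WriteFile","C:\Sample\c.log","SUCCESS","Offset: 128, Length: 4,096"
"10:00:03.0000000 AM","COH64.EXE","4120","RegOpenKey","HKLM\Software\Sample","SUCCESS","Desired Access: Read"
"10:00:04.0000000 AM","explorer.exe","2200","ReadFile","C:\Sample\d.txt","END OF FILE","Offset: 512, Length: 512"
"10:01:10.0000000 AM","COH64.EXE","4120","WriteFile","C:\Sample\e.tmp","SUCCESS","Offset: 0, Length: 65,536"
'''

LENGTH_RE = re.compile(r"Length: ([\d,]+)")

def minute_bucket(time_of_day):
    """'10:00:01.1000000 AM' -> '10:00 AM' (also works without AM/PM)."""
    clock, _, suffix = time_of_day.partition(" ")
    hh, mm = clock.split(":")[:2]
    return f"{hh}:{mm} {suffix}".strip()

def io_by_process_minute(csv_file):
    """Sum bytes of successful ReadFile/WriteFile events per (minute, process)."""
    totals = defaultdict(int)
    for row in csv.DictReader(csv_file):
        if row["Operation"] not in ("ReadFile", "WriteFile"):
            continue  # registry and other events carry no file I/O size
        if row["Result"] != "SUCCESS":
            continue  # e.g. END OF FILE: not counted as transferred data
        match = LENGTH_RE.search(row["Detail"])
        if match:
            key = (minute_bucket(row["Time of Day"]), row["Process Name"])
            totals[key] += int(match.group(1).replace(",", ""))
    return dict(totals)

def busiest(csv_file, top=3):
    """Return the `top` (minute, process) buckets with the most bytes moved."""
    totals = io_by_process_minute(csv_file)
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)[:top]

def analyze_sample():
    return busiest(io.StringIO(SAMPLE))

if __name__ == "__main__":
    # For a real export: open(path, newline="", encoding="utf-8-sig"),
    # which also tolerates a leading byte-order mark.
    for (minute, process), size in analyze_sample():
        print(f"{minute}  {process:<12} {size / 2**20:8.2f} MiB")
```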

Richou

James007: My problem is impacting the hard disk, not the processor. It's a managed client.

Ambesh_444, Rafeeq: I'm waiting for authorization to install the latest version of SEP. No files in quarantine.

Chetan Savade: Nothing found in Event Viewer. No problem found with SymHelp. For SymDelTmps, I'm waiting for a response from my administrator to check whether he has this tool or whether I need to make the request.

I will let you know what happens next.

Beppe

"My problem is impacting the hard disk, not the processor. It's a managed client."

Yet, the disk usage is caused by a process... or not?

Regards,

Giuseppe

.Brian

Has this been resolved or do you need further assistance?

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

Richou

Sorry for the late reply; my problem is not solved.

I will try uninstalling DLO; maybe it conflicts with SEP, but I'm not convinced because the problem appeared overnight.

I will post a capture from the Process Monitor when the problem appears.  

.Brian

Sounds good. Keep us posted.


Beppe

Hello,

It might be interesting to know which process is highly using the disk. Did you find it?

Regards,

Giuseppe

Richou

Please see the attached captures. (It's impossible to run snippingtool.exe during the problem, so I took them with my iPhone.)

I noticed that COH64.EXE (which you can see in photo number 4) was started automatically just before the high activity and was closed just after.

Thanks,

Attachments: photo 1.JPG, photo 2.JPG, photo 3.JPG, photo 4.JPG, photo 5.JPG

.Brian

COH64.exe is part of the Proactive Threat Protection (PTP) component.

Do you have it configured to scan new processes?


Richou

Scan new processes is not activated.

Attachment: Capture.PNG

Richou

I remotely killed COH64.EXE (during the high activity) and the problem disappeared within the minute.

I decided to rename COH64.EXE. One hour later (the moment the high activity was expected) the Endpoint Protection icon turned red. I clicked on it and the software asked me to finalize the installation... In fact, it has created COH64.EXE.

What can I do?

.Brian

This is TruScan (Proactive Threat Protection). If you're having this much trouble, I would suggest disabling it for the time being. Don't try to change the name as you will just cause corruption of the client.

Also, make sure you're on the latest version, 11 RU7 MP3. You're on an old version.
