Video Screencast Help
Symantec Appoints Michael A. Brown CEO. Learn more.

SEP 12.1.2 - PC's very slow after first logon in morning

Created: 04 Jul 2013 | 10 comments

Have SEP 12.1.2 installed in managed mode from a SEP 12.1.2 Management server installation.

 

Have upgraded from SEP 11.0.6 which was removed completely and replaced with SEP 12.1.2 from scratch.

 

All seems to be working well except for when the users first login in the mornings, every morning... :-(

 

After logging in their PC's hard drives access like crazy for about 15 minutes and their PC's are very slow and unresponsive.

 

Looking at resource montior is appears that it is Symantec products that seem to be causing this.

 

I don't have any scans configured to run at login, not that I am aware orcan find.

 

If I uninstall SEP 12.1.2 from any PC's and run them for a couple of days then they are fine, no problems at all.

 

If I install SEP 12.1.2 in standalone mode then they also seem to be fine.

 

It only appears to be an issue when they are installed in managed mode.

 

What can I look for ? or check out to see what is causing this issue ?

 

Users complain that their PC's are practically unusable for ten to fifteen minutes when they first logon in the morning.

 

This goes for my own laptop too, Windows 7 x64 with 8GB RAM

 

This is very unproductive and not helping my case for upgrading to SEP 12.1.2 at all.

 

I see that SEP 12.1.3 is now out, is it worth going to the trouble of upgrading to this ?

 

 

Operating Systems:

Comments 10 CommentsJump to latest comment

SMLatCST's picture

First thought is to check out your Virus and SPywrae protection policy under Administrator Defined Scans -> Advanced and make sure the Active scan on user login check box is disabled

#EDIT#

ooops, make that "Allow startup scans to run when users log on" checkbox, ensure this is disabled.  Same for the "Run an Active Scan when new definitions arrive" for that matter.  Either option could be the cause of slowdown when user machines switch on in the morning.

AjinBabu's picture

Hi, 

Which process are toking CPU / RAM on top? And do you have any start up scan configured?

Have you unplug from network and check?

Regards

Ajin

GeoGeo's picture

Could be auto protect by default this is set in Anitvirus & Antispyware policy to load at computer start which will then scan all files accessed on the local machine causing a slow down. You can set this in the policy to when Symantec Endpoint Protection Starts. This should give you some improvement as usually symantec is the last service to start letting the other services start first. You may get some performance gains from this.

Please review ideas and vote there could be something useful :)

https://www-secure.symantec.com/connect/security/ideas

 

Chetan Savade's picture

Hi,

Thank you for posting in Symantec community.

Examining the Windows System and Application Event Logs will also reveal much information about what is occuring during a boot. Are there any errors which consistently appear afterward? Perhaps about services or minifilters that are attempting to load, but fail? Is SEP dependent on those?  

Windows' User Environmnet log (C:\WINDOWS\Debug\UserMode\userenv.log) is an excellent source of information about slow boot-ups, group policy application and profile loading

Where enabling Userenv logging is necessary to see exactly what is happening with group policy and profile loading.... One thing to remember is that if the logging is not enabled then do not try and interpret the log since very minimal logging is enabled by default!" (http://www.ditii.com/2008/11/12/how-to-read-a-userenv-log-in-vista-or-windows-server-2008-part-1/ ) Debug info for non-Vista: 221833 How to enable user environment debug logging in retail builds of Windows http://support.microsoft.com/kb/221833

Understanding How to Read a Userenv Log – Part 1 http://blogs.technet.com/askds/archive/2008/11/11/understanding-how-to-read-a-userenv-log-part-1.aspx
Understanding How to Read a Userenv Log – Part 2 http://blogs.technet.com/askds/archive/2008/11/11/understanding-how-to-read-a-userenv-log-part-2.aspx
Interpreting Userenv log files http://technet.microsoft.com/en-us/library/cc786775(WS.10).aspx
 

Chetan Savade
Sr Technical Support Engineer, Endpoint Security
Enterprise Technical Support
CCNA | CCNP | MCSE | SCTS |

Don't forget to mark your thread as 'SOLVED' with the answer that best helps you.<

Stylax's picture

SMLatCST -

 

- I really thought you were onto something here as this sounds exactly as if what is going on.

So I checked this out..and sadly I have to report both 'Allow startup scan to run when users log on' and

'Run an active scan when new definitions arrive' are both unchecked, I remember unchecking the latter a week or so back to see if this made a difference.

 

I have however now selected 'Show scan progress' in the hope that this may show up something.

 

It defintely feels like some kind of scan going on.

 

And If I uninstall SEP 12.1.2 then the issues goes away, so definetely SEP issue, seems as if it is ignoring the setting for logon scan in the policy, unless there is a similar setting elsewhere ?

 

 

SMLatCST's picture

Yeah, those are the usual suspects.  Were these machines upgraded at all?  It possilbe there are legacy scans still in place?

http://www.symantec.com/docs/TECH171212

I know it's a bit of pain, but at least this might give you some indication.

Also, as a further option, you might want to try disabling the "Rescan cache when new definitions load" option under the Virus and Spyware Protection Policy -> Auto-Protect -> Advanced -> File Cache area.  This only usually  affects reeeeeaaally old machines and VMs, but it's worth a try.

Sachin Sawant's picture

please check scanning policy, active scan on user login check box is disabled or not.

SameerU's picture

Hi

1. Disable startup scan and active scan when new definitions arrive, go to



Virus and Spyware Protection policy-->Administrator-Defined

Scans-->Advanced.



2.Disable network files scan,go to Virus and Spyware Protection

policy-->Auto-Protect-->Scan details-->Network settings



3) Disable file cache or disable rescan cache when new definitions load,

go to Virus and Spyware Protection policy-->Auto-Protect-->Advanced-->file



cache



Please do let me know the status of the issue after updating the above

changes.

 

Regards

SameerU's picture

Hi

Can you please update on the solution provided

Regards

 

.Brian's picture

@Stylax,

Are you still experiencing this?

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.