Hi there,

I'm having a problem on two WinXP Clients (32bit, SP3).

The problem is that everytime when new definitiona arrive the clients are nearly unusable because of a very high hdd activity. It takes abot 30 minutes!

In SEPM the option "scan at new definitions" is inactive.

I found out that the SYSTEM process causes the activities. In Properties of the process i can see that SRTSP.SYS causes the activities.

Can anybody help me to stop this hdd activities?!

Thanks

LeChuck

hi,

Can you clear you question in english ?

I changed it to english.

hi,

hope this artical will help you.

How to turn off Active Scan when new definitions arrive

is the policy been applied on client?

have you set any location settings?

Which SEP Version?

Hi,

Active Scan when new defs arrive is inactive- as i wrote.

No, there should be no local settings. They are all blocked.

The Version is 12.1.3

Do you see any files in quarantine? if yes then delete those

How to manually delete the files located in the quarantine folder of an unmanaged Endpoint Protection client

http://www.symantec.com/business/support/index?page=content&id=TECH106046

No, there are no file in quarantine. The clients are managed by SEPM.

Do  you have any other Symantec product installed. Say backup exec?

Have you tried disabling real time scan ( Autoprotect) just to narrow down the issue?

Do you mean Symantec products on the Clients?! No- no other installed.

On an other Server is BackupExec installed but it's a sererate one.

I havn't tried to disable real time yet. I could try it. But is it recommended??

Not recommended but just want to narrow down the issue. Diable it for few mintues and check the performance.

OK. I'll try it.

But just for understanding. It is not a permanent performance problem. I think it's only after new definitions arrive?!?

At the moment there is no unusual activity on this hdd.

New definitions will arrive tomorrow morning I think. Then we'll see what happens with disabled autoprotect.

Ok fine ,

We may not need to wait till tomorrow..you can clear out the defs are per this document

http://www.symantec.com/business/support/index?page=content&id=TECH103176

Enable this as well.

How to log all files and directories scanned during On-Demand / Scheduled Scan with Symantec Endpoint Protection 11.0

http://www.symantec.com/business/support/index?page=content&id=TECH103126

update the policy. that should force the client to get the definition from SEPM. 

Lets see if we have any sort of scan running at that particular time. Might be trying to access a shared drive.

http://www.symantec.com/business/support/index?page=content&id=TECH103176

this doesn't work for me. I have SEP 12.1.3.  The folder descriped under 4) doesn't exist on my PC...

My bad :) 12.1 is here

http://www.symantec.com/business/support/index?page=content&id=HOWTO59193

HI

Symantec Endpoint Protection runs an active scan every day at 12:30 P.M. Symantec Endpoint Protection also runs an active scan when new definitions arrive on the client computer. On unmanaged computers, Symantec Endpoint Protection also includes a default startup scan that is disabled.

Regards

Ajin

I cleaned all the definitions as in the article descriped. Now all the new definitions are back on the Client and until now (10 minutes ago) there is no unusual activity on the hdd.

The daily scan is deactivated. But I suggest it is a scan which runs at startup.

In ProcessExplorer I saw that the process SYSTEM had a Disk read activitiy of about 7GB of files!

Little bit of progress so far :) seems like clearing the definitions fixed the issue.

Monitor it for a day and please share us the results.

Here we go again. The next morning has come and the HDD was very active :-(

So it seems that the problem isn't solved.

While the activity I disabled autoprotect and the activity stoped! So it seems that the autoprotect is causing the trouble. So what to do? I can't disable it all the time.

Is it the disabled daily scan which is perhaps not really diabled?!? Or the Active scan when new defs arrive?

how did you upgrade the clients? is it fresh 12.1.3? or did you migrate?

call support and get this tool and run it on the affected clients.

http://www.symantec.com/business/support/index?page=content&id=TECH105319

or uninstall SEP completely from system, remove all Symantec registry keys HKLM/Software/symantec

install a fresh version of SEP 12.1.3

if this doesn't help then opening a ticket with support will help to solve the problem.

I migrated.

Now I made a complete uninstall and a fresh reinstall. I'll take a look what happens. I think tomorrow morning I know what happens...

Hi guys. I want to give you a short feedback about my problem.

I think the fresh reinstall solved the problem. Now two days has gone and I noticed no unusually activity.

Thanks for your help!

Best regards

LeChuck