SEP on heavily used Fileservers

Created: 10 Nov 2010 • Updated: 27 Sep 2011 | 6 comments
This issue has been solved. See solution.

Hi all,

We are currently switching all our antivirus software to SEP. Although we were told that it is possible to use SEP on fileservers with very high IO, it does not seem to be a good choice.

The SEP client's real-time scan engine seems to choke down the server's performance A LOT.

So the question is:

Is there a product better suited for this, or are there any settings I can switch to improve performance (disabling real-time scanning is no option ;-))?

If another product is recommended, will it be manageable via the Endpoint Protection Manager?

Thanks in advance for your answers.

Best regards

Stephan

_Brian's picture

We have SEP installed on all our fileservers, however, we only use the Antivirus component. No PTP or NTP and everything works fine. Keep in mind this is only scanning the C: drive, not the shares.

To do that, you can use the SAV for NAS product for your filers/cifs. It is a separate product and not manageable from SEPM.

Kurt G.'s picture

For example, the default setting for Auto-Protect is set to scan all files accessed or modified. By changing this to only scan files that have been modified you should be able to alleviate some of the performance issue since files on the server would only be scanned by Auto-Protect if there were changes made to the file.

You would also want to ensure that Auto-Protect is not configured to scan files when they are being backed up.

I've linked some documents below that should provide some assistance with configuration changes to assist with performance while still keeping Auto-Protect enabled.

http://www.symantec.com/business/support/index?pag...

http://www.symantec.com/business/support/index?pag...

Kurt G.
Symantec Technical Specialist: Endpoint Security Advanced Team

Symantec Corporation www.symantec.com

Symantec Enterprise Support: (800) 342 0652 

SOLUTION
Mithun Sanghavi's picture

Hello,

Believe me, Kurt is correct.

Let me get things right: you want to improve performance as well as keep the scan enabled...

We see that you are very much interested in having your scans be more performance-based and use as little CPU as possible.

Check these documents as below:

1) Enabling multithreaded scans

http://www.symantec.com/business/support/index?pag...

2) Symantec Endpoint Protection scan tuning options

http://www.symantec.com/business/support/index?pag...

Mithun Sanghavi
Senior Consultant
MIM | MCSA | MCTS | STS | SSE | SSE+ | ITIL v3

Don't forget to mark your thread as 'SOLVED' with the answer that best helped you.

zer0's picture

LOCK ALL SETTINGS!!!

Administrator defined scan

  • It is recommended that a monthly scan should be configured to occur in a maintenance window when the server is not under a heavy load
  • File type scanning can be limited to high risk extensions to increase scanning speed
  • Scan times should be randomized on virtual machines to avoid resource usage issues
  • Turn off retry interval to ensure missed scans do not run during business hours
  • Set first action to Quarantine for all detection types
  • Set second action to Delete for all detection types
  • Enable – Terminate processes automatically
  • Enable – Stop services automatically

File System Auto-Protect

  • Scan only selected extensions
  • Determine file types by examining file contents (turn off for even better performance)
  • Do not scan when a file is backed up
  • Disable Network scanning of remote computers
  • Do not check for boot record viruses
  • Set first action to Quarantine for all detection types
  • Set second action to Delete for all detection types
  • Lock all override actions so that end users can’t modify
  • Enable – Terminate processes automatically
  • Enable – Stop services automatically
  • Disable notifications to end users
  • Load auto protect when SEP starts
  • Do not scan floppies on computer shutdown
  • Enable Risk Tracer (disable for more performance)

Disable and Lock Internet Email Auto-Protect
Disable and Lock Microsoft Outlook Email Auto-Protect
Disable and Lock Lotus Notes Auto-Protect
Disable TruScan Proactive Threat Scans

Quarantine

  • Do Nothing when new definitions arrive
  • Delete oldest files to limit folder size to 500MB for all files

StephanK's picture

Thank you all for your answers,

I will have a look at the documentation and keep your settings as a "baseline", zer0.

I'll come back to this, should I encounter more problems :-)

postechgeek's picture

This also may help:

Symantec Endpoint Protection Client configuration changes for performance optimization

http://www.symantec.com/business/support/index?pag...

From the list of bookmarks that I normally use.