Endpoint Protection Small Business Edition

Hi,

I'm running a Dell PowerEdge server as a terminal services server. The server is dual core 2.8Ghz with 3Gb RAM, running Windows 2003 SBS server. We use this for just 10 users (temps) to login to. Until this morning the server was running fine, with only 1.5Gb ram utilized, and an average CPU utilization of 41% (according to perfmon).

However, for some reason after luchtime today the CPU utilization jumped from 41% to 100%, which means every grinds to a halt for the users logged in. When looking in task manager the RTVScan.exe process is running between 60% - 80%. I've tried rebooting the server, but even after rebooting before any other users have logged in, just the administrator logged in to the main console, the CPU is 100% and RTVScan is 60%. To allow users to work, I've had to disable the Symantec Endpoint services, the moment I did this CPU utilization dropped back down to around 40% - I was going to totally uninstall but decided disabling the service would making it easier/quick to impliment a fix without having to reinstall! The Symantec GUI doesn't show that there are any scans running, and there aren't any scheduled, and I've looked through the registry, and couldn't see any administrator defined scans (I seem to remember scan settings being stored in the registry some where).

Can anyone suggest a reason why RTVScan.exe would suddenly jump to such a high CPU utilization?

SEP is v12.0.1001.95, server is Small Business Server 2003 SP2

Is the Manager or Client software installed on this system? If a client, then what features are installed on this system?
Check to see if Windows updates were running at the time of the high CPU utilization?

Hi,

Thanks for the reply.

System just has the client installed running as an unmanaged client. The client has all the features, Antivirus, Proactive Threat Protection & Network Threat Protection.

The system is fully up to date with all Windows updates via our WSUS server.

Ben

Ben,

PTP is not compatible with any version of Windows Server operating system, nor with any 64-bit Windows operating system. Turn off PTP and see if the issue goes away.

http://service1.symantec.com/support/ent-security.nsf/854fa02b4f5013678825731a007d06af/df22fe58044db7d6ca257638004f64ee?OpenDocument

Here is a Best Practice Guide for running SEP on terminal servers. It is written for version SEP 11, but should apply for SEP 12 as well.

http://www.symantec.com/connect/sites/default/files/SEP%20on%20Terminal%20Servers.pdf

Best,
Thomas

Hi Thomas,

I've tried to remove the Proactive Threat Protection, via Add/Remove programs > modify installation, but when I click next to make the changes, the SEP install tells me it must have TruScan enabled if I want Antivirus & Spyware Protection.

How do I remove PTP, while leaving AV & NTP installed?

I just ran an unmanaged install on my 2003 server. The custom setup allowed me to uncheck the PTP without getting the feature selection error that you show.

Maybe try completely uninstalling then install the unmanaged client without PTP.

Hi,

I was finally able to uninstall SEP from the server, which was quite an effort! Initially it got in a state where it wasn't uninstalled but it wouldn't reinstall, just kept rolling back the actions at the end of each uninstall/reinstall! After using the Symantec cleanwipe utility & Windows Installer Cleanup Utility, then rebooting, I finally got it uninstalled. However it seemed to screw up TCP/IP, after the reboot the server had no IP address, not even 0.0.0.0 or APIPA, just blank, and it wouldn't pickup a DHCP address. I had to reset the TCP/IP stack using NETSH. It also left a load of changes in the registry which caused the 'Remote Access Connection Manager' and 'Remote Access Auto Connection Manager', I had to remove all the references to a rasman DLL etc.

After removing all of SEP, deleting left over program files, and registry entries, I rebooted again. I've tried running the SEP setup program again, and doing a custom installation, but it still says I have to have TruScan enable if I want Virus & Spyware Protection.

This is the latest setup downloaded from Fileconnect with our certificate serial number, Symantec Endpoint Protection Small Business Edition v12.0.1001.95.

I've uploaded a video showing the installation + error:

http://s155.photobucket.com/albums/s317/bjblackmore/?action=view&current=SymantecInstallError.flv

At this point it may be best to pull in the experts. I would open a case with Symantec Support ASAP.

https://mysupport.symantec.com/

http://www.symantec.com/business/support/contact_techsupp_static.jsp

Once support figures out the issue, please post your solution back here in the forums.

Thanks,
Thomas