Endpoint Protection

  • 1.  SEP11 RU5 - ~1000 Registry Reads/second, Outlook unable to access email, clients regularly unable to see domain controllers

    Posted Mar 05, 2010 01:37 PM
    hi,

    We currently have a situation where Symantec Endpoint Protection 11 RU 5 seems to be making our client computers unusable.

    Unfortunately, our SEP licences are bought through our Local Education Authority (we are a school) so we can’t talk to Symantec directly, and the people that deal with SEP problems at the LEA have been off ill for a week, so I was wondering if anyone has come across anything like the symptoms we are experiencing.

    I've spent several hours looking through the forums to see if there is anything related, but I’ve not found anything that looks like it's directly related to our symptoms; however, if I have missed it, I'm sorry.

    We are experiencing the following problems:
    1. Things started going wrong shortly after Christmas when our most important server started hanging (mouse would move but no keyboard shortcuts or clicks would do anything) exactly half an hour after an entry in the Event Log to say that LiveUpdate had finished running. The server was running Windows Server 2003 Standard Edition.
    2. We have seen for several weeks that it can take up to 1 hour to login and about 40 minutes to open Microsoft Word. This has been continuous on all our clients, regardless of the specification of the client. Looking in process monitor from Sysinternals we are seeing the SEP processes reading several registry keys at 1000 times per second! (yes 1 thousand times per second). If we disable SEP on the clients the computers speed up immensely.
      The clients are running Microsoft Windows XP Professional Service Pack 3 and Office 2007.
      We are also seeing problems on our test computers with Windows 7 + Office 2007 and Windows 7 + Office 2010 Beta. (both 32 and 64bit installs for Windows 7).
    3. Outlook is unable to download emails from our exchange server most of the time, disabling SEP allows our emails to download to the client.
    4. Large numbers of our clients are unable to login after they start up as they are unable to see our domain controllers. Rebooting fixes this sometimes.
    Removing SEP from the computers causes all of these problems to go away.

    Settings in the SEPM are either at the default or less frequent and we have locked all options for our users.

    Also, we have two campuses and use multiple Symantec products. So we have two SEPM servers and additionally we have two LiveUpdate Administrator servers. Only one of the LUA servers talks to the internet; the rest download from our internal servers.


    Many thanks in advance.


  • 2.  RE: SEP11 RU5 - ~1000 Registry Reads/second, Outlook unable to access email, clients regularly unable to see domain controllers
    Best Answer

    Posted Mar 05, 2010 01:42 PM
     Some of these issues look to be pre-MR5 issues. Make sure all SEP clients are at 11.0.5.

    You can check this doc:

    Symantec Endpoint Protection Client configuration changes for performance optimization

    http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2007102311173048


  • 3.  RE: SEP11 RU5 - ~1000 Registry Reads/second, Outlook unable to access email, clients regularly unable to see domain controllers

    Posted Mar 05, 2010 02:07 PM
    I can confirm that all clients are at 11.0.5 as we reinstalled all SEP clients over Christmas.

    I've set the heartbeat to every 10 minutes.
    I believe network drive scanning is off; however, I will need to double check that.
    The clients are set to only scan once a month.

    I'm not seeing anything in the event log regarding tamper protection, I can try turning this off on a few computers on Monday.
    E-mail antivirus scanning is on, again I can try this on Monday.


  • 4.  RE: SEP11 RU5 - ~1000 Registry Reads/second, Outlook unable to access email, clients regularly unable to see domain controllers

    Posted Mar 06, 2010 09:06 AM
    Do you have any other applications running heavy scanning at boot? Like an inventory application?

    Try disabling "run active scan when new definitions arrive"

    When the machine boots, SEP gets new definitions and starts an active scan. If you at the same time have another application running, for example an inventory scan, they will fight for I/O resources and the machine will become useless.


    RTB


  • 5.  RE: SEP11 RU5 - ~1000 Registry Reads/second, Outlook unable to access email, clients regularly unable to see domain controllers

    Posted Mar 08, 2010 03:51 AM

    Turning off tamper protection seems to be the fix. (Sample size of computers checked: 1)

    Off topic - I've spotted coh64.exe attempting to create the following files:

    C:\Program Files (x86)\Common Files\Symantec Shared\COH\"C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\Smc.exe"
    C:\Program Files (x86)\Common Files\Symantec Shared\COH\"C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\SNAC64.EXE"
    C:\Program Files (x86)\Common Files\Symantec Shared\COH\"C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\Rtvscan.exe"

    which are, of course, invalid. Is this a known bug or is there something wrong in our system?

    thanks

    Peter
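The two Process Monitor observations in this thread (post 1: SEP processes reading registry keys at roughly 1000 times per second; post 5: coh64.exe trying to create files under a path with a second quoted absolute path glued onto it) can both be pulled out of a Procmon CSV export mechanically instead of by scrolling. The script below is an added example, not code from the thread or from Symantec; it assumes Procmon's default "Save as CSV" column layout (Time of Day, Process Name, PID, Operation, Path, Result, Detail) and runs against a constructed sample export, including a made-up registry value name that is not a real SEP key.

```python
"""Triage a Process Monitor CSV export for two symptoms reported in the thread:
  1. a process issuing registry operations at an abnormal rate (the ~1000/s symptom), and
  2. file operations whose target path is malformed, i.e. a quoted absolute path
     appended to a directory (the coh64.exe paths in post 5).
Added example; assumes Procmon's default CSV column layout. Sample data is constructed.
"""
import csv
import io
import re
from collections import Counter

HEADER = '"Time of Day","Process Name","PID","Operation","Path","Result","Detail"\n'

# Constructed rows: normal Outlook activity, one malformed coh64.exe path, one good one.
LITERAL_ROWS = [
    '"3:51:06.0100000 AM","OUTLOOK.EXE","2044","RegQueryValue","HKCU\\Software\\Microsoft\\Office\\12.0\\Outlook\\Options","SUCCESS","Type: REG_DWORD"',
    '"3:51:07.0200000 AM","OUTLOOK.EXE","2044","RegQueryValue","HKCU\\Software\\Microsoft\\Office\\12.0\\Outlook\\Options","SUCCESS","Type: REG_DWORD"',
    # Malformed: the COH directory followed by a quoted absolute path ("" is CSV quote escaping).
    '"3:51:08.3000000 AM","coh64.exe","1780","CreateFile","C:\\Program Files (x86)\\Common Files\\Symantec Shared\\COH\\""C:\\Program Files (x86)\\Symantec\\Symantec Endpoint Protection\\Smc.exe""","NAME INVALID","Desired Access: Read Attributes"',
    # Well-formed path from the same process; must not be flagged.
    '"3:51:08.4000000 AM","coh64.exe","1780","CreateFile","C:\\Program Files (x86)\\Common Files\\Symantec Shared\\COH\\coh.dat","SUCCESS","Desired Access: Generic Read"',
]


def build_sample_csv(burst: int = 1200) -> str:
    """Constructed export: the literal rows plus `burst` RegQueryValue calls from
    Rtvscan.exe that all fall inside the same wall-clock second."""
    burst_rows = [
        f'"3:51:07.{i:07d} AM","Rtvscan.exe","1204","RegQueryValue",'
        # Placeholder value name, not a real SEP registry key.
        '"HKLM\\SOFTWARE\\Symantec\\Sample\\ExampleValue","SUCCESS","Type: REG_DWORD"'
        for i in range(burst)
    ]
    return HEADER + "\n".join(LITERAL_ROWS + burst_rows) + "\n"


def load_rows(text: str) -> list:
    """Parse a Procmon CSV export into a list of dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))


def second_bucket(time_of_day: str) -> str:
    """'3:51:07.0200000 AM' -> '3:51:07 AM' (sub-second digits dropped)."""
    return re.sub(r"\.\d+", "", time_of_day)


def registry_ops_per_second(rows) -> Counter:
    """Count registry operations (RegQueryValue, RegOpenKey, ...) per (process, second)."""
    counts = Counter()
    for r in rows:
        if r["Operation"].startswith("Reg"):
            counts[(r["Process Name"], second_bucket(r["Time of Day"]))] += 1
    return counts


def registry_hogs(rows, threshold: int = 500):
    """(process, second, count) for every second in which a process met the threshold."""
    return sorted(
        (proc, sec, n)
        for (proc, sec), n in registry_ops_per_second(rows).items()
        if n >= threshold
    )


# A directory separator followed by a quoted drive-letter path: ...\COH\"C:\...
MALFORMED_PATH = re.compile(r'\\"[A-Za-z]:\\')


def malformed_file_paths(rows):
    """(process, path) for every operation whose path embeds a second quoted absolute path."""
    return [(r["Process Name"], r["Path"]) for r in rows if MALFORMED_PATH.search(r["Path"])]


if __name__ == "__main__":
    rows = load_rows(build_sample_csv())
    for proc, sec, n in registry_hogs(rows):
        print(f"{proc}: {n} registry ops in the second starting {sec}")
    for proc, path in malformed_file_paths(rows):
        print(f"{proc}: malformed path {path}")
```

To use it on a real capture, replace `build_sample_csv()` with the contents of a Procmon CSV export; the 500 ops/second threshold is a starting point, and the bucketing is by wall-clock second, so a burst straddling a second boundary shows up as two smaller counts.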



  • 6.  RE: SEP11 RU5 - ~1000 Registry Reads/second, Outlook unable to access email, clients regularly unable to see domain controllers

    Posted Mar 08, 2010 04:20 AM
    COH stands for Confidence Online Heuristics.

    It is used for proactive threat protection. If the issue continues to exist despite disabling the tamper protection, you can deploy a package with AV/AS and NTP on a few machines and see the difference in the performance.

    Also, try to make exception for the PTP engine from the centralized exceptions policy.

    That way you can come to know if PTP has detected any processes and was trying to stop them.

    Aniket


  • 7.  RE: SEP11 RU5 - ~1000 Registry Reads/second, Outlook unable to access email, clients regularly unable to see domain controllers

    Posted Mar 08, 2010 08:56 AM

    If you have SEP's NTP installed on the DCs, can you do a test for me?
    On a computer that's on the same subnet as the client computers that have problems seeing the DCs, open a command prompt and run

    ping -t dcipaddress

    and let it run.
    See if there are gaps in the pings...

    I have discovered that SEP will see itself as being attacked at times, and literally block all pings to and from everything for roughly 20 seconds or so. This is only with NTP installed. (other options settings like DOS, etc do not matter, this happens if NTP is installed and enabled under certain conditions)
    If a workstation cannot ping a DC, it will not use it, and other side-effects such as scripts not running, policies not being applied and so on can result.
    It's rare, so I don't expect it, but if it's happening, you will see gaps of about 5 or 6 ping "drops" while you run a ping -t to the DC and let it run all day.

    Make sure ALL of your network drivers are current, and SEP is fully current (RU5) on ALL machines, servers, DCs, clients, etc.

    Are there any "unusual" software packages installed on anything? Do the DCs do anything other than function as domain controllers?
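The check in the post above (leave `ping -t` running against a DC all day and look for runs of about five or six dropped replies) is tedious to do by eye over a day's output. The script below is an added example, not code from the thread or from Symantec; it reads saved Windows-style ping output (for instance `ping -t <dc-address> > ping.log` stopped with Ctrl+C) and reports every run of consecutive failures, so a roughly 20-second blackout of the kind described shows up as a gap of about 20 probes at ping's default one-second interval. The sample log is constructed.

```python
"""Find gaps in a long-running `ping -t <DC address>` capture.

Added example, not from the thread. Reads Windows-style ping console output and
reports runs of consecutive lost probes, which is what post 7 asks to watch for.
"""
import re
import sys

# "Reply from 10.0.0.10: bytes=32 time<1ms TTL=128" / "... time=12ms TTL=64"
REPLY = re.compile(r"^Reply from \S+: bytes=\d+ time[<=]\d+ms TTL=\d+")
# Lines Windows ping prints when a probe gets no usable answer.
FAILURE_PREFIXES = (
    "Request timed out",
    "Destination host unreachable",
    "General failure",
    "PING: transmit failed",
)


def classify(line: str):
    """'ok' for a reply, 'fail' for a lost probe, None for headers/statistics lines."""
    s = line.strip()
    if REPLY.match(s):
        return "ok"
    if s.startswith(FAILURE_PREFIXES):
        return "fail"
    return None


def find_gaps(lines, min_run: int = 2):
    """Return [(probe_index, run_length), ...] for each run of >= min_run consecutive
    failures. probe_index counts probes (replies + failures) from 0, so at ping's
    default one-second interval it is roughly the offset in seconds from the start."""
    gaps, probe, run_start, run_len = [], 0, None, 0
    for line in lines:
        kind = classify(line)
        if kind is None:
            continue  # "Pinging ... with 32 bytes of data:", statistics, blank lines
        if kind == "fail":
            if run_len == 0:
                run_start = probe
            run_len += 1
        else:
            if run_len >= min_run:
                gaps.append((run_start, run_len))
            run_len = 0
        probe += 1
    if run_len >= min_run:  # capture ends inside a gap
        gaps.append((run_start, run_len))
    return gaps


def summarize(lines, min_run: int = 2) -> dict:
    """Probe count, failure count and the gaps found, for a quick daily report."""
    probes = [c for c in map(classify, lines) if c]
    return {"probes": len(probes), "failures": probes.count("fail"), "gaps": find_gaps(lines, min_run)}


# Constructed capture: 8 replies, a 6-probe gap, 5 replies, one isolated drop, 3 replies.
SAMPLE_LOG = (
    ["Pinging 10.0.0.10 with 32 bytes of data:"]
    + ["Reply from 10.0.0.10: bytes=32 time<1ms TTL=128"] * 8
    + ["Request timed out."] * 6
    + ["Reply from 10.0.0.10: bytes=32 time=1ms TTL=128"] * 5
    + ["Request timed out."]
    + ["Reply from 10.0.0.10: bytes=32 time<1ms TTL=128"] * 3
    + ["", "Ping statistics for 10.0.0.10:", "    Packets: Sent = 23, Received = 16, Lost = 7 (30% loss),"]
)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as f:
            lines = f.read().splitlines()
    else:
        lines = SAMPLE_LOG
    result = summarize(lines)
    print(f"{result['probes']} probes, {result['failures']} failures")
    for start, length in result["gaps"]:
        print(f"  gap of {length} consecutive drops starting at probe #{start}")
```

Isolated single drops are ignored by default (`min_run=2`) because a lone timeout on a busy LAN is not the pattern the post describes; lower `min_run` to see them too. If a gap is found, the post's next steps apply: confirm NTP is installed on the DC, and check driver and SEP versions on both ends.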