Endpoint Protection


Slow scans, timing out?

  • 1.  Slow scans, timing out?

    Posted Feb 13, 2014 01:10 PM

    Version:  Symantec Endpoint Protection - 12.1.4013.4013

    Whenever a new definition arrives, this is the trail I usually see in the Windows Event viewer:

    New virus definition file loaded. Version: 140213002
    Scan started on selected drives and folders and all extensions.
    Scan Complete:  Risks: 0   Scanned: 763   Files/Folders/Drives Omitted: 0 Trusted Files Skipped: 703

    The scan takes about 8 minutes.  During this time (and for up to 30 minutes after!) the computer is very slow... sometimes the mouse freezes for up to 5 seconds, etc.  On other people's computers, the same scan takes a few seconds and scans the same number of files, and they don't even notice it.

    Often, this additional log is included in the event viewer:

    Reputation check timed out during unproven file evaluation, likely due to network delays.

    Our network firewall does not record any traffic from my computer during that time!

    From other forum discussions, I see that the "Download Insight" feature needs access to https://ent-shasta-rrs.symantec.com/mrclean. When I use any browser, inside or outside of our network, and try to access that page, I get this:

    400 Bad Request: cannot parse incoming googlebuf

    So, some questions...

    1. Can I turn on more detailed logging, to see how often the "reputation check" is running?
    2. Is it possible that SEP is being frequently delayed when trying to do the "reputation check", but the delays are not long enough to time out, but are long enough to slow the entire process down?
    3. What is causing the "400 Bad Request" error?  Is that normal?

    Thanks!



  • 2.  RE: Slow scans, timing out?

    Posted Feb 13, 2014 01:12 PM

    Did you allow Insight out? You can see these on how to test:

    How to verify that a Symantec Endpoint Protection 12.1 client is able to communicate with the Symantec Reputation server

    VPDebugging would show scanning

    How to enable "Vpdebug Logging" on Symantec Endpoint Protection 11.0, 12.1, and 12.1 RU1

    http://www.symantec.com/docs/TECH102939



  • 3.  RE: Slow scans, timing out?

    Posted Feb 13, 2014 01:19 PM

    Thanks. 

    I reviewed that, and tried the test described and got the "400 error" I mentioned.  According to the article, that means it is fine.

    It is interesting however, that our firewall logs other computers going to that address, but not mine.

    Is it possible that my SEP has a bad configuration, and is not even trying to hit the reputation server?



  • 4.  RE: Slow scans, timing out?

    Posted Feb 13, 2014 01:22 PM

    Is any proxy configured for some reason?



  • 5.  RE: Slow scans, timing out?

    Posted Feb 13, 2014 01:23 PM

    I see you added info about the "Vpdebug Logging" option.  Thanks!

    I've now done that, so will have to see if it provides any more information...



  • 6.  RE: Slow scans, timing out?

    Posted Feb 13, 2014 01:27 PM

    Good point... I use Fiddler frequently for web development work.  It affects the proxy settings on the computer.



  • 7.  RE: Slow scans, timing out?

    Posted Feb 13, 2014 01:28 PM

    Ahh yes, same here... SEP client will use the browser settings unless it was manually configured to use something else.



  • 8.  RE: Slow scans, timing out?

    Posted Feb 13, 2014 01:32 PM

    Your computer has download insight policy enabled? Is your machine in the same group?



  • 9.  RE: Slow scans, timing out?

    Posted Feb 13, 2014 01:36 PM

    Yes, and yes.  I do have Download Insight enabled, though I was planning to turn it off to see if that was really the issue.



  • 10.  RE: Slow scans, timing out?

    Posted Feb 13, 2014 01:44 PM

    Please turn that off and check, would be easier to narrow down the issue.



  • 11.  RE: Slow scans, timing out?

    Posted Feb 13, 2014 01:52 PM

    I'm currently running a full scan, with Fiddler turned on, no changes to the proxy settings and Vpdebug Logging set to ALL.  Hopefully this will show if the Insight is a part of the problem.

    After that, I plan to use the settings in SEP to set the proxy correctly, not relying on the browser settings.

     



  • 12.  RE: Slow scans, timing out?

    Posted Feb 13, 2014 01:59 PM

    An active scan might be quicker ;)



  • 13.  RE: Slow scans, timing out?

    Posted Feb 13, 2014 02:08 PM

    In reviewing the SEP "Virus and Spyware Protection Logs" more closely, I see daily, or multiple daily, entries for:

    Defwatch QuickScan

    However, in looking at this list of logs, I don't see any full scans. 

    I do however, see a "Scheduled Scan" that started two weeks ago, shows it "completed" this morning, and has a status of "Scan Suspended".

    Reviewing the Windows Event log, I see this pattern every day at the same time.

    3:42 am - Scan resumed on all drives and all extensions
    4:12 am - Reputation check timed out during unproven file evaluation, likely due to network delays.
    4:12 am - Scan Suspended: Risks: 0   Scanned: 254184   Files/Folders/Drives Omitted: 0 Trusted Files Skipped: 714

    The number of "scanned" files varies each day, sometimes significantly.

    As mentioned above, I'm running a full scan again now, with the logging adjusted.  It looks like I may need to wait 30 minutes to see if this pattern recurs during a manual scan.
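
One way to quantify the daily pattern quoted in the post above, as an added example that is not part of the original thread: it pairs each scan start or resume with its completion or suspension and counts reputation-check timeouts in between. The date prefix, the Feb 13 times, and the function names are assumptions made for illustration; the message texts are the ones quoted in the thread.

```python
import re
from datetime import datetime

# Constructed sample: event messages as quoted in the thread, with a date
# prefix and the 2014-02-13 times added here for illustration.
SAMPLE = """\
2014-02-12 3:42 am - Scan resumed on all drives and all extensions
2014-02-12 4:12 am - Reputation check timed out during unproven file evaluation, likely due to network delays.
2014-02-12 4:12 am - Scan Suspended: Risks: 0   Scanned: 254184   Files/Folders/Drives Omitted: 0 Trusted Files Skipped: 714
2014-02-13 1:02 pm - New virus definition file loaded. Version: 140213002
2014-02-13 1:02 pm - Scan started on selected drives and folders and all extensions.
2014-02-13 1:10 pm - Scan Complete:  Risks: 0   Scanned: 763   Files/Folders/Drives Omitted: 0 Trusted Files Skipped: 703
"""

LINE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{1,2}:\d{2} [ap]m) - (.*)$", re.I)
END = re.compile(r"^Scan (Complete|Suspended):.*?Scanned:\s*(\d+)", re.I)

def parse(text):
    """Yield (timestamp, message) for every line in the assumed format."""
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if m:
            ts = datetime.strptime(m.group(1).upper(), "%Y-%m-%d %I:%M %p")
            yield ts, m.group(2)

def summarize(text):
    """Return one dict per scan session: duration, outcome, files, timeouts."""
    sessions, current = [], None
    for ts, msg in parse(text):
        if msg.startswith(("Scan started", "Scan resumed")):
            current = {"begin": ts, "kind": msg.split()[1], "timeouts": 0}
        elif msg.startswith("Reputation check timed out"):
            if current is not None:  # only count timeouts inside a session
                current["timeouts"] += 1
        elif (m := END.match(msg)) and current is not None:
            current.update(
                end=ts,
                outcome=m.group(1).lower(),
                scanned=int(m.group(2)),
                minutes=(ts - current["begin"]).total_seconds() / 60,
            )
            sessions.append(current)
            current = None
    return sessions

if __name__ == "__main__":
    for s in summarize(SAMPLE):
        print(s["begin"], s["kind"], s["outcome"], s["minutes"], s["scanned"], s["timeouts"])
```

Run over several days of exported events, the per-session `minutes` and `timeouts` values show whether suspensions always follow a timeout or simply hit the configured scan window.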

     



  • 14.  RE: Slow scans, timing out?

    Posted Feb 13, 2014 02:09 PM

    The active scan is faster, but doesn't seem to have a problem...



  • 15.  RE: Slow scans, timing out?

    Posted Feb 13, 2014 02:35 PM

    It looks like our management system was set to trigger daily scans at 3:30, with randomized start times. It was also set to limit the scan to 2 hours.  That doesn't explain the time out, but does explain why the job gets suspended and resumed each day.  We've adjusted that now, removing the randomized start time in this group of computers, and allowing the scan to run for 3 hours.  Hopefully that will let it finish the scan in a shorter number of days.

    My issue with the timeout after 30 minutes is still a concern... and hopefully running the full scan now will reveal more details.



  • 16.  RE: Slow scans, timing out?

    Posted Feb 13, 2014 02:36 PM

    Cool, keep us posted



  • 17.  RE: Slow scans, timing out?

    Posted Feb 13, 2014 08:34 PM

    As might be expected, the manual scan finished without any issues. It scanned 5 million files, and added about 1.8 million lines to the vpdebug.log file(s). (Presumably the mismatch is that compressed files only add one line to the output, but may contain many files?)

    What would I see in the log to indicate that a "Download Insight" call has been made to the Symantec servers?  Don't see anything obvious...



  • 18.  RE: Slow scans, timing out?

    Posted Feb 13, 2014 08:48 PM

    While I'm not at a client to verify, it should be something along the lines of having submitted for reputation.



  • 19.  RE: Slow scans, timing out?

    Posted Mar 25, 2014 03:22 PM

    We've been continuing to have this problem on some computers.

    Some of the discussion above was focused on our nightly scan that doesn't complete in the 3 hour window given it, so it suspends until the next day.  This is not the issue.

    The issue is the arrival of new definition files.

    When a new definition file arrives, the "Scan Log" in SEP shows "Scan Complete" and it takes about 1.5 minutes on my computer.

    However, for the next 30 minutes or so, the entire computer is sluggish. Typing in any program may freeze up for 10 seconds, then be okay for 10 seconds, then freeze for another 5-10 seconds, etc.  During this time, the Task Manager shows very little activity.  However, the "System" task appears to be accessing 'random' files all over the computer.

    I've set my client to not use a proxy and tried turning off various features (Insight, Download Insight, etc.) but have not found a cure for this problem.  I had the full logging on for a while, but after collecting 3 GB of logs and not finding anything interesting, I turned them off again. However, that was when looking for the issue with the nightly scans. I've turned the logging on again, and will review it after the next "slow down".

    Any other ideas to explore?