Endpoint Protection


Symantec Endpoint Protection seemingly taking over machine

  • 1.  Symantec Endpoint Protection seemingly taking over machine

    Posted Apr 27, 2011 05:19 PM

    I've been having a recurring problem with my laptop that seems to point directly to SEP, or something interacting with SEP.  Every day inside the company firewall (with Windows Firewall turned off), after 2-3 hours of working normally, the processor becomes fairly active with what appears to be mostly SEP related processes - svchost, COH32, smc, smcgui, and rtvscan - all taking 2-10% or more of CPU.  Performance slows way down and the CPU stays in the 80-100% range until I manage to close any programs that are currently open.  Usually these are nothing more than Thunderbird, Firefox, Word or Excel, Textpad and Powerdesk file explorer.  Sometimes, Windows media player is streaming a 40K feed.  But even when everything is finally closed, the SEP-related programs continue to bounce the CPU between 10-30%.  When the computer is acting normally, the CPU usually bumps along around 1-5% even with several programs open (if none are actively engaged).  What's strange is that once it starts, this low level SEP activity never seems to go away.  Only a reboot will take care of it (and sometimes it even returns on startup!).

    I check the SEP interface and the logs while these things are happening (and after I've rebooted) and I never find any indication that SEP was performing a scan or downloading an update.  Those are all happening at their regularly scheduled times or upon startup.  What's more, when this starts to happen, other programs start taking up more CPU than normal.  For example, Thunderbird will start requiring 30-40% of CPU just sitting there, or more if you engage it in some way.  This is far higher than its usage under normal conditions (I've been monitoring these things for weeks) or on other machines.

    Other info:

    1 - The system is set to do weekly scans overnight on Mondays, Startup Scans and Defwatch scans.  This behavior occurs whether the weekly scan completed or not.

    2 - This does not happen when outside of the company network.  However, no other machine in the system behaves this way.

    3 - I've removed or disabled any program that I can find that might be trying to do live updates.

    4 - The machine was rebuilt 6 weeks ago because we suspected either a virus or some sort of system file corruption but the problem hasn't gone away.  SEP has been reinstalled more than once since then.

    5 - It's not uncommon to see an unknown process called "System" taking up resources too when this is happening, although it is not as common as the other processes.

    6 - My laptop is a Dell M4400 running Windows XP SP3 with 3.5 gigs of RAM.

    Any idea what is going on?  Is SEP the problem or is it just reacting to something else that has gone wrong with this system?

    thanks for any help you can provide!



  • 2.  RE: Symantec Endpoint Protection seemingly taking over machine

    Posted Apr 27, 2011 05:23 PM

    What version of SEP are you running?



  • 3.  RE: Symantec Endpoint Protection seemingly taking over machine

    Posted May 01, 2011 07:38 AM

    But have you tried looking at doing a defrag or a S.M.A.R.T. test on your disk?
    I've noticed in the past that a disk that is dying can consume more resources.

    Also, your company firewall - is it Symantec's NTP component or something different?

    If different, I'm assuming you don't have NTP installed?


    If you open the SEP GUI and under "Antivirus and Antispyware" select Options > "View File System Auto-Protect Statistics", are there any particular files that seem to be identified as being real-time scanned when this occurs?

    Regards,


    Chris Bulovic



  • 4.  RE: Symantec Endpoint Protection seemingly taking over machine

    Posted May 02, 2011 12:30 PM

    Of course, it's SEP 11.06.6200.754.



  • 5.  RE: Symantec Endpoint Protection seemingly taking over machine

    Posted May 02, 2011 04:21 PM

    Perhaps a process is running on that machine that is triggering a heuristic response (either AV-related or Proactive Threat Protection), or Tamper Protection. Though it's odd that this doesn't happen outside of network.

    • Which SEP components are installed?
    • Do the SEP client logs (AV Risk or Scan, for example) or Windows Event Viewer reveal anything?
    • Is location awareness enabled (which might account for the different behaviours in different locations, if different policies apply to different locations)?

    sandra



  • 6.  RE: Symantec Endpoint Protection seemingly taking over machine

    Posted May 03, 2011 04:53 PM

    Sandra,

    All SEP components are installed (Antivirus and Antispyware Protection, Proactive Threat Protection, and Network Threat Protection).

    Location awareness is not installed.

    We use both a hardware firewall controlled by the University and a soft firewall in SEP at our agency.

    I've suspected that another process is triggering a response from SEP but I have yet to find it.  I initially suspected Windows Search was causing the problem (it had gotten reinstalled after the computer was rebuilt) so I uninstalled it.  Nothing changed.  I've also uninstalled a few programs that like to check for updates (like Realplayer).  Firefox, Mozilla, and Adobe Reader still automatically update no matter how hard I try to turn that off, but these programs are installed on other desktops and laptops that don't have this problem.

    shawn



  • 7.  RE: Symantec Endpoint Protection seemingly taking over machine

    Posted May 11, 2011 01:28 PM

    I haven't gotten any responses to my answers to people's questions...

    Some more info:

    1 - The activity almost always kicks in shortly after 12pm central time.

    2 - If Firefox is open when this happens, it usually starts taking up 40% or more of the processor, whether or not it's actually open to any page that is doing anything.

    3 - Once Firefox is closed, the Symantec-related processes continue to take up 25-30% of the CPU for hours. So far I've never seen the behavior stop on its own.  Eventually I either reboot the machine (so I can get back to work) or I turn it off so I can go home.


    Can anyone give me any insight into what is happening?  I can find no trace of a process starting that is causing Symantec to kick in.



  • 8.  RE: Symantec Endpoint Protection seemingly taking over machine

    Posted May 11, 2011 02:11 PM

    The fact that it starts at a certain time makes me suspicious. What happens before 12? What happens after you reboot?

    Have you had a net admin look at traffic on your network and to and from your machine?



  • 9.  RE: Symantec Endpoint Protection seemingly taking over machine

    Posted May 11, 2011 05:04 PM

    Sorry, was sick for most of the weekend... Maybe you could launch Process Monitor shortly before 12 pm Central to see what exactly is occurring... Would be a lot of data to wade through but might bring you closer to a solution.

    Does this particular machine have anything installed on it that others do not?

    sandra
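The suggestion above is to catch the process that jumps first when the spike begins. A lightweight way to do that without wading through a full Process Monitor capture is to sample per-process CPU at a fixed interval and log only the processes that exceed a threshold, with a timestamp. The script below is an added example written for this thread; it is not from the original posts or from Symantec. The interval, threshold, run length and output path are assumptions you can adjust. It uses `Get-Process` and the `NUMBER_OF_PROCESSORS` environment variable, both available on Windows XP era PowerShell.

```powershell
# Added example (not from the thread): sample cumulative CPU time per process
# every few seconds and log the processes whose usage over the interval crosses
# a threshold. Start it well before the expected spike so the first offender
# is captured. All parameter defaults below are assumptions.
param(
    [int]$IntervalSeconds  = 5,      # assumed sampling interval
    [int]$DurationMinutes  = 120,    # assumed run length
    [double]$AlertPercent  = 20.0,   # assumed per-process threshold worth logging
    [string]$LogPath = "$env:USERPROFILE\cpu-samples.csv"  # assumed output file
)

# Percent is normalised over all logical processors so 100 means the whole box.
$cores    = [int]$env:NUMBER_OF_PROCESSORS
$end      = (Get-Date).AddMinutes($DurationMinutes)
$previous = @{}   # process id -> cumulative CPU seconds at the last sample

'timestamp,pid,name,cpu_percent' | Out-File -FilePath $LogPath -Encoding ascii

while ((Get-Date) -lt $end) {
    $now     = Get-Date
    $current = @{}
    foreach ($p in Get-Process) {
        # TotalProcessorTime is cumulative, so the delta between two samples is
        # the CPU consumed during the interval. Processes that deny access (or
        # exited while we were enumerating) throw here and are skipped.
        try { $secs = $p.TotalProcessorTime.TotalSeconds } catch { continue }
        $current[$p.Id] = $secs
        if ($previous.ContainsKey($p.Id)) {
            $delta = $secs - $previous[$p.Id]
            $pct   = [math]::Round(100.0 * $delta / ($IntervalSeconds * $cores), 1)
            if ($pct -ge $AlertPercent) {
                $line = '{0},{1},{2},{3}' -f $now.ToString('s'), $p.Id, $p.ProcessName, $pct
                Add-Content -Path $LogPath -Value $line
                Write-Host $line
            }
        }
    }
    $previous = $current
    Start-Sleep -Seconds $IntervalSeconds
}
```

Reading the CSV afterwards shows, to within one interval, which process crossed the threshold first and whether the SEP processes (smc, Rtvscan, ccSvcHst and so on) led or followed it. Because several services share one svchost.exe, map the logged svchost PID to its services with `tasklist /svc` while the spike is in progress; a PID alone does not identify the service.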



  • 10.  RE: Symantec Endpoint Protection seemingly taking over machine

    Posted May 12, 2011 05:18 PM

    I've only been monitoring the Task Manager (before and after the behavior starts).  I never see anything in particular.  All that I have seen happen is Firefox suddenly go from a resting background-type CPU level to 40-50% and several SEP-related processes kick in.  But it's not always Firefox that shows this behavior (sometimes Thunderbird does it too), and regardless, after getting all known open programs closed (which can take several minutes), the SEP processes continue on, taking up 15-30% of the CPU and making everything I try to do really really slow.

    I've also noticed no increase in network activity according to the Task Manager.

    I haven't tried Process Monitor yet and my network admin hasn't offered to look at network traffic to my machine (that is what I suspect and I will ask him).  But this does only happen when I'm in the office Tues-Thurs, and not Mon or Friday when I work from home. I've also asked about any kind of regular, internal network communications and he said there aren't any that correspond with what is happening.  Backups and software updates from them occur either early evening or overnight.  I thought that Windows Automatic Update might be causing trouble (it's set to check at 12 noon) so I changed it to 10 am and that didn't help either.

    As to the question of rebooting: that is what I always have to do to make it stop.  But, and this is the strangest part, it sometimes seems to take a second reboot to get the computer to behave normally.  That signals to me that it is some kind of scheduled event that wants to happen.  When I look at the logs of SEP, maybe only once or twice have I been able to correlate an action in the log, such as a Defwatch scan or a database update, with the behavior, and even in those cases, the log indicated the action completed successfully, yet the CPU never returned to normal.  What kind of regular network activity does SEP engage in besides database updates?

    Here's another item to throw out there - when SEP is doing this, any kind of file extraction, such as unzipping an archive, or installing software, slows to a near halt (about 4 times slower than when SEP is behaving properly - I did several tests on this machine and others to set a benchmark).  Whether that is just because the CPU is busy with something else or because SEP is hung up on something else, who knows?

    Yesterday I uninstalled SEP and installed MS Security Essentials to see what would happen and so far, I have not had any of the problems I'd been having.  If my computer is trying to do something shortly after 12 noon, MSSE doesn't seem to mind, and my processor doesn't seem to register much disturbance.



  • 11.  RE: Symantec Endpoint Protection seemingly taking over machine

    Posted May 12, 2011 05:30 PM

    Can SEP get hung up on audio streams?  One of the differences between working at home and in the office is that I usually stream a radio station at the office.  In most cases, I start that around 9 or 9:30 in the morning and it obviously doesn't cause a problem for the first few hours.  Is it possible that some sort of buffer or log fills up and that in turn hangs up SEP, or does SEP even scan streams?  Just like I've seen Firefox suddenly jump up in activity when the SEP processes kick in, I've also noticed the plugin-container.exe do the same thing.  Generally, it cruises along at under 10% of CPU, until the behavior starts and then it jumps into the 40-60% range.

    The problem with this theory is that I've taken to streaming audio on a desktop in my office and it has not caused that problem there, and I've stopped streaming on my laptop and this behavior still occurred...



  • 12.  RE: Symantec Endpoint Protection seemingly taking over machine

    Posted May 13, 2011 07:37 AM

    What version of Firefox are you running? Latest is 4.0.1. I have not seen this particular issue but I do know FF was susceptible to memory leaks in past versions. I would recommend upgrading FF to see if it changes anything.