28 Replies Latest reply on Apr 1, 2010 7:42 AM by scoutt

    8.7i + Antivirus + Spyware Causes Server Slow down

    scoutt

      We have a server:

       

      Windows 2003 Server Standard

      CPU - 2.3gig

      Memory - 3.5gig / 4gig

       

      It was running on 8.0i patch 10 with no troubles at all. Once we add 8.7i it causes the software on the machine to slow to a crawl. The main program is called Unicare - Pro-filer. The server itself to me is fast, no issues. Watching resource monitor I see the CPU go to 80-90% about every 2-3 minutes. The main one to ramp it up is called srvchost.exe, not even a McAfee file. We have excluded all of C: to debug what is causing it. It still is at a crawl.

       

      What is the biggest difference between 8.0 and 8.7 that would cause things to slow down? The program allows users to use a "terminal session" like a cisco login that they run stuff in this program. Apart from that I cannot tell you how they run it.

       

      Could it be the order of install? Like installing 8.7i after the main program installation could cause a dll mishap where McAfee and Pro-Filer fight over it?

       

      All log files on McAfee are empty so it is not blocking anything. We have most everything set in policy and 95% default what comes from EPO. But all logs are still empty, so it doesn't seem like McAfee is causing it at all.

       

      Is there anything we can look at to see if McAfee is the problem? Again 8.0i patch 10 was perfectly fine, no slow down.

        • 1. Re: 8.7i + Antivirus + Spyware Causes Server Slow down

          You might want to try turning off McAfee's Access Protection features.  If that helps, you can turn them back on one at a time to figure out where the problem is.

           

          Jay

          • 2. Re: 8.7i + Antivirus + Spyware Causes Server Slow down
            scoutt

            well can that be done through ePO? Cause all the servers including this one are locked down.

            • 3. Re: 8.7i + Antivirus + Spyware Causes Server Slow down
              scoutt

              also if we are excluding all of C: what exactly is McAfee doing?  if that doesn't make a difference?

              • 4. Re: 8.7i + Antivirus + Spyware Causes Server Slow down
                rmetzger

                scoutt wrote:

                 

                well can that be done through ePO? Cause all the servers including this one are locked down.

                 

                also if we are excluding all of C: what exactly is McAfee doing?  if that doesn't make a difference?

                Well, yes, though I do not have ePO in front of me, so I cannot tell you the exact details of the screens, etc.

                VSE v8.7i includes far more than just file scanning as each process in memory is also checked, Buffer Overflow checking, a mini-firewall, a script checker, and more. As the malware writers get more advanced, so must the AV software. As such tuning gets more complicated.

                 

                Is this application you are running based on Java or ActiveX?

                 

                You might want to check:

                 

                1) ScriptScan - Turn it off, or if you have Patch 2 or 3 loaded, look into White Listing your application. See the documentation for details. This would be done at the client side as well. I don't believe v8.0 had ScriptScan in it, or that it did much. Version 8.7i does have significant use of this and can impact performance of hosted applications, such as MS CRM.

                 

                2) Disable unneeded add-ons like the Outlook addin on the server.

                 

                3) Check the servers in the On Access Scanning, Scan inside  of Archives. Turning this off may help isolate where the performance  lag is happening. This may be redundant on the server, though check with  your security specialists for more info.

                 

                4) Several registry entries to be added:

                 

                REGEDIT4

                [HKEY_LOCAL_MACHINE\SOFTWARE\McAfee\VSCore\On Access Scanner\McShield\Configuration]
                ;;  see https://kc.mcafee.com/corporate/index?page=content&id=kb60651
                "ScanProcessesOnEnable"=dword:00000000
                ;;  "ScanProcessesOnEnable"=-
                ;;  see https://kc.mcafee.com/corporate/index?page=content&id=KB60651&pmv=print
                "ScanMemoryOfNewProcesses"=dword:00000000
                ;;  "ScanMemoryOfNewProcesses"=-

                 

                 

                Since excluding C:\*.* has not helped with performance, I would suggest re-enabling (not excluding) C:\*.*, but rather check with the software developers and see what 'they' say you should exclude. Right now, you are Exposed.

                 

                MS KB822158 http://support.microsoft.com/kb/822158 "Virus scanning recommendations for computers that are  running currently supported versions of Windows" is a good starting point for setting exclusions.

                 

                Hope this is helpful.

                Ron Metzger

                • 5. Re: 8.7i + Antivirus + Spyware Causes Server Slow down
                  scoutt

                  Thanks for the tips and things to try. I will let you know how things go Monday. Right now we have to back rev to 8.0 for the weekend so people can get their job done.

                   

                  To answer some of your questions, it is not java or activex, I believe that it runs c++ but I cannot be certain.

                   

                  1) We have ScriptScan turned off by default, so it is not that.

                   

                  2) Where is this addin?

                   

                  3) We have this disabled or not turned on as well, but if we exclude the whole C Drive then this is a mute point right?

                   

                  4) I will try this on Monday. I did find this setting and it was on, so I will try that.

                   

                  We do have a folder we exclude for this product but think that we may have missed one we excluded the whole C Drive, I have since re-enabled that and only excluded the one folder we know of.

                  • 6. Re: 8.7i + Antivirus + Spyware Causes Server Slow down
                    rmetzger

                    scoutt wrote:

                     

                    Thanks for the tips and things to try. I will let you know how things go Monday. Right now we have to back rev to 8.0 for the weekend so people can get their job done.

                    Sounds reasonable.

                     

                    scoutt wrote:

                     

                    To answer some of your questions, it is not java or activex, I believe that it runs c++ but I cannot be certain.

                     

                    from their site (assuming I tracked down the right product).

                    Technology


                    UNI/CARE offers a comprehensive set of applications that use cutting  edge/server technology. Pro-Filer is a 32-bit fast executing application  using an N-tier design to ensure almost limitless scalability, no  matter how complex the infrastructure. In addition, Pro-Filer utilizes  the WINDOWS platform, a flexible, responsive system, capable of  accommodating fast growth and changing organizational requirements.

                    • N-tier hardware architecture for scalability
                    • Minimum desktop requirement(s) using a thin client
                    • Open architecture for Intranet/Internet
                    • Multi-server support for all tiers
                    • Fast reliable TCP/IP network support
                    • LAN, WAN and SAN support
                    • ASP Hosting (On Demand Application Hosting  Services)

                    Also, listed is the fact that this is .Net based, so,  could be C++, Cobol, ActiveX, or even Java based (or a combination of each). Since it is using a  Thin Client/Server architecture my guess is that this is using a Thick  server where the heavy load is placed on the server. So performance  tuning here is essential.

                     

                    scoutt wrote:

                     

                    1) We have ScriptScan turned off by default, so it is not that.

                    That would have been my first guess, but ... Is ScriptScan Off on both the servers and the clients?

                     

                    Another thought: Are the client PCs running with VSE scanning the Network (On Access Scanner > On Network Drives). This could create serious work at the server and stress the network infrastructure as well.

                     

                    Also, what file types are scanned on the server: Default or All. If it is All, then every file type gets scanned for every form of infection. An example: Say you have a .XLS file. With 'All' each .xls file is going to get scanned not just for threats to Excel spreadsheets (macros etc.), but also for PE infections as well. This may be a little too tight a configuration for a heavily loaded server.

                    scoutt wrote:


                    2) Where is this addin?


                    I am referring to the server, Outlook > Tools > Addins, check for McAfee or Anti-Virus... and delete or disable.

                     

                    Better still, during the install of VSE 8.7i on the server, do a custom install and do Not install this option on the server. This assumes that the server/application is not using Outlook as an SMTP engine for sending out automated email.

                     

                    Likewise, you may want to consider not installing ScriptScan during the custom install, as well.

                     

                    scoutt wrote:


                    3) We have this disabled or not turned on as well, but if we exclude the whole C Drive then this is a mute point right

                    We do have a folder we exclude for this product but think that we may
                    have missed one we excluded the whole C Drive, I have since re-enabled
                    that and only excluded the one folder we know of.

                    Moot, yes, but good that you have turned C:\ scanning back on. Is this the only drive on the system, or is there a D:, E:, etc. Check these as well.

                     

                    Also, check whether you are scanning inside Archives (on the server). Some applications store scripts in archive form and every time they run, the archive would need to be extracted before the script is run. A real big performance drain on some applications.

                     

                    scoutt wrote:


                    4) I will try this on Monday. I did find this setting and it was on, so I will try that

                    You might want to consider using a couple of SysInternals tools (now Microsoft) such as Process Explorer and Process Monitor to see just what srvchost.exe is doing.

                     

                    Every 2-3 minutes (CPU going high) strikes me as a problem with the ScanProcessesOnEnable registry change I mentioned earlier. If you have installed Patch 2 or 3 over an existing copy of VSE, the other, newer and more comprehensive method, is already doing this job, so it is recommended that this setting be turned off, unless performance is not an issue and security is paramount. (Patch 2 and 3 release notes mention this.)

                     

                    I am eager to hear your results.


                    Thanks,

                    Ron Metzger

                     

                     

                    Message was edited by: rmetzger (spelling error) on 3/11/10 2:37:17 PM GMT-05:00
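Added example, not part of the original posts and not McAfee tooling: a small parser for `.reg` text that reports the state of the two McShield values from reply 4, which reply 6 ties to the 2-3 minute CPU spikes. It is meant for comparing an exported copy of the key before and after tuning; treating any non-zero dword as "on" is an assumption, and the `BEFORE` sample is constructed.

```python
import re

# Key and value names come from the .reg snippet posted in the thread.
MCSHIELD_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\McAfee\VSCore"
                r"\On Access Scanner\McShield\Configuration")
TUNED_VALUES = ("ScanProcessesOnEnable", "ScanMemoryOfNewProcesses")
KEY_RE = re.compile(r"^\[(-?)(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.+)$')

def parse_reg(text):
    """Parse .reg text into {key: {value_name: data}}, names lower-cased.
    dword data becomes an int, a "name"=- deletion becomes None, other data
    stays a raw string; ';' comments and header lines are skipped."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        m = KEY_RE.match(line)
        if m:  # "[-key]" deletes a key, so nothing under it is recorded
            current = None if m.group(1) else keys.setdefault(m.group(2).lower(), {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name, data = m.group(1).lower(), m.group(2).strip()
            if data == "-":
                current[name] = None
            elif data.lower().startswith("dword:"):
                current[name] = int(data[6:], 16)
            else:
                current[name] = data
    return keys

def audit_mcshield(text):
    """Map each tuned value to 'disabled', 'enabled' or 'not set'.
    Assumption: any non-zero dword means on (the thread only shows 0 = off)."""
    values = parse_reg(text).get(MCSHIELD_KEY.lower(), {})
    report = {}
    for name in TUNED_VALUES:
        data = values.get(name.lower())
        if data is None:
            report[name] = "not set"
        else:
            report[name] = "disabled" if data == 0 else "enabled"
    return report

# Values as posted in the thread, then a constructed "before" export.
TUNED = ("REGEDIT4\n[" + MCSHIELD_KEY + "]\n"
         ';;  "ScanProcessesOnEnable"=-\n'
         '"ScanProcessesOnEnable"=dword:00000000\n'
         '"ScanMemoryOfNewProcesses"=dword:00000000\n')
BEFORE = ("Windows Registry Editor Version 5.00\n\n[" + MCSHIELD_KEY + "]\n"
          '"ScanProcessesOnEnable"=dword:00000001\n')
```

Call `audit_mcshield()` on the text of an exported key; a file exported in the "Version 5.00" format is UTF-16, so open it with `encoding="utf-16"` before passing the text in.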
                    • 7. Re: 8.7i + Antivirus + Spyware Causes Server Slow down

                      Hi guys, I'd like to move this thread into a specific product area so other community members might see it and offer advice. I can't tell if this should go under VirusScan or ePO... let me know and I will move it accordingly.

                      • 8. Re: 8.7i + Antivirus + Spyware Causes Server Slow down
                        rmetzger

                        Hi April,

                         

                        Seems that his temporary solution is about VirusScan Enterprise (back to v8.0). My guess is that is where this should be directed.

                         

                        Thanks,

                        Ron Metzger

                        ajacobs wrote:

                         

                        Hi guys, I'd like to move this thread into a specific product area so other community members might see it and offer advice. I can't tell if this should go under VirusScan or ePO... let me know and I will move it accordingly.

                        • 9. Re: 8.7i + Antivirus + Spyware Causes Server Slow down
                          scoutt

                          Also, listed is the fact that this is .Net based, so,  could be C++, Cobol, ActiveX, or even Java based (or a combination of each). Since it is using a  Thin Client/Server architecture my guess is that this is using a Thick  server where the heavy load is placed on the server. So performance  tuning here is essential.

                          Yes, that is the same Program.

                           

                          That would have been my first guess, but ... Is ScriptScan Off on both the servers and the clients?

                           

                          It is off on the servers but not the clients. I will have to see about turning it off on the clients or client as well

                           

                          Another thought: Are the client PCs running with VSE scanning the Network (On Access Scanner > On Network Drives). This could create serious work at the server and stress the network infrastructure as well.

                           

                          Neither the client nor the servers scan network or other drives.

                           

                          Also, what file types are scanned on the server: Default or All. If it is All, then every file type gets scanned for every form of infection. An example: Say you have a .XLS file. With 'All' each .xls file is going to get scanned not just for threats to Excel spreadsheets (macros etc.), but also for PE infections as well. This may be a little too tight a configuration for a heavily loaded server

                           

                          The setting is set to "all files", but when disabling the C: this setting shouldn't really make a difference.

                           

                          I am referring to the server, Outlook > Tools > Addins, check for McAfee or Anti-Virus... and delete or disable.

                           

                          Better still, during the install of VSE 8.7i on the server, do a custom install and do Not install this option on the server. This assumes that the server/application is not using Outlook as an SMTP engine for sending out automated email.

                           

                          Likewise, you may want to consider not installing ScriptScan during the custom install, as well.

                           

                          I did a new install with "custom" as the choice. I did not install Lotus notes and Outlook scan modules. ScriptScan is turned off on the server.

                           


                          Moot, yes, but good that you have turned C:\ scanning back on. Is this the only drive on the system, or is there a D:, E:, etc. Check these as well.

                           

                          Also, check whether you are scanning inside Archives (on the server). Some applications store scripts in archive form and every time they run, the archive would need to be extracted before the script is run. A real big performance drain on some applications.

                           

                          There is only a C and D drive, it is not scanning D: At this point in time the default is not to scan "inside" files and it does not decode mime types.

                           

                          By default on servers, scanning is set to:

                          Scan files:(checked)


                          File types to scan: (checked)

                          Heuristics:(checked)
                          (checked)
                          Compressed files:
                          Unwanted programs detection:(checked)

                           

                          You might want to consider using a couple of SysInternals tools (now Microsoft) such as Process Explorer and Process Monitor to see just what srvchost.exe is doing.

                           

                          Every 2-3 minutes (CPU going high) strikes me as a problem with the ScanProcessesOnEnable registry change I mentioned earlier. If you have installed Patch 2 or 3 over an existing copy of VSE, the other, newer and more comprehensive method, is already doing this job, so it is recommended that this setting be turned off, unless performance is not an issue and security is paramount. (Patch 2 and 3 release notes mention this.)

                           

                          That is not a bad idea. I will turn that off.
