6 Replies Latest reply on Sep 10, 2010 2:01 PM by jguenrdc

    EPO hanging user PCs each day

      Hello,

       

      I have ePO version 4.5 with ePO agent 4.5.0.1429 and McAfee VirusScan Enterprise 8.7.0.570. My issue is that many users report that their PCs start to hang at about 9.20 each morning for about 10 minutes. When I look at Windows Event Viewer I cannot see any activity, but the OnAccessScanLog always contains an entry like this one on affected PCs:

       

      9/9/2010 09:20:22  Engine version                          = 5400.1158
      9/9/2010 09:20:22  AntiVirus   DAT version                 = 6099.0
      9/9/2010 09:20:22  Number of detection signatures in EXTRA.DAT = None
      9/9/2010 09:20:22  Names of detection signatures in EXTRA.DAT  = None

       

      I thought that this was just a message that appears when the McAfee service starts; however, these users may have been logged in an hour or so before the PC hangs and the message appears in the logs. In this case the user tells me that he logged on at 8.00 that morning. I do not have any task I know of running on the PCs at this time. Can anyone tell me what else might be causing this slowdown on clients?

       

      Thank you,

        • 1. Re: EPO hanging user PCs each day

          It seems that although the user logs into the PC at 8am, the Windows event logs show that the McShield service starts at 9.20

          McShield service started.
          Engine version : 5400.1158
          DAT version : 6098.0000

          Number of signatures in EXTRA.DAT : None
          Names of threats that EXTRA.DAT can detect : None

          McShield service started.
          Engine version : 5400.1158
          DAT version : 6098.0000

          Number of signatures in EXTRA.DAT : None
          Names of threats that EXTRA.DAT can detect : None

           

          Can anyone tell me what (setting) might be responsible for the service starting at this time?

          • 2. Re: EPO hanging user PCs each day

            Probably the virus definition files (DATs) are being updated at 9:20.  Those log entries occur when VirusScan loads the new DATs.  Search the VirusScan forum for "Processes on Enable" to find some threads that should have suggestions for minimizing the interruption.  One would be to schedule your DAT updates when the user isn't using the computer.

             

            Jay

            • 3. Re: EPO hanging user PCs each day

              Hi jguenrdc, I'll give that a try this week and see if it makes a difference. Thanks for the reply, I didn't know updates would be that disruptive.

              Thanks

              • 4. Re: EPO hanging user PCs each day

                In my experience, having a multi-threaded or multi-core processor makes a big difference in how noticeable the DAT update is while using the computer.

                 

                Jay

                • 5. Re: EPO hanging user PCs each day

                  Hello,

                  The PCs in question are usually older (Pentium 4).

                  I set the update task for DAT updates to run at 8.10. However, this PC seems to update its DAT at 9.36 and it also seems to be scanning the PC too. I changed the task yesterday, but this PC seems to be updating at 9.36 this morning. I have run the 'wake up agent' from ePO, so hopefully it will update that task. Can you tell me why it is scanning the files below?

                  Thanks

                   

                  9/10/2010 08:29:57  Engine version                          = 5400.1158
                  9/10/2010 08:29:57  AntiVirus   DAT version                 = 6099.0
                  9/10/2010 08:29:57  Number of detection signatures in EXTRA.DAT = None
                  9/10/2010 08:29:57  Names of detection signatures in EXTRA.DAT  = None

                  9/10/2010 09:36:57  Engine version                          = 5400.1158
                  9/10/2010 09:36:57  AntiVirus   DAT version                 = 6100.0
                  9/10/2010 09:36:57  Number of detection signatures in EXTRA.DAT = None
                  9/10/2010 09:36:57  Names of detection signatures in EXTRA.DAT  = None
                  9/10/2010 09:36:58 Not scanned  (scan timed out)  NT AUTHORITY\SYSTEM C:\WINNT\System32\svchost.exe C:\WINNT\Prefetch\SLPPM.EXE-1A06B13F.pf
                  9/10/2010 09:37:02 Not scanned  (scan timed out)  LCO\p.mcg C:\WINNT\Seiko\Slppm.exe C:\DOCUME~1\P~1.MCG\LOCALS~1\Temp\QUEUE0.SLP

                  • 6. Re: EPO hanging user PCs each day

                    VirusScan includes on-access scanning and on-demand scanning.  On-access means whenever a file is read/written (assuming default settings) during normal use of the computer, it is scanned.  On-demand is when you schedule a scan of files on the hard drive.  I have noticed that files that happen to be getting scanned by the on-access scanner when the DAT files are being updated will time out sometimes.  It looks like a print driver/queue was being used when the DAT file was being updated.  Notice the time is within a few seconds of the 6100 DAT update.

                     

                    Regarding the second DAT update later in the morning, check the AutoUpdate task on the affected machines.  It is enabled by default and may be set to run in the morning with randomization.  Check this by going to an affected system, find the McAfee folder in the Start menu, and open the VirusScan console.  Look for the AutoUpdate item and check the Status column.  If it says "Not scheduled", it is already disabled.  If not, it will show you when it is scheduled to run (if randomization is set, it may run later than the time displayed).  You can disable the AutoUpdate task from ePO by going to the User Interface Policies for VSE and checking the "Disable default AutoUpdate task schedule" box on the Display Options tab under the Console options heading.  NOTE that this is a "one-way" operation (with VSE 8.7 / Agent 4.5; don't know if this will change in future versions) - if you ever want to enable it again, you would have to go to each system and turn it back on in the VirusScan Console.

                     

                    If the default AutoUpdate is already disabled, make sure there are no other update tasks.  I seem to remember some posts about old update tasks "leftover" when VSE, the Agent, and/or ePO were updated from one version to another.

                     

                    Another possibility is that depending on the settings for the User Interface policies, the user may be able to right-click the McAfee icon and update the DATs.  Or, they may go into the VirusScan console and run the AutoUpdate task manually.

                     

                    Jay

                     

                     

                    Message was edited by: jguenrdc for greater clarity on 9/10/10 2:01:58 PM CDT
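
The correlation described in reply 6 (on-access scan timeouts landing within seconds of a DAT load) can be checked across a whole OnAccessScanLog instead of by eye. This is an added example, not part of the original thread or of McAfee's tooling; the function names and the 30-second window are assumptions, and the sample lines are the ones quoted in reply 5.

```python
import re
from datetime import datetime, timedelta

# Lines copied from the OnAccessScanLog excerpt in reply 5 of this thread.
SAMPLE_LOG = r"""
9/10/2010 08:29:57  Engine version                          = 5400.1158
9/10/2010 08:29:57  AntiVirus   DAT version                 = 6099.0
9/10/2010 09:36:57  Engine version                          = 5400.1158
9/10/2010 09:36:57  AntiVirus   DAT version                 = 6100.0
9/10/2010 09:36:58 Not scanned  (scan timed out)  NT AUTHORITY\SYSTEM C:\WINNT\System32\svchost.exe C:\WINNT\Prefetch\SLPPM.EXE-1A06B13F.pf
9/10/2010 09:37:02 Not scanned  (scan timed out)  LCO\p.mcg C:\WINNT\Seiko\Slppm.exe C:\DOCUME~1\P~1.MCG\LOCALS~1\Temp\QUEUE0.SLP
"""

LINE = re.compile(r"^(\d{1,2}/\d{1,2}/\d{4} \d{2}:\d{2}:\d{2})\s+(.*)$")
DAT = re.compile(r"DAT version\s*=\s*(\S+)")

def parse(log_text):
    """Yield (timestamp, message) for every line that starts with a timestamp."""
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if m:
            yield datetime.strptime(m.group(1), "%m/%d/%Y %H:%M:%S"), m.group(2)

def analyze(log_text, window_seconds=30):
    """Return (loads, timeouts); each timeout carries the DAT version loaded just before it, or None."""
    events = list(parse(log_text))
    loads, previous = [], None
    for ts, msg in events:
        m = DAT.search(msg)
        if m:  # record (time, version, True when the version differs from the previous load)
            loads.append((ts, m.group(1), previous is not None and m.group(1) != previous))
            previous = m.group(1)
    window = timedelta(seconds=window_seconds)  # assumed window, tune per site
    timeouts = []
    for ts, msg in events:
        if "scan timed out" in msg:
            near = [v for t, v, _ in loads if timedelta(0) <= ts - t <= window]
            timeouts.append((ts, msg, near[-1] if near else None))
    return loads, timeouts

if __name__ == "__main__":
    loads, timeouts = analyze(SAMPLE_LOG)
    for ts, version, changed in loads:
        print(ts, "DAT", version, "(new version)" if changed else "(reload or first entry)")
    for ts, msg, near in timeouts:
        print(ts, "timeout", "within window of DAT " + near if near else "not near a DAT load")
```

Timeouts that report no nearby DAT load are the ones worth a separate look, since the update explanation does not cover them.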