It is generally the On-Access Scanner that people have problems with, but it could be any of the components. There is a KB50981 article that walks you through using ProcMon.exe (from the SysInternals Suite) to determine what exactly is going on.
I have been in dozens of 100,000+ environments, and every time I have to introduce people to this process. It really is basic diagnostics, but few people know the ins and outs of it. Usually, this should result in adding a process to your Low-Risk Processes policy, but sometimes that isn't enough.
My experience has been that people just want things to work (at any cost), and that rarely does anyone care about how to improve the heavy I/O caused by the application. Sorry, just venting a bit.