We are in the process of deploying MOVE AV agentless 3.0 in our environment. I've noticed something and I would like to check if this is normal.
In all the sales talks about MOVE they are promoting the cache that contains hashes for all files that are scanned, so that they don't need to be scanned a second time when they are offered again to the SVA.
In MOVE 3.0 it is also changed that after a reboot the cache still remembers the previous hashes.
And when we test it, it works perfectly, except when we start a new day! Let me explain.
We are doing some stress tests on one VM that is protected by MOVE. It is the only VM on the ESXi host that is protected by MOVE; the others are still protected with VirusScan Enterprise.
When we do a series of file copies we see that the first copy goes a little slower than the rest. (With JAR files the SVA goes to 100% CPU utilisation and becomes very slow.)
Subsequent copies of the same files work without a hitch at blazing fast speeds.
Now when we come into the office the next morning and start the first copy of the day, the speed is again slower and we see on the SVA (using the top command) that the server is scanning the files. Subsequent copies are again blazing fast.
Is this normal? I would think that the cache remains persistent and that the first copy in the morning also would be very fast. Or does the SVA purge its cache at night?
Any hints or tips to avoid this would be welcome.
I believe the caches are flushed every time the SVA loads a new DAT.