
Performance issues when running scans on the Linux client

Article ID: 162599

Updated On:

Products

Endpoint Protection

Issue/Introduction

Performance issues occur when running scans using Symantec Endpoint Protection (SEP) for Linux. The rtvscand process may consume above-average resources.

Cause

By default, SEP for Linux is configured for the highest level of security, not the best performance. Auto-Protect may also consume additional resources when scanning compressed files, especially large archive formats (it can scan a maximum of 3 archive levels).

Resolution

To increase scan performance:

  • Disable scanning of compressed files and/or exclude directories that contain large archival file formats.
  • Disable/exclude the scanning of remote shared network file systems - these systems should be scanned by the host and not by remote clients.

Disable scanning of compressed files and remote file systems

To disable Auto-Protect scanning of compressed or remote files:

  1. In Symantec Endpoint Protection Manager (SEPM), click Policies > Virus and Spyware Protection.
  2. Select your antivirus (AV) policy, expand Linux Settings, and then under Protection Technology, select Auto-Protect.
  3. On the Scan Details tab, click Advanced Scanning and Monitoring, and uncheck Scan files inside compressed files (if checked).
  4. Uncheck Scan files on remote computers.
  5. Click OK to save the policy and assign it to the client group.

Note: If scanning of compressed files is required by your company's security policy, either perform the scan manually or set a scheduled scan during off-peak hours.

See also Disable Auto-Protect scanning of compressed files from the command line

Exclude system directories

Exclude the following directories to increase scan performance:

  • /proc
  • /sys
  • /dev

Note: SEP for Linux will try to scan these directories. At best, your system log will be clogged with "failed to open file" messages and performance will be slow. At worst, SEP may crash. See Endpoint Protection for Linux crashes during scan of system directories.

You can also exclude other large archival formats, such as mail stores and databases. For example, scans may occur on a database file every time it is read (reads can occur hundreds of times per second). This adds significant overhead and affects performance for both the application and the system.

Exclude any folder where a remote (shared) file system is mounted. Network shares should be scanned by their host, not by clients accessing them.
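To build the list of directories to enter in the Exceptions policy, the following added example (not Broadcom's code) prints /proc, /sys and /dev plus every mount point backed by a remote file system, read from a mounts table in /proc/mounts format. The function names and the list of remote file system types are assumptions; adjust the list for your environment.

```shell
#!/bin/sh
# Added example: list directories that are candidates for scan exclusion.
# Input is a mounts table in /proc/mounts format: device mountpoint fstype ...

# File system types treated as remote/shared (assumed list, extend as needed).
REMOTE_FS_TYPES="nfs nfs4 cifs smb3 smbfs ncpfs afs 9p ceph glusterfs fuse.sshfs fuse.glusterfs"

# candidate_exclusions [MOUNTS_FILE]
# Prints /proc, /sys, /dev and each remote mount point, one per line, de-duplicated.
# MOUNTS_FILE defaults to the live table; "-" reads the table from stdin.
candidate_exclusions() {
    mounts_file="${1:-/proc/mounts}"
    {
        printf '%s\n' /proc /sys /dev
        awk -v types="$REMOTE_FS_TYPES" '
            BEGIN { n = split(types, t, " "); for (i = 1; i <= n; i++) remote[t[i]] = 1 }
            ($3 in remote) {
                mp = $2
                gsub(/\\040/, " ", mp)   # the mounts table encodes a space as \040
                print mp
            }
        ' "$mounts_file"
    } | LC_ALL=C sort -u
}

# Constructed sample mounts table (not taken from a real host).
sample_mounts() {
    cat <<'EOF'
/dev/sda1 / ext4 rw,relatime 0 0
proc /proc proc rw,nosuid 0 0
fileserver:/export/home /mnt/home nfs4 rw,vers=4.2 0 0
//nas/share /mnt/team\040share cifs rw,vers=3.0 0 0
tmpfs /run tmpfs rw,nosuid 0 0
fileserver:/export/home /mnt/home nfs4 rw,vers=4.2 0 0
EOF
}

# Run against the constructed sample; call candidate_exclusions with no
# argument on a client to read its live mounts table instead.
demo() {
    sample_mounts | candidate_exclusions -
}

demo
```

Local file systems such as ext4 and tmpfs are left out of the output on purpose, so they stay in scope for Auto-Protect.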

Creating exceptions policies in Endpoint Protection Manager
Configure scan exceptions in Endpoint Protection for Linux from the command line