Performance issues when running scans on the Linux client

Article ID: 162599

Products

Endpoint Protection

Issue/Introduction

Performance issues occur when running scans using Symantec Endpoint Protection (SEP) for Linux. The rtvscand process may consume above-average resources.

Cause

By default, SEP for Linux is configured for the highest level of security, not the best performance. Auto-Protect may also consume additional resources when scanning compressed files, especially large archive formats (it scans at most 3 nested archive levels).

Resolution

To increase scan performance:

  • Disable scanning of compressed files and/or exclude directories that contain large archival file formats.
  • Disable/exclude the scanning of remote shared network file systems - these systems should be scanned by the host and not by remote clients.

Disable scanning of compressed files and remote file systems

To disable Auto-Protect scanning of compressed or remote files:

  1. In Symantec Endpoint Protection Manager (SEPM), click Policies > Virus and Spyware Protection.
  2. Select your antivirus (AV) policy, expand Linux Settings, and then under Protection Technology, select Auto-Protect.
  3. On the Scan Details tab, click Advanced Scanning and Monitoring, and uncheck Scan files inside compressed files (if checked).
    NOTE: for SEP for Linux version 14.3 RU1 or newer, see the instructions in SEP Linux agent continues scanning compressed files despite disabled option in policy. The newest versions of SEPM no longer have this checkbox, but compressed file scanning can still be configured locally on the client.
  4. Uncheck Scan files on remote computers.
  5. Click OK to save the policy and assign it to the client group.

Note: If scanning of compressed files is required by your company's security policy, either perform the scan manually or set a scheduled scan during off-peak hours.

See also Disable Auto-Protect scanning of compressed files from the command line

Exclude system directories

Exclude the following directories to increase scan performance:

  • /proc
  • /sys
  • /dev

Note: SEP for Linux will try to scan these directories. At best, your system log will be clogged with "failed to open file" messages and performance will suffer. At worst, SEP may crash. See Endpoint Protection for Linux crashes during scan of system directories.

You can also exclude other large archival formats, such as mail stores and databases. For example, a database file may be scanned every time it is read, and reads can occur hundreds of times per second. This adds significant overhead and affects performance for both the application and the system.

Exclude any folder where a remote (shared) file system is mounted. Network shares should be scanned by their host, not by clients accessing them.

Note: Starting with the SEP Linux 14.3 RU1 MP1 client, the Auto-Protect driver excludes pseudo file systems such as /proc, /dev, and /sys by default. If the SEP Linux client is version 14.3 RU1 MP1 or later, excluding the following directories is therefore not required:

  • /proc
  • /sys
  • /dev
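As an added example (not Symantec's code or tooling), the shell script below reads a mount table in /proc/mounts format and lists the mount points this article says to exclude: pseudo file systems (only needed on clients older than 14.3 RU1 MP1) and remote NFS/CIFS shares, which should be scanned by their host. The file-system type lists and the sample mount table are constructed assumptions; database and mail-store directories cannot be detected from the mount table and still have to be added to the exceptions policy by hand.

```shell
#!/bin/sh
# Added example, not part of SEP for Linux or Symantec's tooling.
# Input: mount table in /proc/mounts format (device mountpoint fstype options dump pass).
# Output: mount points that this article recommends excluding from scanning.

# Assumption: these type lists are our own choice, not a Symantec-published list.
PSEUDO_FS='proc|sysfs|devtmpfs|devpts|cgroup|cgroup2|debugfs|tracefs|securityfs|pstore|efivarfs|bpf|mqueue|hugetlbfs'
REMOTE_FS='nfs|nfs4|cifs|smb3|afs|ceph|glusterfs'

# candidate_exclusions: stdin = mount table, stdout = sorted, unique mount points to exclude.
candidate_exclusions() {
    awk -v pseudo="^(${PSEUDO_FS})\$" -v remote="^(${REMOTE_FS})\$" '
        # /proc/mounts escapes spaces in paths as \040; restore them for the exclusion list
        { gsub(/\\040/, " ", $2) }
        $3 ~ pseudo { print $2; next }   # pseudo file system: /proc, /sys, /dev, ...
        $3 ~ remote { print $2; next }   # remote share: let the file server scan it
    ' | LC_ALL=C sort -u
}

# Constructed sample mount table (not captured from a real host).
SAMPLE_MOUNTS='proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
sysfs /sys sysfs rw,nosuid,nodev,noexec,relatime 0 0
udev /dev devtmpfs rw,nosuid,relatime,size=4096k,nr_inodes=1024,mode=755 0 0
/dev/sda1 / ext4 rw,relatime 0 0
/dev/sdb1 /var/lib/pgsql xfs rw,relatime 0 0
fileserver:/export/home /home nfs4 rw,relatime,vers=4.1 0 0
//nas/share /mnt/nas\040share cifs rw,relatime,vers=3.0 0 0'

# sample_exclusions: run the constructed sample through the filter.
# On a real host, use: candidate_exclusions < /proc/mounts
sample_exclusions() {
    printf '%s\n' "$SAMPLE_MOUNTS" | candidate_exclusions
}

sample_exclusions
```

The local ext4 and xfs mounts (including the database directory /var/lib/pgsql) are deliberately not listed, since exclusions for databases and mail stores depend on the application rather than the file-system type.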

Creating exceptions policies in Endpoint Protection Manager
Configure scan exceptions in Endpoint Protection for Linux from the command line