Scan Engine recommendations
- Ensure all steps as per TECH89560 have been applied to your environment.
- If possible, set the local logging level on SSE scanners to Verbose (if disk space is low on your Scan Engine scanners, set it to Info).
Please note you will need to monitor SSE hosts for disk space after this is enabled.
Please provide the following files to Symantec Technical Support:
- Note the date and time when the issue was observed, along with any additional information that could help Symantec identify or locate the issue, such as filenames, paths, etc.
- Filer logs/syslogs from all filers
- "/etc/messages" from filer
- "/etc/logs/" folder from filer
- Provide the outputs of the following commands which should be run from the Filer's Command Line:
- "vscan options"
- "vscan scanners"
- "netstat -a"
- "sysstat -c1"
- "cifs top -s suspicious"
- Scan Engine logs from each scanner. Make sure to include the .dat log file as well as the Symantec Scan Engine log file.
- Scan Engine scanners' Windows Application and System event logs
- All Scan Engine ".xml" files from each scanner
If the Symantec Scan Engine service is either crashing or stopping
Configure DrWatson to generate full memory dumps:
Windows 2003 Server
- Click "start"
- Click "run"
- Enter "Drwtsn32"
- Make sure the "crash dump type" is set to "Full"
- The following check boxes should also be enabled:
- "Dump Symbol Table"
- "Dump All Thread Contexts"
- "Append to Existing Log File"
- "Create Crash Dump File"
- Note down the locations where the dump(s) will be stored
- Click OK
Windows 2000 Server
- Click "start"
- Click "run"
- Enter "Drwtsn32"
- Make sure the following check boxes are enabled:
- "Dump Symbol Table"
- "Dump All Thread Contexts"
- "Append to Existing Log File"
- "Create Crash Dump File"
- Note down the locations where the dump(s) will be stored
- Click OK
Install Userdump to collect memory dumps upon service termination
Alternatively, only if instructed by Symantec Technical Support, you can install and configure Microsoft's Userdump utility.
- Provide your OS details and software installed along with Scan Engine to the Support Engineer, in order to have a sanity check of the Userdump tool on your system.
- Download "User Mode Process Dumper Version 8.1" from: http://www.microsoft.com/downloads/details.aspx?FamilyID=e089ca41-6a87-40c8-bf69-28ac08570b7e&DisplayLang=en
- Run the Setup.exe program for your processor.
- By default, this Setup.exe program is included with the Userdump.exe tool in the C:\kktools\userdump8.0 folder.
- This Setup.exe program installs a kernel-mode driver, installs the Userdump.sys file, and creates the Process Dump icon in Control Panel.
- Unless you have a specific need, disable the "dump on process termination" feature when you run the Setup.exe program.
- In Control Panel, double-click "Process Dumper".
- On the "Process Monitoring" tab, click New, add the appropriate program name (symcscan.exe) to the Monitor list, and then click OK.
- When the program stops responding, a memory dump will be generated automatically.
- Collect the process dump for analysis.
For more information on User Mode Process Dumper, please refer to the following Microsoft KB article: http://support.microsoft.com/kb/241215
Important:
- Remember to disable or uninstall the Process Dumper after obtaining the relevant information for Support.
- Do not collect a memory dump unless a Debug build of Symantec Scan Engine is being used and instructions are provided by Symantec Enterprise Technical Support.
- Do not check the option "Dump on process termination" on userdump.exe unless instructed by Symantec Enterprise Technical Support.
Filer recommendations
If possible, enable Syslog logging on the Filer with all events (error to debug) and all facilities events sent to a Syslog server.
Performance analysis and troubleshooting on Scan Engine and Windows server
Performance Logs
The following steps will guide you to collect performance-related data from the Scan Engine server.
Notes:
- Collect performance logs only from the Symantec Scan Engine scanners most affected by the issue you need to troubleshoot/collect logs for.
- Generally, performance log collection doesn't affect the system's performance. However, you should expect an increase in CPU and disk usage. It is very important that you run the performance log collection only while reproducing the issue you need to troubleshoot.
- Make sure your C: drive has enough free space (at least 2-3 GB) before applying the following steps.
Windows 2003 Server
- Enter Windows Computer Management, browse to "System Tools / Performance Logs and Alerts / Counter Logs", then click "Action" menu and "New Log Settings..." as illustrated below:


- Enter a name for the new perfmon log:

- Click "Add Objects...":

- Select "Use local computer counter objects" then select "TCPv4" from the objects list as in the illustration below:

Click Add then Close.
- Once TCPv4 has been added, click "Add Counters...":

- First, select the Object called Redirector, then select (keep the CTRL key pressed) the following:

Click Add
- Stay on the Add Counters window, then select the following:

Click Add then Close
- Set sampling to be every 10 seconds:

- Move to the "Log Files" tab, then make sure the log file is created as a CSV file:

- Move to the "Schedule" tab, then select the following:

- If the following dialog is shown, answer YES:

- When ready to reproduce the issue you're observing, start the counter by selecting it and clicking the "play" icon.
The Scan Engine icon will turn from red to green.

- After the issue has been reproduced, make sure to stop the collection by clicking the "stop" button:
Windows 2000 Server
- Enter Windows Computer Management, browse to "System Tools / Performance Logs and Alerts / Counter Logs", then click "Action" menu and "New Log Settings..." as illustrated below:

- Enter a name for the new perfmon log:

- Click "Add...":

- Select "Use local computer counter objects" then select "Network Interface" and counters as in the illustration below:

Then click Add and Close.
- Click "Add..." again:

- Select the following options:

When selecting counters, keep the CTRL key pressed and select the following item towards the end of the list:

Click Add then Close
- Click "Add..." again:

- Select the following options:

Click Add then Close.
- Set sampling to be every 10 seconds:

- Move to the "Log Files" tab, then make sure the log file is created as a CSV file:

- Move to the "Schedule" tab, then select the following:

- If the following dialog is shown, answer YES:

- When ready to reproduce the issue you're observing, start the counter by selecting it and clicking the "play" icon.
The Scan Engine icon will turn from red to green.

- After the issue has been reproduced, make sure to stop the collection by clicking the "stop" button:

Process Monitor
Note: Process Monitor data collection can generate very large files in some environments.
Please run this tool only if instructed to do so by Symantec Enterprise Technical Support.
- Download Procmon from http://download.sysinternals.com/Files/ProcessMonitor.zip
- Extract and run the tool on all the Scan Engine scanners
- Stop the log by clicking on the following icon:

- Clear the existing log by clicking on the following icon:

- Set up a logging filter for the "symcscan.exe" process only, by clicking on "Filter" menu and "Filter...", as shown in the steps below:



- When ready to start the capture (either before reproducing the problem or when the problem is due to occur), click the following icon to start capture:

- At the end of collection, save the log file by selecting the options below:

What other logs to gather should the problem occur again
Should the problem occur again, please provide the following files to Symantec Technical Support:
- Outputs of the following commands which should be run from the Filer's Command Line:
- "vscan options"
- "vscan scanners"
- "netstat -a"
- "sysstat -c1"
- "cifs top -s suspicious"
- Output of a "netstat -an" command run on the Scan Engine server. Use the command "netstat -an > connections.txt", and send support the connections.txt file.
Note: this output should be generated when the issue is observed
- If the Scan Engine service is crashing, provide full memory dumps obtained through DrWatson
- If the Scan Engine service is not crashing, provide a process dump of the "symcscan.exe" process obtained through User Mode Process Dumper while the problem is occurring.
- Performance logs from each Scan Engine scanner
- Process Monitor log from each Scan Engine scanner
- Windows Application and System event logs from each Scan Engine scanner.
- If possible, provide a Symbatchdiag file from each Scan Engine scanner (for more information: http://service1.symantec.com/support/ent-security.nsf/docid/2008053007034848)
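
Before sending connections.txt (the "netstat -an" capture from the list above), it can help to see which TCP states dominate and which remote hosts hold them. The script below is an added example, not part of the original article or a Symantec tool; the sample rows, addresses and ports are constructed, and the `peer` parameter (for instance the filer's IP address) is an assumption of this example.

```python
import re
import sys
from collections import Counter

# Constructed sample of Windows "netstat -an" output (not from a real host).
SAMPLE = """\

Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    10.0.0.20:1045         10.0.0.5:445           ESTABLISHED
  TCP    10.0.0.20:1046         10.0.0.5:445           TIME_WAIT
  TCP    10.0.0.20:1047         10.0.0.5:445           TIME_WAIT
  TCP    10.0.0.20:1048         10.0.0.6:139           CLOSE_WAIT
  UDP    0.0.0.0:445            *:*
"""

# TCP rows only: protocol, local endpoint, remote endpoint, state.
ROW = re.compile(r"^\s*TCP\s+(\S+)\s+(\S+)\s+([A-Z_0-9]+)\s*$")

def split_endpoint(endpoint):
    """Split 'addr:port' on the last colon so forms such as [::]:445 also work."""
    addr, _, port = endpoint.rpartition(":")
    return addr, port

def summarize(text, peer=None):
    """Count TCP states overall and per (remote address, state).

    peer: optional remote address to restrict the counts to.
    Headers and UDP rows are skipped because they carry no state column.
    """
    states, per_peer = Counter(), Counter()
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        _local, remote, state = m.groups()
        addr, _port = split_endpoint(remote)
        if peer and addr != peer:
            continue
        states[state] += 1
        if state != "LISTENING":
            per_peer[(addr, state)] += 1
    return states, per_peer

if __name__ == "__main__":
    # Pass the path to connections.txt, or run without arguments for the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    states, per_peer = summarize(text)
    for state, n in states.most_common():
        print(f"{state:<12} {n}")
    for (addr, state), n in sorted(per_peer.items()):
        print(f"{addr:<16} {state:<12} {n}")
```

Comparing the summary of a capture taken while the issue is observed with one taken during normal operation shows whether connections to a given host are piling up in a particular state.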