Symantec Endpoint Protection for Linux rtvscand deamon will move from kernel space to user space during a scan in order for name resolution of the user account of the file GID/UID (Group ID/User ID).
On systems with a high volume of data or activity, this behavior can cause performance issues, and in extreme cases may cause the system to become temporarily unresponsive.
There are no discernable errors, but if a system has a high volume of data and rtvscand must enumerate 150,000+ files during a single scan this will cause system performance to decrease significantly and may even cause the machine to become unresponsive. This will occur even if when scan exclusions are in place because the file is still enumerated when excluded.
Symantec Endpoint Protection for Linux does not have a kernel cache and will therefore perform a name resolution for each individual file it scans.