Endpoint Protection

  • Private Community
 View Only

  • 1.  "File Cache" function cause performance problems on some servers

    Posted Feb 12, 2013 08:23 AM

    Hi,

    We have the following configuration for the "File Cache" function for our servers with SEP 12.1.2 installed:

     

    • Enable file cache [x]
    • Use the default file cache size [x]
    • Rescan cache when new definitions load [x]

     

    Now we see on some servers a performance impact when new definitions get loaded.

    • On one SQL Server the "Rescan" only takes ~4 Minutes - C:\ drive kind of busy but not too much really – I see this as a normal impact with the “Rescan” option enabled
    • On another SQL the "Rescan" takes up to 30 Minutes and scans 15.000 files - C:\ busy the whole scan time
    • Archiving server that stores millions of files the "Rescan" can take up to 60 Minutes - D:\ drive (where the archived PDFs are stored) is very busy with some performance impact to search query’s from the archiving solution

    My questions are now:

     

    • Should we disable the “Rescan cache when new definitions load” function on all servers?
    • If so, is that a security risk?
      • Let´s say a “bad file” is marked as clean inside of the cache
      • New definitions get loaded that “know” that the “bad file” should get detected
      • Will it get detected then?
    • How big is the “default cache size”? Can it be changed in SEP12.1? The documentation says “Applies only to legacy Clients” Do they mean SEP11?

     

     

    Thanks!



  • 2.  RE: "File Cache" function cause performance problems on some servers

    Posted Feb 12, 2013 08:35 AM

    it is really up to you. If there is a file in quarantine and you uncheck the option that it won't be scanned. There is a chance that new defs can remediate the threat. It's not always guaranteed though.



  • 3.  RE: "File Cache" function cause performance problems on some servers

    Posted Feb 12, 2013 08:53 AM

    According to the documentation:

    File System Auto-Protect uses a file cache so that it remembers the clean files
    from the last scan. The file cache persists across startups. If the client computer
    shuts down and restarts, File System Auto-Protect remembers the clean files and
    does not scan them.
    File System Auto-Protect rescans the files in the following situations:
    ■ The client computer downloads new definitions.
    ■ Auto-Protect detects that the files might have changed when Auto-Protect
    was not running.
    You can disable the file cache if you always want Auto-Protect to scan every file.
    If you disable the file cache, you might impact the performance of your client
    computers.
    You can also set the following parameters:
    ■ The file cache size
    The default cache size is 10,000 files per volume. You can change the cache
    size if you want File System Auto-Protect to rescan more or fewer files.
    ■ Whether or not Auto-Protect rescans the cache when new definitions load
    You might want to disable this parameter to improve File System Auto-Protect
    performance

    http://www.symantec.com/business/support/index?page=content&id=HOWTO27136

    The option is applying as well for 12.1.

     

    Additionaly in SEP 12.1 there is Shared Insight Cache which you may find interesting:

    https://www-secure.symantec.com/connect/blogs/shared-inside-cache-sep-121

    How Shared Insight Cache works

    http://www.symantec.com/docs/HOWTO55318

    Symantec Endpoint Protection Shared Insight Cache User Guide 12.1

    http://www.symantec.com/docs/DOC4334

    Shared Insight Cache - Best Practices and Sizing guide

    http://www.symantec.com/business/support/index?page=content&id=TECH174123

    Installation and Configuration of SEP Shared Insight Cache

    http://www.symantec.com/docs/TECH185897

     

    To your question:

    If so, is that a security risk?

    • Let´s say a “bad file” is marked as clean inside of the cache
    • New definitions get loaded that “know” that the “bad file” should get detected
    • Will it get detected then?

     

    Yes, this is the whole point of rescanning the cache again - to check it with the newest definition set that may include the signatures that weren't available with previous definitions - this may as well detect threats in files previously marked as clean anc cached.



  • 4.  RE: "File Cache" function cause performance problems on some servers

    Posted Feb 20, 2013 04:07 AM

    Thanks for your answer!

    Shared Insight Cache only works for scheduled scans and not for auto protect scans right? Will Shared Insight Cache work for the “Rescan cache when new definitions load” ?

    Is there a way that SEP “forgets” the cache when new definitions arrive and does not rescan it?



  • 5.  RE: "File Cache" function cause performance problems on some servers

    Posted Feb 20, 2013 04:21 AM

    It will rescan from the above link

     

    File System Auto-Protect rescans the files in the following situations:

    • The client computer downloads new definitions.

    For Share insight cache

     

    How Shared Insight Cache works

    http://www.symantec.com/business/support/index?page=content&id=HOWTO55318#v49770729


  • 6.  RE: "File Cache" function cause performance problems on some servers

    Posted Feb 20, 2013 04:51 AM

    1. "Is there a way that SEP “forgets” the cache when new definitions arrive and does not rescan it?"

    ...well this is controlled exactly by the option you have already mentioned - "Rescan cache when new definitions arrive" - if you disabled it you will disabled basically the cache rescans.

     

    2. "Shared Insight Cache only works for scheduled scans and not for auto protect scans right? Will Shared Insight Cache work for the “Rescan cache when new definitions load” ?"

    As per documentation:

    NOTE: Shared Insight Cache is only available for the clients that perform scheduled scans and manual scans.

    Rescan cache when new definitions load - is a setting of Autoprotect on the other hand.