Endpoint Protection

 We have a 2008 Enterprise DC/File server hosting about 1TB of data.

We cannot have SEP installed on this server without network browsing being horrendously slow!

We have tried...

1) Uninstalling and reinstalling several times with reboots in between.  See this article:  http://windowsitpro.com/article/articleid/100210/troubleshooting-a-slow-running-windows-server-2008.html
Version 11.0.4202 MR4 MP2 didn't help

2) Disabling SMB2 as described here: http://www.petri.co.il/how-to-disable-smb-2-on-windows-vista-or-server-2008.htm

3) Disabling chimney offload via command line as described here: http://support.microsoft.com/kb/951037

C:\>netsh int tcp show global  Querying active state...   TCP Global Parameters  ----------------------------------------------  Receive-Side Scaling State          : enabled  Chimney Offload State               : disabled  Receive Window Auto-Tuning Level    : disabled  Add-On Congestion Control Provider  : ctcp  ECN Capability                      : disabled  RFC 1323 Timestamps                 : disabled

4) Disabling teaming of NICs
5) Disabling IPv4 large send offload on the NIC



We probably need to open a case with Symantec but can anyone here help?

are u trying to install all the componentsof SEP?
like Antivirus /antispyware
ptp
ntp?
try just installing av/AS and check the load

As Rafeeq told.NTP shold be the issue.Anyway have a look in below doc also

Symantec Endpoint Protection Client configuration changes for performance optimization

 Sorry...we only install the antivirus/antispyware component.

The server also shows very little load when the issue occurs.

Whether you tried my suggestions? 

Not yet...will try these things tonight:

Communication settings
Disable tamper protection

(Network drive scanning is off and scheduled scan was already running at a non-intrusive time)

 Tried those settings but it was slow again for the users this morning.  Have uninstalled it again for now to allow the users to work.

Any other suggestions?

Have a look in below article and assure that all necessary exclusions re done.(By default SEP will exclude for dc anyway just confirm.
Virus scanning recommendations for computers that are running currently supported versions of Windows 

For confirming the exclusions refer below article
How to Verify if an Endpoint Client has Automatically Excluded an Application or Directory
-------------------------------------------------------------------------------------------------------------------
Only install AV/AS ,remove any mail scanning component of AV/AS also.

 Will check the exclusions at the next install (didn't do it last night)

How can I verify that I'm not installing any mail scanning component?  I have just been exporting the package from Admin -> Install Packages.  Should I use the deployment wizard instead?

Out of curriosity having dealt with an A/V compatibility problem a few years back that sounds extreemely similar to yours:

How many files are in your 1 TB of files?
How many users connect at a given time?
By chance do you have non-Windows clients connecting (like Macs/Linux)?

A few years back, I was having trouble with any A/V (I tried several products) running on one of my file servers.  Using process monitoring tools, I was able to track down that systems were not "letting go" of files when they were done with them.  Somehow A/V, regardless of the vendor, caused the problem to become worse.  Interestingly, all of the files that were left open came from Macs that were connecting.

Thanks for the reply Eric.

This server hosts data for one part of the company (servicing 200 users), and it hosts the roaming profiles, users directories, customer files and application data.  All up, there's about 3,000,000 files and about 550,000 folders.

We have a Citrix environment on Windows 2003 server so we don't have any non-Windows clients connecting.

Perhaps I should try another AV product and go from there.

Thanks

http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2008112414453348?Open&seg=w 

For creating customized package refer below doc
Creating custom client installation packages in the Symantec Endpoint Protection Manager console 

if you already installed SEP you can still modify the components .For this you can go to add/remove programs-->select SEP ---->click on change.It will pop up the wizard and in the second screen select modify and in the third screen you will be able to add/remove any features....

The SEP client is not installed on our Citrix servers.  We use McAfee as SEP would be a dog on terminal servers.

 Thanks...we definitely didn't have any mail components installed then.  I recall checking under Add/Remove Programs and the only option that was checked was AV/AS.

Under AV/AS non of the mail components got installed... Right? 

Try by adding scanning exclusion for ntuser.dat/ntuser.man  files.. 

Why would the mail scanning/checking pieces matter for the file sharing slowness?
Mail should only impact if mail is being used, and it won't be on a server...............

I'm thinking for the file server itself, maybe Stix should try scanning only executable files, to see if that helps.  The server could be overloaded once A/V gets factored in.

 We have a 2003 DC/file server hosting about the same amount and type of data and we haven't had any issues on it with SEP so it has to be a specific issue with 2008.

Try by disabling windows defender and UAC for this server.. 

Both are already disabled

Do you verified these exclusions? 

 Yes

See whether this can help you in this
Configuring opportunistic locking in Windows 

Hi Stix,

By default, SEP's Auto-Protect scans files as they are written from your computer to a remote computer. Auto-Protect also scans files when they are written from a remote computer to your computer.  It is possible to configure whether or not your Auto-Protect trusts files on the remote computers that run Auto-Protect.  You can also specify whether or not your computer should use a cache to store a record of the files that Auto-Protect scans from a network.  Adjusting those settings may improve performance on your Windwos 2008 Serevr.

Configuring Network Scan Settings in Symantec Endpoint Protection

Thanks and best regards,

Mick

You can't in Server 2008 and Vista or later.

I've had to disable it on Server 2003 and it really slows things down to do so! SEP is broken when ops lock is enabled, and Symantec has yet to fix that.
But you can't disable it in 2008.

 Well, the plot thickens...

I investigated the "slowness" myself and discovered that the issue is very specific.

The user's application data directory is redirected to their shares, ie \\FILE-SERVER\user\Application Data

When the users have an xla file in \\FILE-SERVER\user\Application Data\Microsoft\Excel\XLSTART, Excel takes ages to open an Excel file.  If that file isn't in there, Excel opens files immediately.

And the kicker...if Auto Protect is enabled on the file server with the xla file present, Excel takes ages top open files.  If Auto Protect is disabled, Excel opens files immediately even with the xla file still there!

So SEP is doing something with the xla file when Excel opens!

I tried adding an exception for the xla extension and even the whole folder for the user, but the issue still remains.  The trouble is, all the staff must definitely have this xla file present.

I can easily replicate the issue - how do we go about contacting Symantec support?  Do we have to have support purchased?

Any other thoughts now?

I think you've gathered more then enough information to get a good support request going.  I'll leave it to the Symantec employees to handle the details of opening a case.

 In order to open a phone case with Symantec you will have to have Support purchased. Details of how to open a case can be found here:

Process for opening a case to resolve technical issues

http://service1.symantec.com/support/custserv-ent.nsf/854fa02b4f5013678825731a007d06af/1a0a181d52a15af58825757f00655df1?OpenDocument


Cheers
Grant

Have already opened a support case.

The first time on the phone, I was on hold for an hour.  Hung up as I had another appointment.

The second time, I was on hold for an hour and a half then they hung up.