Troubleshooting slow boot times in Symantec Endpoint Protection
search cancel

Troubleshooting slow boot times in Symantec Endpoint Protection

book

Article ID: 151664

calendar_today

Updated On:

Products

Endpoint Protection

Issue/Introduction

Machines are slow to boot after installing Symantec Endpoint Protection (SEP).

Symptoms
Increased time waiting to log in to the machine when Symantec Antivirus or Symantec Endpoint Protection are installed. The computer may seem to hang on "Applying Personal Settings."

 

Cause

There are multiple potential causes for this issue.

Resolution

Establish Boot times and check for Mapped Drives:

  1. Establish boot time with customer's full application suite installed on the machine without SEP installed while off the network.
  2. Compare this time against the boot time while SAV or SEP is installed and auto-protect is enabled while off the network. By default, Auto-protect enables at system startup, and loads when the SAVRT driver initializes. Auto-protect can be configured to load at service startup (which is after win-logon in the boot process.) It is important to know when Auto-protect loads because all files accessed by the system during the boot process will be checked by Auto-protect which increases the time it takes for the system to fully boot. Symantec Strongly recommends leaving Auto-protect to load at system startup due to the threat of network aware infectors that have the ability to compromise a machine before a user logs on. Please see the Technical Information section of this document for steps to configure when Auto-protect loads.
  3. Compare the previous time against a boot up of the machine where Auto-protect is enabled and the machine is now on the network. If there is a significant increase in time, check to see if there are mapped drives on the machine. When mapped drives are configured to load at system startup, which is checked by default when creating a mapped drive, Auto-protect will maintain a scanning thread for this activity until the drive successfully connects. Network latency will increase the time it takes for the system to become usable.
  4. Disable all Mapped drives and compare the boot time to the boot time where the drives initialize and connect at startup. If there is a significant improvement, this might point to a network based problem.


Other factors that impact boot times:

  • If a client is managed by a parent server, it checks in immediately with that server once Rtvscan.exe starts. If there are definitions available, the client will download these which can result in a performance impact during the boot process through win-logon. This wait is typically extended if the client must download a full virus definition catalogue.
  • By default, Symantec Endpoint Protection run a startup quick-scan of the file system at system startup which is a low impact scan of common areas where infectors are found. For information on configuring the startup scan, please see the Technical Information portion of this document.
  • Check to see if the computer is using roaming profiles. Roaming profiles can involve a substantial amount of information being transferred from another computer in the Windows domain to this local computer, especially if this is the first time that a specific user has logged in to this workstation. Scanning of that profile either by the remote server or the local client can cause delays.




References
Very useful blog about identifying the cause of slow logons with Process Monitor (procmon) http://blogs.technet.com/markrussinovich/archive/2010/01/13/3305263.aspx



Technical Information
 

How to configure when Auto-protect loads for Symantec Antivirus managed clients:

  1. Launch Symantec System Center and unlock the applicable server group.
  2. Right click either the server group or parent server -> all tasks -> Symantec Antivirus -> Client Auto-Protect Options -> Advanced button
  3. In the "Startup Options" section, select either System Start for Auto-protect to load early in the boot phase, or select Symantec Antivirus start for Auto-protect to load when the Symantec AntiVirus service starts (after win-logon.)


How to configure when Auto-protect loads for Symantec Endpoint Protection managed clients:

  1. Launch the Symantec Endpoint Protection Manager.
  2. Select the Policies tab in the left-hand pane.
  3. Under "View Policies" select Antivirus and Antispyware
  4. In the right-hand window, select the policy that you wish to change Auto-protect's loading order for, then in the "Tasks" section, select Edit the policy.
  5. In the left-hand column, select File System Auto-Protect
  6. Select the Advanced tab
  7. In the "Startup and Shutdown" section you will be able to specify when Auto-Protect loads.



How to disable/enable Startup and Quick Scans within the Symantec Endpoint Protection Manager

Userenv.log
Windows' User Environmnet log (C:\WINDOWS\Debug\UserMode\userenv.log) is an excellent source of information about slow boot-ups, group policy application and profile loading.

"Where enabling Userenv logging is necessary to see exactly what is happening with group policy and profile loading.... One thing to remember is that if the logging is not enabled then do not try and interpret the log since very minimal logging is enabled by default!" (http://www.ditii.com/2008/11/12/how-to-read-a-userenv-log-in-vista-or-windows-server-2008-part-1/ ) Debug info for non-Vista: 221833 How to enable user environment debug logging in retail builds of Windows http://support.microsoft.com/kb/221833

Understanding How to Read a Userenv Log – Part 1 http://blogs.technet.com/askds/archive/2008/11/11/understanding-how-to-read-a-userenv-log-part-1.aspx
Understanding How to Read a Userenv Log – Part 2 http://blogs.technet.com/askds/archive/2008/11/11/understanding-how-to-read-a-userenv-log-part-2.aspx
Interpreting Userenv log files http://technet.microsoft.com/en-us/library/cc786775(WS.10).aspx

LoadOrder
Sysinternals have a tool (LoadOrd.exe) which reveals the order that a system loads device drivers and services. http://technet.microsoft.com/en-us/sysinternals/bb897416.aspx

Event Logs
Examining the Windows System and Application Event Logs will also reveal much information about what is occurring during a boot. The following events are logged whenever a computer boots. Are there any errors which consistently appear afterward? Perhaps about services or minifilters that are attempting to load, but fail? Is SEP or SAV dependent on those? Will resolving that issue ensure prompt boot times?
 

Type: Information
Date: 08/02/2010
Time: 14:15:05
Event: 6005
Source: EventLog
Category: None
User: N/A
Computer: COMPUTERNAME
Description: The Event log service was started.

Type: Information
Date: 08/02/2010
Time: 14:15:05
Event: 6009
Source: EventLog
Category: None
User: N/A
Computer: COMPUTERNAME
Description: Microsoft (R) Windows (R) 5.01. 2600 Service Pack 3 Multiprocessor Free.