How to turn off the "File System Real-time Protection" in Symantec Antivirus Corporate Edition?


Phil Weldon

The request might have something to do with CPU resources. What might not
be noticed with a 3 GHz Pentium 4 in a workstation might be very noticeable
if the CPU can't keep up with disk bandwidth. Without knowing that key
piece of information... Amdahl/Case Rule: A balanced computer system needs
about 1 MByte of memory and 1 MByte per second of I/O bandwidth per MIPS of
CPU performance.

--
Phil Weldon, pweldonatmindjumpdotcom
For communication,
replace "at" with the 'at sign'
replace "mindjump" with "mindspring."
replace "dot" with "."
 

Bruce Chambers

Greetings --

Ask your network administrator. It would appear that he has
configured SAV so that workstation users cannot alter the client's
configuration.

Bruce Chambers

--
Help us help you:




You can have peace. Or you can have freedom. Don't ever count on
having both at once. -- RAH
 

Dmitriy Kopnichev

The "File System Real-time Protection" checks files before moving them to
another folder slowing the moving down 5 times.
 

Dmitriy Kopnichev

The administrator doesn't like me and doesn't know how to turn off the
mandatory "File System Real-time Protection" for my computer. The
administrator who turned on doesn't work here anymore.
 

Dmitriy Kopnichev

I don't work with administrator rights all the time, I install all critical
updates, I antivirus check all incoming files. How could a virus run on my
computer?
The administrator doesn't like me and doesn't know how to turn off the
mandatory "File System Real-time Protection" for my computer. The
administrator who turned on doesn't work here anymore.
 

Dmitriy Kopnichev

Should I have 1800 MByte of RAM and 1800 MByte per second of I/O bandwidth,
if my CPU is P4-1800? How to know my I/O bandwidth?
 

Dmitriy Kopnichev

The administrator doesn't like me and doesn't know how to turn off the
mandatory "File System Real-time Protection" for my computer. The
administrator who turned on doesn't work here anymore.
 

cquirke (MVP Win9x)

On Wed, 28 Apr 2004 13:30:36 +0400, "Dmitriy Kopnichev"
> I don't work with administrator rights all the time,
>
> I install all critical updates,

Good ;-)

> I antivirus check all incoming files.

Nice, FWIW.

> How could a virus run on my computer?

Let me count the ways:
- because it's too new for the av to detect
- because there's a missed frontier point thru which stuff comes
- exploitation of an unpatched hole (negative time-to-exploit)
- on-demand av limitations of malware scanning

The last is a biggie, in the current age of pwd-encrypted .zip that
can't be scanned until they start to unpack themselves.

Put it this way; if this were to happen (or circumstances arose where
this was suspected) and you were the only PC on the system with
real-time av disabled, you'd be on the back foot. All the more so if
you'd used tech steps to subvert the risk policy intended by the org.

I'd have to have a really compelling reason to go there, and I don't
think the paltry speed gains from avoiding resident av would be worth
it. Either the resident av really sucks, or your PC is old and slow,
and if the latter, then leave as-is to motivate for a faster PC :)

Tip: When org ppl phone you, you can say things like "hang on... just
waiting for it to load..." etc. whenever you have to look something
up. After a while said:
The administrator doesn't like me and doesn't know how to turn off the
mandatory "File System Real-time Protection" for my computer. The
administrator who turned on doesn't work here anymore.

Hm. Lots of stories there, I'd bet.

<hippo-chomp of accumulated quotage>


-------------------- ----- ---- --- -- - - - -
Running Windows-based av to kill active malware is like striking
a match to see if what you are standing in is water or petrol.
 

Phil Weldon

Sorry for the typo. The I/O bandwidth should be 1 Mbit per second, not 1
MByte per second. The Amdahl/Case Rule is a 'rule of thumb' like 'Moore's
Law', and only approximate. A 'Northwood' 1.8 GHz Pentium might have 2,400
MIPS, indicating 2.4 GBytes memory and 2.4 GBits I/O bandwidth by the
Amdahl/Case Rule. The I/O bandwidth for a 32-bit, 33 MHz PCI bus would be
32 X 33 MHz ~= 1 GBit/second. The I/O bandwidth for a 32-bit 66 MHz X 8 AGP
bus would be ~= 16 GBit/second, but much of the AGP bus bandwidth is unused
for most applications. A 66 MHz 64-bit PCI bus is available on server
motherboards and a faster replacement for the PCI bus is soon to appear in
general motherboards; server applications approach the 1 MByte per MIPS
ratio, and for general workstation use, the 1 MByte per MIPS ratio is
approached if the swap file is included.

I suggest you use the performance data available in 'Task Manager' (select
'Processes', 'View', 'Select Columns') to find out where your bottleneck is.

--
Phil Weldon, pweldonatmindjumpdotcom
For communication,
replace "at" with the 'at sign'
replace "mindjump" with "mindspring."
replace "dot" with "."
 

Dmitriy Kopnichev

What Columns to use to find out where the bottleneck is? How to know by
numbers in the Column where the bottleneck is?
 

Brian

Dmitriy Kopnichev said:
The administrator doesn't like me and doesn't know how to turn off the
mandatory "File System Real-time Protection" for my computer. The
administrator who turned on doesn't work here anymore.

Any good network admin should know how to operate the software for which
they are responsible. If they don't know, they should find out. Unless there
is a specific reason that they won't turn it off. That's up to the manager
of your IT department to determine.
 

Bill Sanderson

I hear 'ya.

But think about it: If the product really had that effect on everyone who
uses it, would it survive in the market very long?

Phil Weldon might be right--maybe your machine has a horsepower situation
which is just marginal enough that it becomes a disaster with Nav corporate
running.

I tend to suspect a bug--possibly an OS bug, rather than just NAV by
itself--which is having this effect.

Have you tested transfers over several paths, to compare?

For example--if your normal transfers are from your workstation to a Windows
2000 server, what about the same transfer from your workstation to a Windows
XP workstation, or a Windows 2000 Pro workstation?

Any differences?
 

Bill Sanderson

How are you turning it off, to make this comparison--if you can't get the
administrator to do this?
 

Bill Sanderson

Unless it exploits a vulnerability which allows for privilege escalation.

A good many vulnerabilities do allow for this sort of issue.

There's no perfect solution here. I've personally seen a fair number of
viruses which arrived at my home box before the virus definitions which
would have detected them arrived from the antivirus vendors. So--you can't
depend on the antivirus vendors.

Patching is good, but look at the time between the initial report of a
vulnerability, and the public availability of the patch which closes that
vulnerability. It can be very long.

I don't know how large an enterprise you work with, but is everyone really
experiencing this level of slowdown with the real-time scanning in effect?

I still think something's broken that can be fixed--without turning off the
real-time scan.
(and at this point it's a bias rather than something based on any facts,
'cause facts are hard to come by in this thread.) I did look at the site
you referenced. It uses a good bit of Java, which I could imagine might
involve lots of little files. It also involves variables such as which Java
engine, and what version of that engine.
 

Bill Sanderson

Dmitriy Kopnichev said:
The administrator doesn't like me and doesn't know how to turn off the
mandatory "File System Real-time Protection" for my computer. The
administrator who turned on doesn't work here anymore.

Administrators not wanting to open things up for the users is normal
everywhere in the world, I think!
 

Phil Weldon

I use Windows 2000 Professional and Windows 2000 Professional, and I use the
'Microsoft Windows 2000 Professional Resource Kit', a 3 kilogram book and
CD-ROM that is a good source of answers for such questions. I'm sure the
'Windows XP Professional Resource Kit' is just as good. The book I have has
165 pages on monitoring and analyzing performance.

There are about 20 columns selectable in 'Task Manager', and the 'Process
Viewer' (Pviewer.exe) is also useful.

Windows XP 'Help' should give information on how to use performance counters
for troubleshooting bottlenecks.



--
Phil Weldon, pweldonatmindjumpdotcom
For communication,
replace "at" with the 'at sign'
replace "mindjump" with "mindspring."
replace "dot" with "."
 

Dmitriy Kopnichev

Moving 7000 files to a CD-RW drive slowed down 10 times after starting
Symantec Antivirus Client Service.
Few people move 7000 files at once or use map programs like MosMap, that's
why they don't notice the slowing down.
File names of files being moved appear in "File System Real-time Scan
Statistics" before they are actually moved.
 

Dmitriy Kopnichev

What is the 'Process Viewer' (Pviewer.exe)?
What does "I use Windows 2000 Professional and Windows 2000 Professional"
mean?
 
