topic Re: virus scan storm in Array Performance and Data Protection

virus scan storm

jkim13 — Tue, 16 Feb 2016 17:06:16 GMT

I received a Cache under-provisioned error.

Happened during a scheduled anti-virus scan.

I guess you can call it a virus scan storm.

Where to go from here? Any suggestions ?

Re: virus scan storm

rugby0134 — Tue, 16 Feb 2016 17:17:49 GMT

the 2.2 code and higher will prevent random scans and write from flushing the cache. If your not on those code levels, you should upgrade. The other way to work around this is to write a script to disable cache on the effected volume during the scan, and then turn it back on.

Re: virus scan storm

jkim13 — Tue, 16 Feb 2016 18:06:35 GMT

We are on 2.3.9.2. code. So we are already on that code level.

Re: virus scan storm

chris24 — Wed, 24 Feb 2016 10:00:04 GMT

Move away from traditional AV scanning, protect your endpoints and use AV scanning at the hypervisor level is much more efficient and solves your problems.

The IO storms during scans are a very common and there is no solution other than the above, you can mitigate the effect by offsetting the scans. NOTE: this offsetting of the times is something you should also apply to the application of WSUS updates!!

Cheers,

Chris

Re: virus scan storm

alex_goltz — Fri, 26 Feb 2016 17:27:20 GMT

If you are using Symantec Endpoint Protection, I would look for a feature called Insight Cache. If you're forced (i.e. compliance) to do 'absolute' FULL scans on every machine every day or week, and your AV scan policies or endpoint groups aren't staggered, I would highly recommend an antivirus solution that compares file hashes on the scanned target, instead of actually scanning each and every file. You might not eliminate all of the load, but it definitely was noticeable for us.

Re: virus scan storm

lindy37 — Tue, 01 Mar 2016 02:56:33 GMT

We have Symantec because someone finds it add's value. I could argue that point but I dont.

Instead we run the latest version 12.1.6 (?) the version that allows for a "light" client with drastically reduced definition file sizes and updates. The down side is that it only has definitions for the latest malware. We also have turned off scheduled scans. We only scan on file modification, which for 99% of the files on a VM are never touched after they arrive.

We have lot's of other layers in the environment, PaloAlto, FireEye...etc which actually catch/block stuff.

We also run WSUS updates in the wee hours of the morning.