
virus scan storm

Occasional Contributor

virus scan storm

I received a Cache under-provisioned error.

Happened during a scheduled anti-virus scan.

I guess you can call it a virus scan storm.

Where to go from here? Any suggestions?

Esteemed Contributor

Re: virus scan storm

The 2.2 code and higher will prevent random scans and writes from flushing the cache. If you're not on those code levels, you should upgrade. The other way to work around this is to write a script to disable cache on the affected volume during the scan, and then turn it back on.

Occasional Contributor

Re: virus scan storm

We are on code. So we are already on that code level.

Respected Contributor

Re: virus scan storm

Move away from traditional AV scanning: protecting your endpoints and using AV scanning at the hypervisor level is much more efficient and solves your problems.

The IO storms during scans are very common and there is no solution other than the above; you can mitigate the effect by offsetting the scans. NOTE: this offsetting of the times is something you should also apply to the application of WSUS updates!!
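Added example, not part of the original thread: one way to offset scheduled scans so that each storage volume sees only a bounded number of scans at once. The host names, volume names, window and scan duration are constructed assumptions; the scan duration is an estimate, and a scan that overruns it will overlap the next slot.

```python
import hashlib
from collections import defaultdict
from datetime import datetime, timedelta


def stagger_scans(hosts, window_start, window_minutes, scan_minutes, max_per_volume):
    """Assign each (hostname, volume) pair a scan start time so that no volume
    has more than max_per_volume scans in the same slot.
    Returns {hostname: datetime}."""
    slots = window_minutes // scan_minutes  # non-overlapping slots in the window
    by_volume = defaultdict(list)
    for name, volume in hosts:
        by_volume[volume].append(name)

    schedule = {}
    for volume, names in by_volume.items():
        # Refuse to build a schedule that would exceed the per-volume limit.
        if len(names) > slots * max_per_volume:
            raise ValueError(f"{volume}: {len(names)} hosts do not fit in the window")
        # Order by a hash of the name so the result is the same on every run
        # and does not depend on the order of the inventory export.
        ordered = sorted(names, key=lambda n: hashlib.sha256(n.encode()).hexdigest())
        # Round-robin over the slots spreads the hosts of one volume evenly.
        for i, name in enumerate(ordered):
            offset = (i % slots) * scan_minutes
            schedule[name] = window_start + timedelta(minutes=offset)
    return schedule


def peak_per_volume(hosts, schedule):
    """Highest number of scans that share a start slot, per volume."""
    counts = defaultdict(lambda: defaultdict(int))
    for name, volume in hosts:
        counts[volume][schedule[name]] += 1
    return {volume: max(c.values()) for volume, c in counts.items()}


# Constructed sample inventory: 10 VMs on one volume, 3 on another.
HOSTS = [(f"vm{i:02d}", "vol-a") for i in range(10)] + [(f"db{i}", "vol-b") for i in range(3)]
START = datetime(2024, 1, 6, 1, 0)  # constructed maintenance window start

if __name__ == "__main__":
    plan = stagger_scans(HOSTS, START, window_minutes=240, scan_minutes=60, max_per_volume=3)
    for host, when in sorted(plan.items(), key=lambda kv: (kv[1], kv[0])):
        print(when.strftime("%H:%M"), host)
    print(peak_per_volume(HOSTS, plan))
```

The same slot assignment can be reused to offset WSUS update installation times.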




Re: virus scan storm

If you are using Symantec Endpoint Protection, I would look for a feature called Insight Cache.  If you're forced (i.e. compliance) to do 'absolute' FULL scans on every machine every day or week, and your AV scan policies or endpoint groups aren't staggered, I would highly recommend an antivirus solution that compares file hashes on the scanned target, instead of actually scanning each and every file.  You might not eliminate all of the load, but it definitely was noticeable for us.


Re: virus scan storm

We have Symantec because someone finds it adds value. I could argue that point but I don't.

Instead we run the latest version 12.1.6 (?), the version that allows for a "light" client with drastically reduced definition file sizes and updates. The downside is that it only has definitions for the latest malware. We also have turned off scheduled scans. We only scan on file modification, which for 99% of the files on a VM are never touched after they arrive.

We have lots of other layers in the environment, PaloAlto, FireEye, etc., which actually catch/block stuff.

We also run WSUS updates in the wee hours of the morning.