
Policy updates freezing terminal servers

Lately it seems anytime you change a policy in SEC (5.2) and push it out to hosts, terminal servers experience freeze-ups. So far remotely running taskkill against savservice.exe releases the system, but this is a huge issue for us. We have 100s of users on terminal servers and can have them freezing up with every policy update.  

Might be especially related to the DLP module, but that is just a gut feeling.

  • During the time the system is frozen, the system event log gets lots of these entered:

    Event Type: Error
    Event Source: SAVOnAccessControl
    Event Category: None
    Event ID: 85
    Date: 2/13/2013
    Time: 11:51:03 AM
    User: N/A
    Computer: CAWINT32
    Description: File [...irus\Security.dll]'s scan succeeded following a timeout/busy condition - it is being logged in case it contributed to that condition. Process sdcservice.exe, (start check timestamp [ 1ce0a0a4f0361cb]).

    Data:
    0000: 00 00 04 00 04 00 6e 00   ......n.
    0008: 00 00 00 00 55 00 3d e0   ....U.=à
    0010: f7 00 4a 01 83 01 00 c0   ÷.J.ƒ..À
    0018: 00 00 00 00 00 00 00 00   ........
    0020: 00 00 00 00 00 00 00 00   ........
    0028: 00 00 00 00               ....

    Event Type: Error
    Event Source: SAVOnAccessControl
    Event Category: None
    Event ID: 85
    Date: 2/13/2013
    Time: 11:51:03 AM
    User: N/A
    Computer: CAWINT32
    Description: File [...l\swc_service.exe]'s scan succeeded following a timeout/busy condition - it is being logged in case it contributed to that condition. Process swi_service.exe, (start check timestamp [ 1ce0a0a4eedec86]).

    Data:
    0000: 00 00 04 00 04 00 6e 00   ......n.
    0008: 00 00 00 00 55 00 3d e0   ....U.=à
    0010: f7 00 4a 01 83 01 00 c0   ÷.J.ƒ..À
    0018: 00 00 00 00 00 00 00 00   ........
    0020: 00 00 00 00 00 00 00 00   ........
    0028: 00 00 00 00               ....

    Similar for almon.exe etc.
  • I would say that this is not just terminal servers; I have two Vista/7 64-bit PCs exhibiting the same symptoms. The PC becomes unresponsive and these messages are logged in the event log.
  • Are the appropriate exclusions in place on the systems? Do the systems have sufficient resources available to handle the load?

    I have come across this one a few times (mostly on older laptops) - and in each case it was either poor disk performance, lack of memory, or hardware faults. I have never seen this occur across any of the server fleet or modern endpoint hardware (laptops / desktops / virtuals).

    I know that for the firewall configuration during a policy update, it will temporarily remove all rules and re-add them as per the policy configuration. I am, however, not sure of the process for antivirus. If suddenly the same behaviour occurs on antivirus, and a high-I/O application that is heavily using the disk is active (and usually has an exclusion), it might temporarily lose that exclusion, resulting in the file being scanned. Just a theory, but always something worth investigating.

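One way to triage the Event ID 85 entries quoted in this thread and to check the exclusion theory from the last reply, as an added example that is not part of the original posts or of any Sophos tooling. It assumes the System log was exported as text in the flattened layout shown above; the third sample event, `exampleapp.exe` and the `EXCLUSIONS` path are constructed placeholders.

```python
import re
from collections import Counter
from datetime import datetime

# First two events are copied from the thread; the third is constructed
# to represent a file that the AV policy is supposed to exclude.
SAMPLE = r"""
Event Type: Error Event Source: SAVOnAccessControl Event Category: None Event ID: 85 Date:  2/13/2013 Time:  11:51:03 AM User:  N/A Computer: CAWINT32 Description:  File [...irus\Security.dll]'s scan succeeded following a timeout/busy condition - it is being logged in case it contributed to that condition. Process sdcservice.exe, (start check timestamp [ 1ce0a0a4f0361cb]).
Event Type: Error Event Source: SAVOnAccessControl Event Category: None Event ID: 85 Date:  2/13/2013 Time:  11:51:03 AM User:  N/A Computer: CAWINT32 Description:  File [...l\swc_service.exe]'s scan succeeded following a timeout/busy condition - it is being logged in case it contributed to that condition. Process swi_service.exe, (start check timestamp [ 1ce0a0a4eedec86]).
Event Type: Error Event Source: SAVOnAccessControl Event Category: None Event ID: 85 Date:  2/13/2013 Time:  11:51:40 AM User:  N/A Computer: CAWINT32 Description:  File [...ample\App\cache.dat]'s scan succeeded following a timeout/busy condition - it is being logged in case it contributed to that condition. Process exampleapp.exe, (start check timestamp [ 0]).
"""
EXCLUSIONS = [r"D:\Example\App\cache.dat"]  # hypothetical configured exclusion

EVENT_RE = re.compile(
    r"Event Source:\s*(?P<source>\S+).*?Event ID:\s*(?P<id>\d+)\s+"
    r"Date:\s*(?P<date>\S+)\s+Time:\s*(?P<time>\d+:\d+:\d+ [AP]M).*?"
    r"Computer:\s*(?P<host>\S+).*?File \[(?P<file>[^\]]+)\]'s scan succeeded "
    r"following a timeout/busy condition.*?Process (?P<proc>[^,\s]+),", re.S)

def parse_events(text):
    """Return SAVOnAccessControl ID 85 events found in exported log text."""
    events = []
    for chunk in re.split(r"(?=Event Type:)", text):  # one chunk per event
        m = EVENT_RE.search(chunk)
        if m and m["source"] == "SAVOnAccessControl" and m["id"] == "85":
            when = datetime.strptime(f"{m['date']} {m['time']}", "%m/%d/%Y %I:%M:%S %p")
            events.append({"host": m["host"], "when": when,
                           "file": m["file"], "process": m["proc"]})
    return events

def bursts_per_minute(events):
    """Count events per (host, minute) to line freezes up with policy pushes."""
    return Counter((e["host"], e["when"].strftime("%Y-%m-%d %H:%M")) for e in events)

def excluded_hits(events, exclusions):
    """Events whose file is the tail of an excluded path. The log truncates
    paths to '...tail', so a hit is a lead to confirm, not proof."""
    hits = []
    for e in events:
        tail = e["file"].lstrip(".").lower()
        if any(path.lower().endswith(tail) for path in exclusions):
            hits.append(e)
    return hits
```

A burst of events in the same minute as a policy push, together with any entry from `excluded_hits`, supports the theory that the exclusion was not in effect while the policy was being re-applied.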