george.h

KES 10.2.4.674 (MR2) virus scan considerably slower [In progress]

Hi,

 

When all of our endpoints were on the MR1 release of KES 10 the scheduled on-demand virus scan (normally at 12pm and 12:00am) would typically take 15 mins using the default scan settings. Since they auto-upgraded to MR2 most take considerably longer. Two or three still do it in 15 or so minutes, most of the rest are anywhere from 40 mins to well over an hour, and that is AFTER changing the default scan settings to "By format". I did also install patch D into KSC (1.0.2.434) and also on all the endpoints' network agents, installed the MR2 plug-in for KSC and created new policies and tasks.

 

Has something changed with MR2 which could produce these considerably extended scan times?

Hello.

 

Here you can find the list of changes in 10.2.4.674. No major changes to the scanning algorithm have been made. Please make sure that no external factors are affecting the scan, like large numbers of complex objects that could have been copied onto hosts at approximately the same time you installed the update, or other new areas that could have become part of the scan scope.

 

Thank you!

Thanks, I'll have a read through. As an experiment I've changed the scan settings of the type of objects/files to scan from "Format" to "Extension". On the default setting of "All" scans took even longer.

 

I doubt that significant changes occurred to almost all of our endpoints at the same time as MR2 was installed (by automatic update) to make such a dramatic increase in scan time.

 

I'll let you know how the test goes.

 

Hi,

 

We will wait for results.

 

BR

 

Hi,

 

Well that made no difference. They are all essentially taking the same length of time as when set to scan by file format. What is really puzzling is the significant differences I am seeing - screen shot attached.

 

All bar 5 PCs (and the servers) are 3.3/3.4GHz i3/i5 machines (Dell Optiplex 3020 or higher) running Windows 7 64-bit with minimum of 8GB of RAM all with a standard base build. The three quickest are at a remote location at the far end of a VPN tunnel. One of the slowest (9ZFCCC2) is a brand new machine (i5 gen 6) with nothing but the base build on and it is on the same gigabit network, on the same site, as the admin server. A slightly older machine, 6TBLPZ1, is an i3 machine with the same build and yet that is three times quicker. Even an old XP machine with a lot more installed on it, D12BZ1J, is over twice as fast yet is a far lower specification machine.

 

When they were running MR1 the scan times showed far less variation and were typically 15-20 mins.

post-376085-1460447273_thumb.jpg


Is there a specific set of data you could task a KES MR1 to scan, and then scan the same data using KES SP1 MR2, which would reproduce the results you describe (slowdown of the scanning)? If you could provide traces of both instances, while only File AV of all components is enabled, the reason could possibly be analyzed.

 

Thank you.


That is going to be rather difficult, not to mention very time consuming for me, as all my endpoints have auto-upgraded to MR2. To get useful comparison results I would have to:

 

1. Find a way of disabling upgrading to MR2. How do I do this as I did NOTHING to enable it?

2. Rebuild the newest machine, before it goes into regular use, back to its factory image then build it up to its base build.

3. Install KES using the standard install package.

4. Let it auto-upgrade to MR1 (yes that was also done via auto-upgrade with me doing anything).

5. Let it perform several scheduled scans using the same settings as currently used for MR2.

6. Re-enable MR2 auto-upgrade and let it upgrade to MR2.

7. Let it do several more scheduled scans

 

This I think is something Kaspersky are in a far better position to do in their lab.

 

It is that or I go through the hassle of disabling the MR2 auto-upgrade permanently, ripping out MR2 from all the endpoints and re-installing up to MR1 and ignoring MR2, forever. MR2 so far has been nothing but hassle. Why on earth did it require completely new policies and tasks? It should NEVER have been an auto-upgrade for that alone as it caused all my endpoints to become unmanageable until I found that MR2 dumped all the existing tasks and policies, AND needed a new management plug-in.


There is one relatively simple thing I could try.

 

I've yet to download the full installation package for KES 10.2.4.674 MR2 and create a remote install package from it. It might be worth doing that then using KavRemover to uninstall KES and KLNA from the newest machine (9ZFCCC2) and then re-install it using the remote install package rather than from the original .424 and update to 674 MR2. This might eliminate the possibility that the process of upgrading through 434 to 674 MR2 might itself have caused the protracted scan times.

 

That will be relatively quick to try.


Note that the entire case, as you describe it, appears to be environment-specific.

On-demand scans are evaluated during internal testing of new versions, and such a significant degradation would not have gone unnoticed were it universal. So currently we lack conditions required to reproduce.

If possible, please provide more details on the scenario. Checking if only the upgraded versions have the issue could be helpful as well.

 

Thank you!


Well I've tried uninstalling KES using Kavremvr and re-installing 10.2.4.674 MR2 using an installation package rather than starting with the original KES 10.2.2.10535 and letting it auto-upgrade. No difference. The scheduled on-demand scan still took 1 hour 4 mins on a new build machine.

 

What is the simplest way, if I uninstall KES1.2.674 MR2 from this machine and re-install 10.2.2.10535, of preventing it auto-upgrading to MR so that I can do a comparative scan?

 

That is the only way I can provide concrete comparative data since ALL endpoints were auto-upgraded to MR2. The first I knew was when they all needed rebooting after the upgrade. It was shortly after that when I realised KSC could no longer be used to manage them:

 

https://forum.kaspersky.com/index.php?showtopic=347757

 

without a lot of, what seems, pointless installing of additional management plugins and creating new policies etc.

 

 


To start from an easier approach, please consider that different versions of KES are using different tasks, including the scan task. If you still have the older task, you could compare its settings against the new one, or provide exports of both.

 

Thank you.


I can't compare the older scan task to the newer as I no longer have any endpoints running the older version of KES and the older scan tasks do not work with MR2. I cannot "rollback" any of the endpoints to the older version to compare unless I can disable the auto-upgrade to 10.2.4.674, otherwise on the first update they upgrade back to .674.

 

So what is the easiest way of disabling the auto-upgrade to .674?


The suggestion was to check settings of both tasks. There are several options (like scanning compound objects, or large files) which may greatly affect task performance and which would be a reasonable explanation to the difference.

The MR2 update needs to be initially approved if deployed via KSC, but once this happens, it is being auto-deployed with database updates, same as with standalone installations. Once again, no such behavior has ever been reported with this particular update, or during testing, so it is highly suggested that you refer to task settings first.

 

Thank you.


Both task settings are the same - essentially the default apart from File Type which I've tried on all three settings, All, Files Scanned by Format and Files Scanned by Extension. I've also tried (with MR2) setting Scan only new and changed files - no difference.

 

I NEVER approved the upgrade to MR2, it just got pushed out. Where do I approve it as I've never seen any approval request? Now I cannot find any way to STOP an endpoint being upgraded. How on earth do I block endpoints being auto-upgraded to MR2?

 

This is now becoming a serious issue. When MR2 was first pushed out without any authorisation I lost control of the endpoints which stopped doing regular updates and scans. Only when investigating that did I find that MR2 actually required a new admin plugin AND new policies and tasks to be created. Now I have control of them and the scan time on most of them has drastically increased and the performance of them drops unacceptably during the scan. Reminds me of the fiasco a year or two ago with the auto-update that crippled thousands of endpoints - which I also got hit by.

Hi,

 

As a workaround to your problem you could disable the application modules update option in the update task.

 

Thank you!


Hi Nikolay, I was about to say I'd tried that and it didn't work, but when I double checked I found I'd unticked it in the wrong update task. Just removing KES (again!) using the removal tool. I'll update you once it has 10.2.2.10535 installed again. If it stays on 10.2.2.10535 I'll do some scans for comparison.


Thank you for providing the info. Please let us know the result. Note that for clarity, scanning needs to be done on the same set of data.

 

Thank you.
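
One way to check the "same set of data" condition before comparing scan times between versions, as an added example that is not part of the thread and not Kaspersky tooling: fingerprint the scan target before each timed run and diff the two manifests. The function names and the sample files are constructed for illustration; the sample shows a single archive copied in between runs, the kind of change mentioned earlier in the thread.

```python
import hashlib
import os
import tempfile
from collections import Counter


def build_manifest(root):
    """Summarise every file under root: count, bytes, extensions, overall digest."""
    entries, by_ext = {}, Counter()
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()  # deterministic traversal order
        for name in sorted(filenames):
            path = os.path.join(dirpath, name)
            h, size = hashlib.sha256(), 0
            with open(path, "rb") as fh:
                for chunk in iter(lambda: fh.read(1 << 20), b""):
                    h.update(chunk)
                    size += len(chunk)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            entries[rel] = (size, h.hexdigest())
            by_ext[os.path.splitext(name)[1].lower()] += 1
    digest = hashlib.sha256()
    for rel in sorted(entries):  # digest covers path, size and content hash
        size, file_hash = entries[rel]
        digest.update(f"{rel}\0{size}\0{file_hash}\n".encode("utf-8"))
    return {"files": len(entries), "by_ext": dict(by_ext), "entries": entries,
            "bytes": sum(s for s, _ in entries.values()),
            "digest": digest.hexdigest()}


def compare_manifests(before, after):
    """List what differs between two manifests; an empty list means same data."""
    old, new = before["entries"], after["entries"]
    diffs = [f"removed: {rel}" for rel in sorted(set(old) - set(new))]
    diffs += [f"added: {rel} ({new[rel][0]} bytes)"
              for rel in sorted(set(new) - set(old))]
    diffs += [f"changed: {rel}" for rel in sorted(set(old) & set(new))
              if old[rel] != new[rel]]
    return diffs


def _write(root, rel, data):
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(data)


def demo():
    """Constructed sample: a folder before and after an archive is copied in."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "docs/report.txt", b"quarterly figures\n")
        _write(root, "bin/tool.exe", b"MZ" + b"\0" * 62)
        first = build_manifest(root)
        _write(root, "downloads/bundle.zip", b"PK\x03\x04" + b"\0" * 1000)
        second = build_manifest(root)
    return first, second, compare_manifests(first, second)


if __name__ == "__main__":
    first, second, diffs = demo()
    for m in (first, second):
        print(m["files"], "files,", m["bytes"], "bytes,", m["digest"][:16])
    print("\n".join(diffs) or "data sets identical")
```

Run `build_manifest` on the scan target before each timed scan and compare durations only when `compare_manifests` returns an empty list.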


Hi - didn't work. It STILL auto-upgraded to MR2.

 

I used kavremvr to uninstall KES and KLNA, created a Test Group under Managed Computers and added it as an exclusion on ALL tasks. I then created two new update tasks and two new virus scan tasks just for the test group - one of each for MR2 and one of each for NON MR2. I ensured BOTH update tasks (MR2 and non-MR2) had the tick in Update Application Modules removed.

 

I then used KSC to install 10.2.2.10535 to the machine and place it into the test group at the end of installation. That worked ok. Two hours later the PC was showing the yellow triangle on the Kaspersky icon in the notification area saying the PC needed to be restarted and it was now showing the version as 10.2.4.674 MR2.

 

How do I stop it???

 


You can still perform the scan with the version that wants to upgrade: until you restart, its drivers are not updated.

In order to prevent KES from upgrading at all, you could install it locally (not via KSC) and have it update from KL servers instead of KSC, and not enabling module update.

All the complications are likely due to the fact that downgrading is not really a supported scenario for 10.2.2.10535 and MR2.

 

Thank you.


Hi Kirill,

 

Thanks for the suggestion, it proved very useful. When I checked the results of events on the test machine 9ZFCCC2 (shown in Scan Times Screen Shot A) you can see the initial installation of 10.2.2.10535 and the initial virus scan I started at 9:39am which completed at 10:30am (50 minutes). Later though you can see it did actually do the scheduled update at 11:00am followed by the scheduled virus scan at 12:00pm - that took only 22 mins. Once it had completed the upgrade to 10.2.4.674 MR2 the next two scans (one manual and one scheduled) took 48 mins. Since then it has been taking around the same time.

 

Unfortunately the modify task events make the picture a little confusing. In addition that machine will no longer be available for testing for a while.

 

For the moment I have implemented a work around which depends upon the fact that the Network Agent patch "D" fixes the issue of waking up a machine using WOL and having it shut down again if it was powered off, but NOT if it was already powered on - at least I'm assuming the agent patch "D" fixes that. I have now set all the desktop machines to do a single daily full scan at 00:15, being woken up via WOL and then shut down again afterwards.

 

However this is just a workaround. I'll have to gather more data as a test machine becomes available.

 

Apologies for the low resolution of the screen shots. I had to resize them to make them fit under the 300K upload limit.

post-376085-1460745732_thumb.jpg


Second screen shot attached...

post-376085-1460745922_thumb.jpg
