
Symantec Endpoint Protection Manager - Rtvscan.exe causes profile unload unsuccessful

Posted on 2010-08-20
Last Modified: 2013-12-09
Hello,

We are running the latest version of Symantec Endpoint Protection Manager (v11.0.6) on Terminal Server 2003 R2 x64 Standard Edition. Due to problems with profile unload, we installed the UPH Hive Clean tool (x64 bit) downloaded from TechNet.

The server is very slow and Rtvscan.exe is taking more than 10% CPU usage. In the Event Viewer I found several warnings and errors. The log entry below is of type Information:

The following handles in user profile hive FLUP\User52 (S-1-5-21-1962641835-73086011-4158921976-1127) have been remapped because they were preventing the profile from unloading successfully:
 
Rtvscan.exe (504)
  HKCU\Software\Symantec\Symantec Endpoint Protection\AV\Custom Tasks (0x9e8)

How can I resolve this? Thanks!
0
Question by:SrinathS
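
The event quoted in the question names the process and registry key holding the profile hive open. As an added example (not part of the original thread), this Python sketch parses such event descriptions exported as text and tallies which process and key recur across logoffs; it assumes every event follows the layout of the one quoted above, and the second sample event, including `example.exe`, is constructed.

```python
import re
from collections import Counter

SAMPLE_EVENTS = [  # first: the event quoted in the question; second: constructed
r"""The following handles in user profile hive FLUP\User52 (S-1-5-21-1962641835-73086011-4158921976-1127) have been remapped because they were preventing the profile from unloading successfully:

Rtvscan.exe (504)
  HKCU\Software\Symantec\Symantec Endpoint Protection\AV\Custom Tasks (0x9e8)
""",
r"""The following handles in user profile hive EXAMPLE\user01 (S-1-5-21-1111111111-2222222222-3333333333-1001) have been remapped because they were preventing the profile from unloading successfully:

Rtvscan.exe (504)
  HKCU\Software\Symantec\Symantec Endpoint Protection\AV\Custom Tasks (0x7a4)
example.exe (1320)
  HKCU\Software\Example (0x1c0)
  HKCU\Software\Example\Settings (0x1c4)
""",
]

HEADER = re.compile(
    r"handles in user profile hive (?P<account>.+?) \((?P<sid>S-[\d-]+)\) "
    r"have been (?P<action>\w+)")
PROCESS = re.compile(r"^(?P<image>\S.*?) \((?P<pid>\d+)\)$")  # unindented line
HANDLE = re.compile(r"^\s+(?P<key>.+?) \((?P<handle>0x[0-9a-fA-F]+)\)$")  # indented

def parse_event(text):
    """Return one dict per registry handle listed in one event description."""
    head = HEADER.search(text)
    if not head:
        return []
    records, proc = [], None
    for line in map(str.rstrip, text[head.end():].splitlines()):
        handle, owner = HANDLE.match(line), PROCESS.match(line)
        if owner:  # a new "image (pid)" line starts the next group of handles
            proc = {"image": owner["image"], "pid": int(owner["pid"])}
        elif handle and proc:
            records.append({**head.groupdict(), **proc, **handle.groupdict()})
    return records

def holders(events):
    """Count handles per (process image, registry key) across many events."""
    tally = Counter()
    for text in events:
        for rec in parse_event(text):
            tally[(rec["image"].lower(), rec["key"])] += 1
    return tally

if __name__ == "__main__":
    for (image, key), count in holders(SAMPLE_EVENTS).most_common():
        print(count, image, key)
```

A process and key that top the tally across many users point at the application to fix or exclude, rather than at an individual profile.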
 

Author Comment

by:SrinathS
ID: 33490025
I just updated Symantec EndPoint Protection Manager to the latest version, v11.0 RU6 MP1. I'm monitoring the event log. I will update this question accordingly.
0
 

Author Comment

by:SrinathS
ID: 33493494
Upgraded to the latest version, still encountering the same error in the Event log. The server becomes slow and unresponsive due to this process. Symantec.
0
 
LVL 38

Expert Comment

by:Hypercat (Deb)
ID: 33495345
How did you originally install SEP on this server? It definitely needs to be installed as a shared server app (like all TS apps using the TS-specific installation steps) so that it will not run a separate process in each user's session. Also, you need to be sure NOT to install Proactive Threat Protection, as this function of SEP isn't supported on any server operating system.  Here are a couple of relevant articles, if you think this might be your problem:
http://service1.symantec.com/support/ent-security.nsf/854fa02b4f5013678825731a007d06af/21894dd84e8bbf97c125738c00656f6f?OpenDocument
http://www.symantec.com/connect/sites/default/files/SEP%20on%20Terminal%20Servers.pdf
0

 
LVL 20

Expert Comment

by:jimmymcp02
ID: 33500671
0
 

Author Comment

by:SrinathS
ID: 33501557
@hypercat,

Our previous support person installed this application 1 year back. I followed the installation instructions correctly.

@jimmymcp02,

Yes, I already updated from RU6A to MP1. Still the same problem. Symantec Rtvscan.exe is conflicting with UPHclean.exe process. I added the UPHclean.exe to the exception list, still the same problem!
0
 
LVL 38

Accepted Solution

by:
Hypercat (Deb) earned 2000 total points
ID: 33523286
Have you looked at this article:
http://service1.symantec.com/support/ent-security.nsf/854fa02b4f5013678825731a007d06af/e003dc4eb56faea7ca2575f9000a75ab?OpenDocument
You may be able to resolve this issue by excluding the RTVScan process as described.  I've not run into this myself, but I would give it a try.
0
 

Author Comment

by:SrinathS
ID: 33524221
@hypercat,

I added the process rtvscan.exe to the UPHClean process exclusion list by following the Symantec instructions. I logged off and logged in multiple times. I found these warning and information alerts in the Event Log:

Event ID: 1527
Windows saved user TEST-DOMAIN\Administrator registry while an application or service was still using the registry during log off. The memory used by the user's registry has not been freed. The registry will be unloaded when it is no longer in use.

This is often caused by services running as a user account, try configuring the services to run in either the LocalService or NetworkService account.

Followed by Information Event ID: 1516
Windows unloaded user TEST-DOMAIN\Administrator registry when it received a notification that no other applications or services were using the profile.
0
 
LVL 38

Expert Comment

by:Hypercat (Deb)
ID: 33524346
Those two events are normal with a process like RTVScan especially when logging on with an Administrator account. Try logging on as a regular user and see if the error message still appears in the logs.
0
 

Author Comment

by:SrinathS
ID: 33524435
I logged in as a regular user and it displays the above informational message followed by the warning message. But as per the message description, I can safely ignore the warning message.

Followed by Information Event ID: 1516
Windows unloaded user TEST-DOMAIN\Administrator registry when it received a notification that no other applications or services were using the profile.

The log-in and log-off speed is increased! Thanks for your help!
0


Question has a verified solution.
