  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 3033

Symantec Endpoint Protection Manager - Rtvscan.exe causes profile unload unsuccessful

Hello,

We are running the latest version of Symantec Endpoint Protection Manager (v11.0.6) on Terminal Server 2003 R2 x64 Standard Edition. Due to problems with profile unload, we installed the UPH Hive Clean tool (x64 bit) downloaded from TechNet.

The server is very slow and Rtvscan.exe is taking more than 10% CPU usage. In the Event Viewer I found several warnings and errors. The log entry below is an information type:

The following handles in user profile hive FLUP\User52 (S-1-5-21-1962641835-73086011-4158921976-1127) have been remapped because they were preventing the profile from unloading successfully:
 
Rtvscan.exe (504)
  HKCU\Software\Symantec\Symantec Endpoint Protection\AV\Custom Tasks (0x9e8)

How can I resolve this? Thanks!
0
SrinathS
1 Solution
 
SrinathS (Author) Commented:
I just updated Symantec EndPoint Protection Manager to latest version v11.0 RU6 MP1. I'm monitoring the event log. I will update this question accordingly.
0
 
SrinathS (Author) Commented:
Upgraded to the latest version, still encountering the same error in the Event log. The server becomes slow and unresponsive due to this process. Symantec.
0
 
Hypercat (Deb) Commented:
How did you originally install SEP on this server? It definitely needs to be installed as a shared server app (like all TS apps using the TS-specific installation steps) so that it will not run a separate process in each user's session. Also, you need to be sure NOT to install Proactive Threat Protection, as this function of SEP isn't supported on any server operating system.  Here are a couple of relevant articles, if you think this might be your problem:
http://service1.symantec.com/support/ent-security.nsf/854fa02b4f5013678825731a007d06af/21894dd84e8bbf97c125738c00656f6f?OpenDocument
http://www.symantec.com/connect/sites/default/files/SEP%20on%20Terminal%20Servers.pdf
0
 
jimmymcp02 Commented:
0
 
SrinathS (Author) Commented:
@hypercat,

Our previous support person installed this application 1 year back. I followed the installation instructions correctly.

@jimmymcp02,

Yes, I already updated from RU6A to MP1. Still the same problem. Symantec Rtvscan.exe is conflicting with UPHclean.exe process. I added the UPHclean.exe to the exception list, still the same problem!
0
 
Hypercat (Deb) Commented:
Have you looked at this article:
http://service1.symantec.com/support/ent-security.nsf/854fa02b4f5013678825731a007d06af/e003dc4eb56faea7ca2575f9000a75ab?OpenDocument
You may be able to resolve this issue by excluding the RTVScan process as described.  I've not run into this myself, but I would give it a try.
0
 
SrinathS (Author) Commented:
@hypercat,

I added the process rtvscan.exe to the UPHClean process exclusion list by following the Symantec instructions. I logged off and logged in multiple times. I found these warning and information alerts in the Event Log:

Event ID: 1527
Windows saved user TEST-DOMAIN\Administrator registry while an application or service was still using the registry during log off. The memory used by the user's registry has not been freed. The registry will be unloaded when it is no longer in use.

This is often caused by services running as a user account, try configuring the services to run in either the LocalService or NetworkService account.

Followed by Information Event ID: 1516
Windows unloaded user TEST-DOMAIN\Administrator registry when it received a notification that no other applications or services were using the profile.
0
 
Hypercat (Deb) Commented:
Those two events are normal with a process like RTVScan especially when logging on with an Administrator account. Try logging on as a regular user and see if the error message still appears in the logs.
0
 
SrinathS (Author) Commented:
I logged in as a regular user and it displays the above informational message followed by a warning message. But as per the message description, I can safely ignore the warning message.

Followed by Information Event ID: 1516
Windows unloaded user TEST-DOMAIN\Administrator registry when it received a notification that no other applications or services were using the profile.

The log-in and log-off speed is increased! Thanks for your help!
0
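
A check for the event pattern discussed in this thread, as an added example that is not part of any poster's reply or of Symantec's or Microsoft's tooling: it pairs each Event ID 1527 warning with the later Event ID 1516 notice for the same account and reports accounts whose registry hive was never released. The function name `Get-ProfileUnloadStatus`, the helper `New-SampleEvent`, the account `TEST-DOMAIN\ExampleUser` and the timestamps are constructed for illustration; the message texts are the ones quoted above.

```powershell
# Added example. Sample records are constructed; field names follow Get-EventLog output.
function Get-ProfileUnloadStatus {
    param([object[]]$Events)

    $pending = @{}   # account -> time of the first unmatched 1527 warning
    $results = @()

    foreach ($e in ($Events | Sort-Object TimeGenerated)) {
        # Both messages quoted in the thread read "... user DOMAIN\Name registry ..."
        if ($e.Message -match 'user (\S+) registry') {
            $account = $Matches[1]
            if ($e.EventID -eq 1527 -and -not $pending.ContainsKey($account)) {
                $pending[$account] = $e.TimeGenerated
            }
            elseif ($e.EventID -eq 1516 -and $pending.ContainsKey($account)) {
                $results += New-Object PSObject -Property @{
                    Account      = $account
                    Released     = $true
                    DelaySeconds = ($e.TimeGenerated - $pending[$account]).TotalSeconds
                }
                $pending.Remove($account)
            }
        }
    }

    # Accounts still pending were saved while in use and never reported as unloaded.
    foreach ($account in $pending.Keys) {
        $results += New-Object PSObject -Property @{
            Account = $account; Released = $false; DelaySeconds = $null
        }
    }
    $results
}

# Hypothetical helper that builds one constructed event record.
function New-SampleEvent($Offset, $Id, $Text) {
    New-Object PSObject -Property @{
        TimeGenerated = ([datetime]'2010-01-01 09:00:00').AddSeconds($Offset)
        EventID = $Id; Message = $Text
    }
}

$sample = @(
    (New-SampleEvent 0  1527 'Windows saved user TEST-DOMAIN\Administrator registry while an application or service was still using the registry during log off.'),
    (New-SampleEvent 45 1516 'Windows unloaded user TEST-DOMAIN\Administrator registry when it received a notification that no other applications or services were using the profile.'),
    (New-SampleEvent 90 1527 'Windows saved user TEST-DOMAIN\ExampleUser registry while an application or service was still using the registry during log off.')
)

Get-ProfileUnloadStatus -Events $sample | Format-Table Account, Released, DelaySeconds -AutoSize
```

On a live server the same function can be fed from `Get-EventLog -LogName Application`, filtered to Event IDs 1516 and 1527, assuming these profile events are written to the Application log. An account reported with `Released` set to `False` still has its hive held open by some process.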