Symantec Endpoint Protection Manager - Rtvscan.exe causes profile unload unsuccessful

Hello,

We are running the latest version of Symantec Endpoint Protection Manager (v11.0.6) on Terminal Server 2003 R2 x64 Standard Edition. Due to problems with profile unload, we installed the UPH Hive Clean tool (x64 bit) downloaded from TechNet.

The server is very slow and Rtvscan.exe is taking more than 10% CPU usage. In the Event Viewer I found several warnings and errors. The log below is an information type:

The following handles in user profile hive FLUP\User52 (S-1-5-21-1962641835-73086011-4158921976-1127) have been remapped because they were preventing the profile from unloading successfully:
 
Rtvscan.exe (504)
  HKCU\Software\Symantec\Symantec Endpoint Protection\AV\Custom Tasks (0x9e8)

How can I resolve this? Thanks!
SrinathS Asked:
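One way to see which processes UPHClean keeps remapping is to parse event messages in the format quoted in the question and count handles per process and registry key. This is an added example, not part of the original thread; the two sample events (user names, SIDs, handle values and the spoolsv.exe entries) are constructed.

```python
import re
from collections import Counter

# Header of a UPHClean "handles remapped" event, as quoted in the question.
HEADER = re.compile(r"The following handles in user profile hive (?P<user>.+?) "
                    r"\((?P<sid>S-[\d-]+)\) have been remapped")
# Process line: image name and PID, e.g. "Rtvscan.exe (504)".
PROCESS = re.compile(r"^(?P<image>\S.*?) \((?P<pid>\d+)\)$")
# Handle line: registry key and hex handle value, e.g. "HKCU\Printers (0x2c0)".
HANDLE = re.compile(r"^\s*(?P<key>.+?) \((?P<handle>0x[0-9a-fA-F]+)\)\s*$")
# Constructed sample events: users, SIDs and the spoolsv.exe entries are made up.
SAMPLE_EVENTS = [
    r"""The following handles in user profile hive EXAMPLE\user01 (S-1-5-21-1111111111-2222222222-3333333333-1001) have been remapped because they were preventing the profile from unloading successfully:

Rtvscan.exe (504)
  HKCU\Software\Symantec\Symantec Endpoint Protection\AV\Custom Tasks (0x9e8)
""",
    r"""The following handles in user profile hive EXAMPLE\user02 (S-1-5-21-1111111111-2222222222-3333333333-1002) have been remapped because they were preventing the profile from unloading successfully:

Rtvscan.exe (504)
  HKCU\Software\Symantec\Symantec Endpoint Protection\AV\Custom Tasks (0xa14)
spoolsv.exe (1320)
  HKCU\Printers (0x2c0)
  HKCU\Printers\DevModePerUser (0x2c4)
""",
]

def parse_event(message):
    """Return (user, sid, [(image, pid, key, handle), ...]) for one event message."""
    header = HEADER.search(message)
    if header is None:
        raise ValueError("not a UPHClean remap event")
    rows, current = [], None
    for line in message[header.end():].splitlines():
        handle = HANDLE.match(line)
        process = PROCESS.match(line.strip())
        if handle and current:
            # A handle line belongs to the most recent process line above it.
            rows.append((*current, handle["key"], handle["handle"]))
        elif process:
            current = (process["image"], int(process["pid"]))
    return header["user"], header["sid"], rows

def holders(messages):
    """Count remapped handles per (lower-cased image name, registry key)."""
    counts = Counter()
    for message in messages:
        for image, _pid, key, _handle in parse_event(message)[2]:
            counts[(image.lower(), key)] += 1
    return counts
```

Calling `holders(SAMPLE_EVENTS).most_common()` lists the process and key pairs that block profile unload most often, which shows whether one service accounts for most of the remaps.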
 
Hypercat (Deb) Commented:
Have you looked at this article:
http://service1.symantec.com/support/ent-security.nsf/854fa02b4f5013678825731a007d06af/e003dc4eb56faea7ca2575f9000a75ab?OpenDocument
You may be able to resolve this issue by excluding the RTVScan process as described.  I've not run into this myself, but I would give it a try.
0
 
SrinathS (Author) Commented:
I just updated Symantec Endpoint Protection Manager to the latest version, v11.0 RU6 MP1. I'm monitoring the event log. I will update this question accordingly.
0
 
SrinathS (Author) Commented:
Upgraded to the latest version, still encountering the same error in the Event log. The server becomes slow and unresponsive due to this process. Symantec.
0
 
Hypercat (Deb) Commented:
How did you originally install SEP on this server? It definitely needs to be installed as a shared server app (like all TS apps using the TS-specific installation steps) so that it will not run a separate process in each user's session. Also, you need to be sure NOT to install Proactive Threat Protection, as this function of SEP isn't supported on any server operating system.  Here are a couple of relevant articles, if you think this might be your problem:
http://service1.symantec.com/support/ent-security.nsf/854fa02b4f5013678825731a007d06af/21894dd84e8bbf97c125738c00656f6f?OpenDocument
http://www.symantec.com/connect/sites/default/files/SEP%20on%20Terminal%20Servers.pdf
0
 
jimmymcp02 Commented:
0
 
SrinathS (Author) Commented:
@hypercat,

Our previous support person installed this application 1 year back. I followed the installation instructions correctly.

@jimmymcp02,

Yes, I already updated from RU6A to MP1. Still the same problem. Symantec Rtvscan.exe is conflicting with UPHclean.exe process. I added the UPHclean.exe to the exception list, still the same problem!
0
 
SrinathS (Author) Commented:
@hypercat,

I added the process rtvscan.exe to the UPHClean process exclusion list by following the Symantec instructions. I logged off and logged in multiple times. I found these warning and information alerts in the Event Log:

Event ID: 1527
Windows saved user TEST-DOMAIN\Administrator registry while an application or service was still using the registry during log off. The memory used by the user's registry has not been freed. The registry will be unloaded when it is no longer in use.

This is often caused by services running as a user account, try configuring the services to run in either the LocalService or NetworkService account.

Followed by Information Event ID: 1516
Windows unloaded user TEST-DOMAIN\Administrator registry when it received a notification that no other applications or services were using the profile.
0
 
Hypercat (Deb) Commented:
Those two events are normal with a process like RTVScan especially when logging on with an Administrator account. Try logging on as a regular user and see if the error message still appears in the logs.
0
 
SrinathS (Author) Commented:
I logged in as a regular user and it displays the above informational message followed by the warning message. But as per the message description, I can safely ignore the warning message.

Followed by Information Event ID: 1516
Windows unloaded user TEST-DOMAIN\Administrator registry when it received a notification that no other applications or services were using the profile.

The log-in and log-off speed is increased! Thanks for your help!
0
Question has a verified solution.
