Symantec v10.0 Real-time Scan Performance

Engineers beware….enabling Symantec network scanning features of real-time protection will slow the network to a crawl. Symantec actually recommends turning off network scanning on Symantec v10.0 and below because of the severe performance impact it causes. In v10.1 and above, Symantec supposedly “improved” the network scanning functionality as well as introduced the ability to trust a server that was running real-time protection to prevent double scanning of a file. Unfortunately, the network scanning features don’t seemed to be improved in any way and the trust stuff looks to be all fluff. Additionally, after troubleshooting and testing it looks like when Symantec is configured to do network scans, instead of scanning the files on the client side as they traverse through the network stack, Symantec actually opens up literally hundreds of file handles to the files remotely and attempts to scan the on the share remotely on the share. This behavior has been verified to be the cause of several network performance issues at one of our customers lately.

Networking Symantec