Antivirus on demand scan performance

Version 9

    Verified Product Versions

    LANDESK Management Suite 9.5, LANDESK Management Suite 9.6, LANDESK Management Suite 2016.x

    Applies to LANDESK Management Suite 9.6 and above.

     

    This article gives recommendations, suggestions and explanations on how to influence the performance of the antivirus on-demand scan.

     

    Exclusions

     

    The first step is to add accurate exclusions (exceptions). An antivirus scanning exclusion is an instruction created by the user or administrator telling the real-time scanner and/or the manual scanner not to scan certain folders, file types and/or files. The words "Exception" and "Exclusion" are often both used to describe this.

     

    Here is a tutorial about adding exclusions: http://community.landesk.com/support/docs/DOC-6662

    Here is a tutorial about exclusions on a LANDESK Core server: http://community.landesk.com/support/docs/DOC-6920

     

     

    Scan only new and changed files

     

    Kaspersky Anti-Virus features an algorithm that improves its performance by estimating a file's threat level on the basis of its last modification date. The file's last modification date is compared against its first scan date, its creation date, and the release date of the antivirus databases. The algorithm takes into account scanning performed by any Kaspersky Anti-Virus task, whether Real-time protection or an on-demand scan task.

    This setting can be accessed on the Core Server (Agent Settings > Security > LANDESK Antivirus) and on the client itself as well.

     


     

    To find out whether this setting is enabled on the client, check the trace logs.

     

    iSwift and iChecker

     

    iChecker and iSwift are special technologies that speed up the work of the Kaspersky Endpoint Security protection components on files located on the computer.

    • iChecker calculates and remembers checksums of scanned files. A checksum is a digital signature of an object (file) that makes it possible to identify its authenticity.
    • iSwift is a modification of the iChecker technology for NTFS file systems.

     


     

     

    If you would like to check whether these settings are applied on the client machine, there are a few registry keys to look at.

    Look at the keys UseIChecker and UseIStreams in this branch (the path was checked on 32-bit Windows):

    • HKEY_LOCAL_MACHINE\SOFTWARE\KasperskyLab\protected\KES10\profiles\Protection\profiles\File_Monitoring\settings

     

    For scan task settings, see the keys in the corresponding branches. The examples are for the Startup Scan and Full Scan tasks (on 32-bit Windows):

    • HKEY_LOCAL_MACHINE\SOFTWARE\KasperskyLab\protected\KES10\profiles\Scan_My_Computer\settings
    • HKEY_LOCAL_MACHINE\SOFTWARE\KasperskyLab\protected\KES10\profiles\Scan_Startup\settings

     

    Please note that the keys’ values are changed on exit from KES.
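
    A read-only way to collect these values from a client, as an added example (not LANDESK or Kaspersky code). The WOW6432Node root is an assumption for 64-bit Windows, since the paths above were checked on 32-bit Windows only, and the function name is hypothetical.

```powershell
# Added example: report UseIChecker / UseIStreams for the three branches
# listed in this article. Nothing is written to the registry.

$Roots = @(
    'HKLM:\SOFTWARE',              # path as given in the article (32-bit Windows)
    'HKLM:\SOFTWARE\WOW6432Node'   # assumption: 32-bit registry view on 64-bit Windows
)
$ProfilePaths = @(
    'Protection\profiles\File_Monitoring',
    'Scan_My_Computer',
    'Scan_Startup'
)
$SettingNames = @('UseIChecker', 'UseIStreams')

function Get-KesScanOptimization {
    foreach ($name in $ProfilePaths) {
        # Use the first root under which this branch actually exists.
        $key = $Roots |
            ForEach-Object { "$_\KasperskyLab\protected\KES10\profiles\$name\settings" } |
            Where-Object { Test-Path -LiteralPath $_ } |
            Select-Object -First 1

        $props = $null
        if ($key) {
            $props = Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue
        }

        foreach ($setting in $SettingNames) {
            # Distinguish "branch missing" from "value missing" in the report.
            $value = 'branch not found'
            if ($props) {
                $value = 'value not found'
                if ($props.PSObject.Properties.Name -contains $setting) {
                    $value = $props.$setting
                }
            }
            [pscustomobject]@{
                Profile = $name
                Setting = $setting
                Value   = $value
                Key     = $key
            }
        }
    }
}

# The values are changed on exit from KES, so note when each reading was taken.
Get-KesScanOptimization | Format-Table -AutoSize
```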

    For more information about these technologies, refer to this Kaspersky article: http://support.kaspersky.com/7407

     

     

    Scan archives

     

    The last configuration change is to not scan archives, especially if they are already scanned by the Real-Time scanner. If there is a large number of archives, the time consumed by the on-demand scan will increase dramatically. The engine has to decompress the archive, scan it and recompress it, which is time consuming.

     


     

     

    Logs and traces

     

    If you feel that your on-demand scan is not performing as you would like after implementing the above recommendations and suggestions, you can open a case with support.

    To troubleshoot performance issues further, support will need logs, traces and a GetSystemInfo report, as detailed in the following article:

    http://community.landesk.com/support/docs/DOC-27009