0

Today I was at a client's site that has Windows 2008 SBS installed with Symantec EndPoint Protection. The problem is that after I logged in, I tried multiple commands like services.msc and msconfig typed in "Run", but nothing was started. For the first 5 minutes I can click around the Start Menu and choose some applications (non-Microsoft ones work, even Control Panel works). But then something happens and I can't click where I want. I can click on the Start Menu and get it active, but I can't choose anything from there; everything is like blocked. I can right-click on the Desktop and do many things, but most of the left clicks are blocked. Even when I start TaskMgr I am able to see it but I cannot click it, can't activate it or anything. It acts very, very weird.

It's a newly installed system, less than a month since it was installed, and it wasn't really used (it's been down most of the time). I suspect Symantec EndPoint Protection might be faulty, so when I go back there (Wednesday) I will uninstall it, but maybe someone else has some ideas about what may be happening. I doubt there's any virus or anything; Symantec was installed right after setting everything up and running.

EDIT: Just to add, CPU is at 0-1% (2 CPUs), and it has 10 GB of RAM which is hardly used. SBS was set up for 5 people and it hasn't even been working for a month.

EDIT2: I've arrived at the client location, uninstalled Symantec etc. and Windows was still freezing up. Finally I disabled some services and after much trial and error found out that if I disable all Exchange 2007 services it works without problems. Does anyone have any suggestions? I am slowly doing updates to Windows and everything, and finally I will update drivers etc. and then enable Exchange and try again, but maybe someone has some idea what's up? :-)

MadBoy

3 Answers

1

Turns out the problem was with IPv6 and Exchange 2007 services being in a constant state of stopping/starting.

The issue was similar to the "IPv6 being disabled" problem that was heavily commented on the internet, with the only difference that IPv6 on my server was enabled (!) and it had some values filled in, so it wasn't easy to spot. Finally I decided to go and disable IPv6 the proper way and it worked. Since my devices don't support IPv6 anyway, I didn't need it and it solved the problem for me.

Properly Disabling IPv6

SBS 2008 is designed to fully support IPv6 and has IPv6 enabled by default. Most users should never need to disable IPv6, however if you must disable IPv6 here is how to disable it properly:

Important: This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base: 322756

  1. Uncheck Internet Protocol Version 6 (TCP/IPv6) on your Network Card.
  2. In Registry Editor, locate and then click the following registry subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters\
  3. Double-click DisabledComponents to modify the DisabledComponents entry.

     Note: If the DisabledComponents entry is unavailable, you must create it. To do this, follow these steps:

       1. In the Edit menu, point to New, and then click DWORD (32-bit) Value.
       2. Type DisabledComponents, and then press ENTER.
       3. Double-click DisabledComponents.
  4. Enter "ffffffff" (eight f’s), and then click OK:

  5. Reboot the SBS 2008 server.

RRAS (VPN) Note: If you plan to enable VPN on your SBS 2008 server, you MUST also Export and then Delete the following registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteAccess\RouterManagers\Ipv6

If you do not delete this key you will get a 20103 event when trying to start RRAS with IPv6 disabled. You must reboot after removing this key.

MadBoy
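The registry steps from the answer above, scripted in PowerShell with each key exported before it is changed; this is an added example, not part of the original answer or the quoted article. The backup folder `C:\RegBackup` and the `$PlanToUseVpn` switch are assumptions, and step 1 (unchecking TCP/IPv6 on the network card) is still done by hand.

```powershell
# Run from an elevated PowerShell prompt on the SBS 2008 server.
$tcpip6       = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters'
$rras6        = 'HKLM:\SYSTEM\CurrentControlSet\Services\RemoteAccess\RouterManagers\Ipv6'
$backupDir    = 'C:\RegBackup'   # assumed location for the .reg exports
$PlanToUseVpn = $false           # assumed switch: set to $true only if RRAS/VPN will be enabled
$stamp        = Get-Date -Format 'yyyyMMdd-HHmmss'

function ConvertTo-NativeKey([string]$psPath) {
    # reg.exe expects HKLM\..., not the PowerShell drive form HKLM:\...
    return ($psPath -replace '^HKLM:\\', 'HKLM\')
}

function Export-RegKey([string]$psPath, [string]$file) {
    & reg.exe export (ConvertTo-NativeKey $psPath) $file /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Export of $psPath failed; nothing was changed." }
}

if (-not (Test-Path $backupDir)) {
    New-Item -ItemType Directory -Path $backupDir | Out-Null
}

# Back up first, so the previous state can be restored by importing the .reg file.
Export-RegKey $tcpip6 (Join-Path $backupDir "Tcpip6-Parameters-$stamp.reg")

# Report the value that is about to be replaced (the entry may not exist yet).
$before = (Get-ItemProperty -Path $tcpip6 -Name DisabledComponents `
           -ErrorAction SilentlyContinue).DisabledComponents
if ($null -eq $before) { 'DisabledComponents before: (not present)' }
else                   { 'DisabledComponents before: 0x{0:X8}' -f $before }

# Steps 2-4: create or overwrite the DWORD with the value given in the answer.
# Microsoft's later guidance uses 0xFF instead, because 0xFFFFFFFF adds a
# delay of about 5 seconds to startup.
& reg.exe add (ConvertTo-NativeKey $tcpip6) /v DisabledComponents /t REG_DWORD /d 0xffffffff /f | Out-Null
if ($LASTEXITCODE -ne 0) { throw 'Writing DisabledComponents failed.' }

$after = (Get-ItemProperty -Path $tcpip6 -Name DisabledComponents).DisabledComponents
'DisabledComponents after:  0x{0:X8}' -f $after

# RRAS note: export, then delete, the IPv6 router manager key.
if ($PlanToUseVpn -and (Test-Path $rras6)) {
    Export-RegKey $rras6 (Join-Path $backupDir "RemoteAccess-Ipv6-$stamp.reg")
    Remove-Item -Path $rras6 -Recurse
    'Removed RemoteAccess\RouterManagers\Ipv6 (backup saved).'
}

'Reboot the server for the change to take effect.'
```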
0

SBS includes SQL Server and Exchange, both of which can be very disk-intensive. I have seen Symantec Endpoint Protection cause massive performance problems on disk-intensive servers, even when proper exclusions are configured.

We had one quad-core call recording server that was riding at an average CPU usage of 80-100% during production hours. It went down to 30-50% after we replaced Symantec Endpoint Protection with a better antivirus product. We were surprised to find that the CPU usage decrease after removing SEP was about double the percentage of CPU time that SEP itself had been using. SEP itself had been using about 25% of the CPU time in Task Manager, but eliminating SEP reduced total CPU usage by 50%.

If you're not sure what to replace it with, I'll mention we've been testing ESET in our environment and we like it a lot. If you're licensing a large number of seats, you can get pretty amazing price concessions through the right vendors, on the order of 50% or less per seat than you're paying for SEP. Regardless, whatever you decide to use, you can't end up much worse off than you are with Symantec.

Edit:

OK, and that would make sense with only 5 users. So, the server is basically idling, but you're prevented from interacting normally with Windows Explorer and Task Manager. What happens when you boot in Safe Mode? If it's fine in Safe Mode, can you isolate the culprit using msconfig to selectively disable startup items? Could you try running an alternate/non-Symantec malware scan?

Skyhawk
  • I forgot to mention CPU is at 0-1%, RAM usage is at a very low level – MadBoy Apr 23 '10 at 07:35
  • I didn't test Safe Mode, I will uninstall Symantec and see what happens. If it won't work I'll try with Safe Mode and try msconfig. I would already do it but it's not working in normal mode. Thought someone might have had a similar problem, but I guess I will have to find out on my own. – MadBoy Apr 24 '10 at 09:01
  • I disabled Exchange services and it's working fine now. There's no virus or anything, I'm pretty sure of that. – MadBoy Apr 28 '10 at 18:09
0

To add to Miles' post: I'm running ESET NOD32 Business on SBS 2008. Keep in mind, even ESET doesn't recommend running version 4.2 on servers; they recommend their 3.x version, which still works quite well, and I don't have CPU utilization problems like SEP seems to have given Miles.

The one thing I'll mention is that ESET's Remote Administrator console is NOT intuitive by any means. It's quite featureful but it's far from an easy GUI you'd see with SEP or Trend Micro or even McAfee.

There is even a bundle you can buy from vendors right now (in seats of 25, afaik) where you buy the AntiVirus bundle (I didn't buy the ESS product) and get a 'seat' of the Exchange Mail AV for 50% off (something like $7/seat). For my 25 seat license for both workstations and exchange mailboxes it was under $1000.

Mindflux
  • In my opinion, the gold medal for near-uselessness in an AV console must be awarded to CA Threat Manager/Integrated Threat Management/eTrust/PestPatrol or whatever CA is calling it this month. – Skyhawk Apr 23 '10 at 12:52
  • Yeah, I didn't say CA's products were worth using, I just said ESET's RA may not be very intuitive. :) – Mindflux Apr 23 '10 at 13:55