Trend have passed the following information for me to inform the community about this issue. In short – there are 4 similar issues – some of which are resolved by existing hot fixes that have been available for some time – others using new hot fixes. In addition, on December 15 Trend will release a roll-up of a number of hot fixes specifically for CSM 3.5/3.6.
Please review it as there are multiple solutions dependent on the issue you see specifically.
If you find that you try these solutions and they do not resolve the issues you are seeing, please ensure you contact your local Trend Support line and lodge the case with them citing the specific patches that you have installed already.
I’d like to thank Trend for working with us in the community to get to a resolution on this quickly. Thanks also to those of you who emailed me your case numbers – this helped them more quickly identify a number of seemingly unrelated cases.
Problems
1. Machine boots up slowly with heavy disk IO
2. Computer performance is slow during start up and DCE (tsc.exe) keeps running for a long time after start up
3. High memory utilization
4. Overuse of kernel memory prevents the system drivers and applications from working properly
Phenomenon, Root cause, Solutions, and References of the Problems
1. Machine boots up slowly with heavy disk IO
Phenomenon: Heavy disk IO causes the machine to boot slowly. Using a performance monitor to observe the CSA process (pccntmon.exe), the IO graph peaks continuously.
Fig. 1: Performance of the CSA process using a performance monitor
Root Cause: A CSA function needs to traverse the CSA folder. If the login user profile setting (My Documents path) is on a remote machine, this problem arises.
Solution: CSM 3.6 hotfix 1142 (already released). Customers may either get the hotfix through tech-support, or wait for the CSM 3.5/3.6 2007 Q4 patch that includes this hotfix (available December 15). Customers may download the patch from the following URL:
Client Server Messaging Security: http://www.trendmicro.com/download/product.asp?productid=39
Client Server Security: http://www.trendmicro.com/download/product.asp?productid=40
Reference: Refer to the following Solution Bank entry: http://esupport.trendmicro.com/support/viewxml.do?ContentID=EN-1034528&id=EN-1034528
2. System performance drops and becomes slow during start up. DCE (TSC.exe) keeps running for a long time after start up. Ntrtscan.exe's CPU utilization is high.
Phenomenon: Slow start up and tsc.exe is running for extended periods.
Root Cause: When CSA starts, by default, TSC.exe scans for Trojans. Typically, it takes about 10 seconds to complete the scan. However, in a few environments TSC.exe needs much longer, up to 10 minutes, to complete the scan.
Solution: CSM 3.6 hotfix 1159 (already released).
Customers may either get the hot fix through tech-support and then follow the hotfix instructions to apply it, or wait for the CSM 3.5/3.6 2007 Q4 patch that includes this hot fix (available December 15). Customers may download the patch from the following URL:
Client Server Messaging Security: http://www.trendmicro.com/download/product.asp?productid=39
Client Server Security: http://www.trendmicro.com/download/product.asp?productid=40
3. High memory utilization
Phenomenon: The memory utilization of CSA increased rapidly after October 2007.
Root Cause: Many new samples have been added to the virus/spyware pattern (signature file) causing its size to increase drastically.
Solution: Trend Micro has optimized the pattern file and released the downsized spyware pattern (5.75) on 11/28/2007. The new pattern reduces memory usage by at least 15~20 MB.
Trend Micro continuously strives to optimize the size of the pattern files.
4. Overuse of kernel memory prevents the system drivers and applications from working properly
Phenomenon: CSA's system resource (kernel mode memory) usage is very high and prevents other applications and/or system drivers from working properly.
Root Cause: Scan Engine 8.55 (released on 10/31/2007) disabled the SystemMapView option, to fix a conflict with Express Mail Server. Disabling the option increased kernel memory utilization by 18~20MB. The growing virus pattern (LPT$VPN.*) also uses kernel memory.
Solution: Enable the SystemMapView option and set the PagePoolSize option to the maximum value.
Customers can contact technical support and ask for the hotfix and a server-side tool that can automate this process for all clients.
Note: These settings are retained during upgrades.
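Because the right fix depends on which symptom a client actually shows, it helps to measure the four symptoms before choosing a hotfix. The PowerShell below is an added example, not from Trend Micro or the original post; the process names come from the post, while every threshold is an assumption to tune, and the counter paths assume an English-language Windows install.

```powershell
# Added example: check one CSA client for the four symptoms listed in the post.
# Process names are from the post; every threshold below is an assumption.
$IoLimit     = 5MB     # assumed "heavy" average IO for pccntmon.exe, bytes/sec
$TscMaxAge   = 60      # assumed limit in seconds; the post cites ~10 s as normal
$MemLimit    = 150MB   # assumed working-set ceiling per CSA process
$KernelLimit = 300MB   # assumed ceiling for paged + nonpaged kernel pool
$findings    = @()

# Problem 1: average pccntmon.exe IO over ten one-second samples.
$io = Get-Counter -Counter '\Process(pccntmon)\IO Data Bytes/sec' `
        -SampleInterval 1 -MaxSamples 10 -ErrorAction SilentlyContinue
if ($io) {
    $avg = ($io | ForEach-Object { $_.CounterSamples[0].CookedValue } |
            Measure-Object -Average).Average
    if ($avg -gt $IoLimit) {
        $findings += "Problem 1: pccntmon.exe IO averages {0:N1} MB/s" -f ($avg / 1MB)
    }
}

# Problem 2: tsc.exe still running well past its normal scan time.
foreach ($p in @(Get-Process -Name tsc -ErrorAction SilentlyContinue)) {
    if ($p.StartTime) {   # StartTime is empty when the shell is not elevated
        $age = ((Get-Date) - $p.StartTime).TotalSeconds
        if ($age -gt $TscMaxAge) {
            $findings += "Problem 2: tsc.exe (PID {0}) running for {1:N0} s" -f $p.Id, $age
        }
    }
}

# Problem 3: user-mode memory held by the CSA processes named in the post.
foreach ($p in @(Get-Process -Name pccntmon, ntrtscan, tsc -ErrorAction SilentlyContinue)) {
    if ($p.WorkingSet64 -gt $MemLimit) {
        $findings += "Problem 3: {0} working set {1:N0} MB" -f $p.ProcessName, ($p.WorkingSet64 / 1MB)
    }
}

# Problem 4: system-wide kernel pool, since driver allocations are not per-process.
$pool = Get-Counter -Counter '\Memory\Pool Paged Bytes', '\Memory\Pool Nonpaged Bytes' `
          -ErrorAction SilentlyContinue
if ($pool) {
    $total = ($pool.CounterSamples | Measure-Object -Property CookedValue -Sum).Sum
    if ($total -gt $KernelLimit) {
        $findings += "Problem 4: kernel pool usage {0:N0} MB" -f ($total / 1MB)
    }
}

if ($findings) { $findings } else { 'No symptom exceeded the assumed thresholds.' }
```

Run it from an elevated prompt shortly after logon, when problems 1 and 2 are most visible.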
Andy Haigh says
Hi Wayne,
It seems patch 1159 was never released as an English version. Trend support are telling me to use patches 1154 and 1158 to fix the problems!!