I currently have two ISA servers in an array with the latest version of Symantec Anti Virus for ISA (4.03 of the SAVISA connector, 4.05 of SAVSE) installed and am having major issues with the w3proxy.exe process consuming the CPU until no traffic is allowed through. Trying to end task this process won't work so I have to bounce the servers and this takes care of the problem. Symantec support says that it is because I have too much traffic going through it and that I need additional scan engines (on additional servers) to load balance the scanning. I was also told by Symantec that they "haven't seen this before" when discussing the w3proxy.exe issue. This problem however ONLY occurs when SAV for ISA is enabled.
The two servers in the array by no means come even close to 15% CPU usage during the heaviest traffic (when SAV for ISA is NOT enabled), during lunch time which is when the problem occurs. So I am not sold on his canned response of needing more scan engines.
More background info:
- Followed Symantec's other config recommendations (don't scan URLCache folder since these are proxy servers as well)
- Only use ISA servers for web traffic, no SMTP traffic goes through
- SurfControl Web Filter is also installed on ISA servers
Which version of SurfControl Web Filter are you using? I had the CPU problem on a previous version of SurfControl (4.1 with no Service Packs I think). Version 4.2 solved the CPU issue, while 4.5 (current version) is quite a bit better.
(Using Interscan as the HTTP/SMTP anti-virus on the same box)
Find out if your users are using any streaming media that is not excluded in the web filter scanning. That can cause the exact problem you indicated. Let me know if you talk to Symantec and find a good solution to this problem.
I am having the same problem with the Symantec Scan Engine and our ISA server. I was also told by Symantec support that they haven't seen this issue before and I have been working with them on this for over 3 months now with no resolution. If anyone does finally get a solution to this issue, please post it as I am tired of dealing with Symantec at this point.
I'm also running NAV for MS-ISA server on our ISA firewalls. We've experienced similar problems with the W3Proxy.exe service consuming excessive amounts of CPU time.
I've gotten a partial workaround to where we don't have to reboot our servers, which is not acceptable in our environment during normal business hours. For the workaround, you'll need two W2K Server Resource Kit-specific files, which are "tlist.exe" and "kill.exe".
After you install them and notice that you are having problems with the W3Proxy.exe, do the following:
Open a cmd prompt, and at C:\> type "tlist" (without the quotations) - you will then see a list of all tasks running on your ISA server, along with the PID# (Process Identifier) for each. For example, a recent tlist look on my ISA Server showed PID# 1880 for W3Proxy.exe. Write down your PID# for the W3Proxy.exe as soon as tlist.exe retrieves it. You'll need this in a moment.
Now let's open another cmd prompt. At C:\> type the following command (again, without quotations) "net start w3proxy.exe" but DON'T hit the Enter key just yet. Now, let's go back to the cmd prompt with the tlist readings. At the cmd prompt, such as C:\Winnt, please type the following command "kill -f 1880" and then hit the Enter key. This will kill the W3Proxy.exe within the blink of an eye. The key here is typing in the correct PID# in the cmd line argument. 1880 is a variable, in this example.
Next, let's go back to your other cmd prompt, where you typed "net start W3proxy.exe" and now hit the Enter key. This will restart the W3Proxy.exe service.
I am currently working on a script that will monitor the W3proxy.exe service, and if it begins consuming excessive CPU cycles, the script will fire off, get the %PID%, kill the W3Proxy service, pause for a few seconds, and then restart the W3Proxy.exe service. As soon as I get the script to where it will work, I'll be happy to share it with everyone at ISA.org. Good luck.
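The monitor-and-restart loop described in the post above, as an added PowerShell example; it is not the poster's script or code from the original thread. The service name `w3proxy`, the thresholds and the log path are assumptions, and PowerShell cmdlets stand in for the Resource Kit tools (tlist.exe, kill.exe) named in the post.

```powershell
# Added example, not from the thread. All values below are assumptions to adjust.
$ProcessName  = 'w3proxy'      # image name without .exe, as listed by tlist
$ServiceName  = 'w3proxy'      # assumed service name; confirm with Get-Service
$ThresholdPct = 90             # machine-wide CPU % treated as runaway
$SampleSec    = 10             # length of each measurement window
$Strikes      = 6              # consecutive high windows required before acting
$LogFile      = 'C:\Temp\w3proxy-watchdog.log'   # hypothetical path

function Get-CpuPercent {
    param([TimeSpan]$Before, [TimeSpan]$After, [double]$Seconds, [int]$Cores)
    # CPU seconds burned in the window, normalised over all logical processors
    [math]::Round(100 * ($After - $Before).TotalSeconds / ($Seconds * $Cores), 1)
}

function Write-Log([string]$Message) {
    Add-Content -Path $LogFile -Value ("{0:s} {1}" -f (Get-Date), $Message)
}

$cores = [Environment]::ProcessorCount
$high  = 0
while ($true) {
    $p = Get-Process -Name $ProcessName -ErrorAction SilentlyContinue | Select-Object -First 1
    if (-not $p) { $high = 0; Start-Sleep -Seconds $SampleSec; continue }
    $procId = $p.Id
    $t0 = $p.TotalProcessorTime
    Start-Sleep -Seconds $SampleSec
    $p2 = Get-Process -Id $procId -ErrorAction SilentlyContinue
    if (-not $p2) { $high = 0; continue }     # exited or was restarted mid-window
    $pct = Get-CpuPercent -Before $t0 -After $p2.TotalProcessorTime -Seconds $SampleSec -Cores $cores
    # Require a sustained run of high windows so a brief spike does not trigger a restart
    if ($pct -ge $ThresholdPct) { $high++ } else { $high = 0 }
    if ($high -ge $Strikes) {
        Write-Log "PID $procId at $pct% for $($Strikes * $SampleSec)s; restarting $ServiceName"
        Stop-Process -Id $procId -Force        # same effect as 'kill -f <PID>'
        Start-Sleep -Seconds 5                 # let the service manager notice the exit
        Start-Service -Name $ServiceName       # same effect as 'net start'
        $high = 0
    }
}
```

Run it from an elevated session; the directory for the log file must already exist.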
Thanks DrLidbom. At least with my installation I have added the three extensions (.asf, .wmv, and .wma) and w3proxy.exe hasn't consumed 100% CPU for several days now. Before it was within a couple of hours of enabling SAV for ISA that 100% was reached. I am also our anti-virus guy and don't recall hearing of any of these extensions, yet, possibly being used as a carrier to a virus (worm, trojan). Regardless those extensions will be scanned at the desktop.
Now though there is a new wrinkle to this. Since we have finally gotten this to work we've noticed that SurfControl, while both are enabled, is not functioning correctly. What I thought was a Symantec error message, in Event Viewer/Application, related to the w3proxy.exe issue turns out to be related to SurfControl.
Scenario: Both SurfControl and SAV for ISA are enabled within the ISA array, it doesn't matter which priority (order) they are set at. Using an account that is not allowed to go to several SurfControl Categories, an attempt is made to go to a blocked site, example www.edonkey.com (category Remote Proxy). The blocked page comes up but underneath the page is an ISA error message:

HTTP/1.1 502 Proxy Error ( An Internet Server API (ISAPI) filter has finished handling the request. Contact your system administrator. )
Via:1.1 [ServerName]
Connection: close
Proxy-Connection: close
Pragma: no-cache
Cache-Control: no-cache
Content-Type: text/html
Content-Length: 2358
Along with this there is a Symantec error message in Event Viewer:

Event Type:Error
Event Source:Symantec Web AV Filter
Event Category:None
Event ID:103
Date:11/3/2003
Time:11:37:31 AM
User:N/A
Computer:[ServerName]
Description: An internal/unexpected error has occurred for the Symantec AntiVirus for ISA Server Web filter. Error Identifier(s): CSymCSSWebFilterContext::WriteClient - Failed

Also, an automated email of a blocked page isn't sent to a designated account AND most importantly the "HIT" is not recorded in SurfControl. Note: It is only not recorded when someone attempts to go to a blocked page. All other web traffic is recorded in SurfControl.
I have not related this to my Symantec TAM yet or contacted SurfControl yet to see if they have seen this. Thought I would start here since. Thanks-Todd
This is what I have done to restore CPU utilization down to normal levels: Within the Scan Engine > Configuration > Resources changed; Available threads to 200, Threshold # queued requests to 50, and Max RAM in-memory file system to 512 megs. Ensure that your page file is at least 1.5x as large as the amount of physical RAM and optimized for background processes. Ensure that you have at least one domain controller in the same VLAN as your ISA server to facilitate authentication (gig backplane with gig NICs) seems to work best. Within the ISA MMC > Extensions > Web Filters > Web Av filter utilize the default "Do not scan these MIME types:" setting.
DrLidbom Negative. Scanning of UDP streams is a problem and documented by Symantec. SurfControl provides you the ability to kill streaming media by type. As streaming media can quickly consume all available bandwidth, I restrict it coming into my network to a limited few.
Just wanted to give an update with problem using Symantec for ISA and SurfControl. A SurfControl tech was able to reproduce the problem and has sent it to their development team who has contacted Symantec and MS. When this is finally resolved I will post the resolution.
I wanted to try out Symantec for ISA but read this thread and there seemed to be a lot of problems, however, I noticed all the problems seemed to be related to the combo of SurfControl and Symantec for ISA.
Has anyone run Symantec for ISA ONLY and had good results?
I am running SAV only. No SurfControl. SAV works great, until your users start to stream media that is not in the exceptions lists. When your users try to do that, you're going to lose port 80 (HTTP) traffic until the web proxy service is restarted. We've had to disable the scanner for right now. It is extremely frustrating. Anyone have any more clues on this?
Here is a small cmd line app that will lock CPU utilization to whatever percent you desire. Go to http://threadmaster.tripod.com It's free - may be helpful in stopping w3proxy service racing to consume 100% CPU.
I wanted to update this string since I said I would. We have been testing the latest version of SAV for MS ISA (4.07) in our test lab and it appears that Symantec has fixed the problem. No longer do the two filters, SurfControl and Symantec, conflict with each other when SurfControl blocks a page and Symantec tries to scan it. One thing that was changed in this version is that SAV for MS ISA is set to priority 2/medium.
I have the same problem with the w3proxy service, but I'm running Windows 2003, all hotfixes for Windows and ISA with Burst filtering software and Symantec antivirus for ISA, and the latest build of SAV corporate edition. I am also on the latest build of SAV for ISA (220.127.116.11). So far (in working with Symantec) we have excluded the SAV for ISA directories from the Corporate edition scanning, disabled the Corporate scanning completely, updated builds numerous times, etc, etc. This morning I just set SAV for ISA to only scan exe.s, bat's, etc. We'll see if that does the trick. If not, the software is up for renewal in May, and I'll go with GFI or someone else.