• RSS
  • Twitter
  • FaceBook

Welcome to ISAserver.org

Forums | Register | Login | My Profile | Inbox | RSS RSS icon | My Subscription | My Forums | Address Book | Member List | Search | FAQ | Ticket List | Log Out

ISA and Symantec Anti Virus - w3proxy.exe Problem

Users viewing this topic: none

Logged in as: Guest
  Printable Version
All Forums >> [ISA Server 2000 Misc.] >> 3rd Party Add-ons >> ISA and Symantec Anti Virus - w3proxy.exe Problem Page: [1] 2   next >   >>
Login
Message << Older Topic   Newer Topic >>
ISA and Symantec Anti Virus - w3proxy.exe Problem - 6.Oct.2003 9:24:00 PM   
ToddCarr001

 

Posts: 9
Joined: 6.Oct.2003
From: KS
Status: offline
I currently have two ISA servers in an array with the latest version of Symantec Anti Virus for ISA (4.03 of the SAVISA connector, 4.05 of SAVSE) installed and am having major issues with the w3proxy.exe proccess consuming the CPU until no traffic is allowed through. Trying to end task this process won't work so I have to bounce the servers and this takes care of the problem. Symantec support says that it is because I have to much traffic going through it and that I need additional scan engines (on additional servers) to load balance the scanning. I was also told by Symantec that they "haven't seen this before" when discussing the w3proxy.exe issue. This problem however ONLY occurs when SAV for ISA is enabled.

The two servers in the array by no means comes even close to 15% cpu usage during the heaviest traffic (when SAV for ISA is NOT enabled),during lunch time which is when the problem occurs. So I am not sold on his canned response of needing more scann engines.

More background info:
-followed Symantec's other config recommendations (don't scan URLCache folder since these are proxy servers as well)
-Only use ISA servers for web traffic, no SMTP traffic goes through
-SurfControl Web Filter is also installed on ISA servers

Any help would be appreciated.
Post #: 1
RE: ISA and Symantec Anti Virus - w3proxy.exe Problem - 9.Oct.2003 11:35:00 AM   
dgj2003

 

Posts: 19
Joined: 3.Jun.2003
From: Cymru / Wales
Status: offline
Which version of SurfControl Web Filter are you using?
I had the CPU problem on a previous version of SurfControl (4.1 with no Service Packs I think)
Version 4.2 solved the CPU issue, while 4.5 (current version) is quite a bit better.

(Using Interscan as the HTTP/SMTP anti-virus on the same box)

(in reply to ToddCarr001)
Post #: 2
RE: ISA and Symantec Anti Virus - w3proxy.exe Problem - 14.Oct.2003 5:13:00 PM   
ToddCarr001

 

Posts: 9
Joined: 6.Oct.2003
From: KS
Status: offline
Thanks for posting.

Version 4.2 is what we are currently using. I didn't know that 4.5 was out. I will have to look into that.

Thanks.

(in reply to ToddCarr001)
Post #: 3
RE: ISA and Symantec Anti Virus - w3proxy.exe Problem - 15.Oct.2003 8:40:00 PM   
drlidbom

 

Posts: 9
Joined: 15.Oct.2003
Status: offline
Find out if your users are using any streaming media that is not excluded in the web filter scanning. That can cause the exact problem you indicated. Let me know if you talk to Symantec and find a good solution to this problem.

(in reply to ToddCarr001)
Post #: 4
RE: ISA and Symantec Anti Virus - w3proxy.exe Problem - 21.Oct.2003 8:22:00 PM   
livinlucid

 

Posts: 8
Joined: 13.Mar.2003
From: Midwest
Status: offline
I am having the same problem with the Symantec Scan Engine and our ISA server. I was also told by Symantec support that they haven't seen this issue before and I have been working with them on this for over 3 months now with no resolution. If anyone does finally get a solution to this issue, please post it as I am tired of dealing with Symantec at this point.

(in reply to ToddCarr001)
Post #: 5
RE: ISA and Symantec Anti Virus - w3proxy.exe Problem - 27.Oct.2003 5:24:00 PM   
ToddCarr001

 

Posts: 9
Joined: 6.Oct.2003
From: KS
Status: offline
I'm sure we do have streaming media being used.

The only streaming media file extensions I come up with to exclude are: .asf, .wmv, and wma

Any other ones I should try? I will add these to the list of what not to scan and see what happens.

Thanks

(in reply to ToddCarr001)
Post #: 6
RE: ISA and Symantec Anti Virus - w3proxy.exe Problem - 28.Oct.2003 4:10:00 PM   
drlidbom

 

Posts: 9
Joined: 15.Oct.2003
Status: offline
Check out what I posted at:
http://forums.isaserver.org/ultimatebb.cgi?ubb=get_topic;f=2;t=008772

I added .rad for Rhapsody, but I'm sure there are more...we only have a few users using streaming media.

Also, Symantec told me to investigate somehow moving my streaming media users to a different port than 80.

(in reply to ToddCarr001)
Post #: 7
RE: ISA and Symantec Anti Virus - w3proxy.exe Problem - 29.Oct.2003 5:01:00 PM   
isatechie

 

Posts: 2
Joined: 29.Oct.2003
From: Chattanooga, TN
Status: offline
Todd,

I'm also running NAV for MS-ISA server on our ISA firewalls. We've experienced similiar problems with the W3Proxy.exe service consuming excessive amounts of CPU time.

I've gotten a partial workaround to where we don't have to reboot our servers- which is not acceptable in our environment during normal business hours. For the workaround, you'll need two W2K Server Resource kit-specific files, which are "tlist.exe" and "kill.exe"

After you install them and notice that you are having problems with the W3Proxy.exe, do the following:

Open a cmd prompt, and at C:>\ type "tlist" (without the quotations)- you will then see a list of all tasks running on your ISA server, along with the PID# (Process Identifier) for each. For example, a recent tlist look on my ISA Server showed PID# 1880 for W3Proxy.exe. Write down your PID# for the W3Proxy.exe as soon as tlist.exe retrieves it. You'll need this in a moment.

Now let's open another cmd prompt. At C:>\ type the following command (again, without quotations)
"net start w3proxy.exe" but DON'T hit the enter key just yet. Now, let's go back to the cmd prompt with the tlist readings. At the cmd prompt, such as C:\Winnt please type the following command "kill -f 1880" and then hit the enter key. This will kill the W3Proxy.exe within the blink of an eye. The key here is to typing in the correct PID# in the cmd line arguement. 1880 is a variable, in this example.

Next, let's go back to your other cmd prompt, where you typed "net start W3proxy.exe" and now hit the Enter key. This will restart the W3Proxy.exe service.

I am currently working on a script that will monitor the W3proxy.exe service, and if it begins consuming excessive CPU cycles, the script will fire off, get the %PID%, kill the W3Proxy service, pause for a few seconds, and then restart the W3Proxy.exe service. As soon as I get the script to where it will work, I'll be happy to share it with everyone at ISA.org. Good luck.

Jeff Leamon, MCSE, MCP+I

(in reply to ToddCarr001)
Post #: 8
RE: ISA and Symantec Anti Virus - w3proxy.exe Problem - 29.Oct.2003 10:01:00 PM   
mfisher123

 

Posts: 4
Joined: 29.Oct.2003
From: Pensacola, FL
Status: offline
I'm in the same situation. ISA SP1-FP1 on W2k SP4, SurfControl 4.2, and SAVISA 4.0.5.47. Wc3proxy.exe racing to 100% CPU. Applied MS patch isah257.exe per MKBA - 331066 no change.

(in reply to ToddCarr001)
Post #: 9
RE: ISA and Symantec Anti Virus - w3proxy.exe Problem - 3.Nov.2003 6:41:00 PM   
ToddCarr001

 

Posts: 9
Joined: 6.Oct.2003
From: KS
Status: offline
Thanks DrLidbom. At least with my installation I have added the three extensions (.asf, .wmv, and .wma) and w3proxy.exe hasn't cosumed 100% CPU for several days now. Before it was within a couple of hours of enabling SAV for ISA that 100% was reached. I am also our anti-virus guy and don't recall hearing of any of these extensions, yet, possibly being used as a carrier to a virus(worm, trojan). Regardless those extensions will be scanned at the desktop.

Now though there is a new wrinkle to this. Since we have finally gotten this to work we've noticed that SurfControl, while both are enabled, is not functioning correctly. What I thought was a Symantec error message, in Event Viewer/Application, related to the w3proxy.exe issue turns out to be related to SurfControl.

Scenario: Both SurfControl and SAV for ISA are enabled within the ISA array, it doesn't matter which priority (order)they are set at. Using an account that is not allowed to go to several SurfControl Categories, an attempt is made to go a blocked site, example www.edonkey.com (category Remote Proxy). The blocked page comes up but underneath the page is an ISA error message:

HTTP/1.1 502 Proxy Error ( An Internet Server API (ISAPI) filter has finished handling the request. Contact your system administrator. ) Via:1.1 [ServerName] Connection: close Proxy-Connection: close Pragma: no-cache Cache-Control: no-cache Content-Type: text/html Content-Length: 2358

Along with this there is a Symantec error message in Event Viewer:

Event Type:Error Event Source:Symantec Web AV Filter Event Category:None Event ID:103
Date:11/3/2003 Time:11:37:31 AM
User:N/A Computer:[ServerName]
Description:
An internal/unexpected error has occurred for the Symantec AntiVirus for ISA Server Web filter. Error Identifier(s): CSymCSSWebFilterContext::WriteClient - Failed

Also, an automated email of a blocked page isn't sent to a designated account AND most importantly the "HIT" is not recorded in SurfControl. Note: It is only not recorded when someone attempts to go to a blocked page. All other web traffic is recorded in SurfControl.

I have not related this to my Symantec TAM yet or contacted SurfControl yet to see if they have seen this. Thought I would start here since.
Thanks-Todd

(in reply to ToddCarr001)
Post #: 10
RE: ISA and Symantec Anti Virus - w3proxy.exe Problem - 4.Nov.2003 7:55:00 PM   
mfisher123

 

Posts: 4
Joined: 29.Oct.2003
From: Pensacola, FL
Status: offline
This is what I've have done to restore CPU utilization down to normal levels: Within the Scan Engine > Configuration > Resources changed; Available threads to 200, Threashold # queued requests to 50, and Max RAM in-memory file system to 512 megs. Ensure that your page file is at least 1.5x as large as the amount of physical RAM and optimized for background processes. Ensure that you have at least one domain controller in the same VLAN as your ISA server to facilitate authentication (gig backplane with gig NICs) seems to work best. Within the ISA MMC > Extensions > Web Filters > Web Av filter utilize the default "Do not scan these MIME types:" setting.

(in reply to ToddCarr001)
Post #: 11
RE: ISA and Symantec Anti Virus - w3proxy.exe Problem - 5.Nov.2003 10:24:00 PM   
drlidbom

 

Posts: 9
Joined: 15.Oct.2003
Status: offline
Gamb0aFrog,

Have you confirmed that what you did will even fix this problem for those of us who are having problems due to users streaming media that we cannot identify?

(in reply to ToddCarr001)
Post #: 12
RE: ISA and Symantec Anti Virus - w3proxy.exe Problem - 6.Nov.2003 7:02:00 PM   
mfisher123

 

Posts: 4
Joined: 29.Oct.2003
From: Pensacola, FL
Status: offline
DrLidbom
Negative. Scanning of UDP streams is a problem and documneted by Symantec. SurfControl provides you the ability to kill streaming media by type. As streaming media can quickly consume all available bandwidth, I restrict it coming into my network to a limited few.

(in reply to ToddCarr001)
Post #: 13
RE: ISA and Symantec Anti Virus - w3proxy.exe Problem - 14.Nov.2003 10:33:00 PM   
ToddCarr001

 

Posts: 9
Joined: 6.Oct.2003
From: KS
Status: offline
Just wanted to give an update with problem using Symantec for ISA and SurfControl. A SurfControl tech was able to reproduce the problem and has sent it to their development team who has contacted Symantec and MS. When this is finally resolved I will post the resolution.

(in reply to ToddCarr001)
Post #: 14
RE: ISA and Symantec Anti Virus - w3proxy.exe Problem - 15.Nov.2003 4:03:00 AM   
HDClown

 

Posts: 55
Joined: 24.Sep.2003
Status: offline
I wanted to try out Symantec for ISA but read this thread and there seemed to be a lot of problems, however, I noticed all the problems seemed to be related to the combo of SurfControl and Symantec for ISA.

Has anyone run Symantec for ISA ONLY and had good results?

(in reply to ToddCarr001)
Post #: 15
RE: ISA and Symantec Anti Virus - w3proxy.exe Problem - 17.Nov.2003 8:32:00 PM   
drlidbom

 

Posts: 9
Joined: 15.Oct.2003
Status: offline
I am running SAV only. No SurfControl. SAV works great, until your users start to stream media that is not in the exceptions lists. When your users try to do that, you're going to lose port 80 (HTTP) traffic until the web proxy service is restarted. We've had to disable the scanner for right now. It is extremely frustrating. Anyone have any more clues on this?

(in reply to ToddCarr001)
Post #: 16
RE: ISA and Symantec Anti Virus - w3proxy.exe Problem - 3.Dec.2003 1:04:00 PM   
mfisher123

 

Posts: 4
Joined: 29.Oct.2003
From: Pensacola, FL
Status: offline
Here is a small cmd line app that will lock CPU utilization to whatever percent you desire.
Goto http://threadmaster.tripod.com
It's free - may be helpful in stopping w3cproxy service racing to consume 100% cpu.

(in reply to ToddCarr001)
Post #: 17
RE: ISA and Symantec Anti Virus - w3proxy.exe Problem - 26.Feb.2004 10:31:00 PM   
ToddCarr001

 

Posts: 9
Joined: 6.Oct.2003
From: KS
Status: offline
I wanted to updat this string since I said I would. We have been testing the latest version of SAV for MS ISA (4.07) in our test lab and it appears that Symantec has fixed the problem. No longer do the two filters, SufControl and Symantec, conflict with each other when SurfControl blocks a page and Symantec tries to scan it. One thing that was changed in this version is that SAV for MS ISA is set to priority 2/medium. ---

(in reply to ToddCarr001)
Post #: 18
RE: ISA and Symantec Anti Virus - w3proxy.exe Problem - 16.Apr.2004 3:49:00 PM   
oleary

 

Posts: 29
Joined: 24.Mar.2001
From: USA
Status: offline
I have the same problem with the w3proxy service, but i'm running Windows 2003, all hotfixes for Windows and ISA with Burst filtering software and Symantec antivirus for ISA, and the latest build of SAV corporate edition. I am also on the latest build of SAV for ISA (4.3.1.20) So far (in working with Symantec) we have excluded the SAV for ISA directories from the Corporate edition scanning, disabled the Corporate scanning completely, updated builds numerous times, etc, etc. This morning I just set SAV for ISA to only scan exe.s, bat's, etc. We'll see if that does the trick. If not, the software is up for renewal in May, and I'll go with GFI or someone else.

(in reply to ToddCarr001)
Post #: 19
RE: ISA and Symantec Anti Virus - w3proxy.exe Problem - 19.Apr.2004 2:28:00 PM   
oleary

 

Posts: 29
Joined: 24.Mar.2001
From: USA
Status: offline
No dice, w3proxy still using all the CPU. tonight I'm removing it, and installing GFI Download security.

(in reply to ToddCarr001)
Post #: 20

Page:   [1] 2   next >   >> << Older Topic    Newer Topic >>
All Forums >> [ISA Server 2000 Misc.] >> 3rd Party Add-ons >> ISA and Symantec Anti Virus - w3proxy.exe Problem Page: [1] 2   next >   >>
Jump to:

New Messages No New Messages
Hot Topic w/ New Messages Hot Topic w/o New Messages
Locked w/ New Messages Locked w/o New Messages
 Post New Thread
 Reply to Message
 Post New Poll
 Submit Vote
 Delete My Own Post
 Delete My Own Thread
 Rate Posts