NIS 2009 does not correctly track System Usage versus Norton Usage


I am using NIS 2009, retail (build 125)

Also, NSW 2008 basic edition

 

I know that svchost is MS and ccsvchst is Norton.  But what I saw was a huge increase in svchost activity during the update process.  And (much more to the point):

    a.  this activity ceased the moment I shut off Auto AV; and

    b.  increased again the moment I turned Auto AV back on.

 

Look at the four bottom screenshots of the TaskManager.

   The first two are with Auto AV on.

   The third one is with Auto AV off.

   The fourth one is with Auto AV back on.

 

The second, third and fourth screenshots were all within the same two minute period; and the only possible explanation for the drop and increase in svchost activity must be the only change that occurred at the same time: the manual shutting off then turning back on of Auto AV.

 

 

So what I am trying to say, is that somehow the Auto AV behavior of NIS is invoking a large amount of svchost behavior by MS software.

 

I hope this clarifies things.

 

However, since that time I have seen no similar behavior; so perhaps it is only related to MS Update or else it is related to Norton Insight thinking it had found an idle time within which to work.  Or something else.  I will let you know what I learn if and when I see this behavior again.

Yesterday, I ran MS Update and noticed that the scan for updates was taking substantially longer than expected.  The same thing happened with the downloads, so I opened NIS 2009 and checked the usage graphs and opened the Task Manager to check actual usage there.

 

Here is what I found out.  svchost was running extremely high, but the usage graphs said otherwise.

 

Here is the actual Task Manager report during the update download:

 

 

Notice the high figure for svchost (over 10% of all available RAM).  Actually the figure varied up and down -- I just didn't get a quick enough click to show how much higher it went.

 

 

The next screenshot shows activity during the installation process which lasted about four times as long as it usually does:

 

 

The install wouldn't get past the initialize stage for so long (at least 15 to 20 minutes), I decided to intervene.  I turned off Automatic AV and immediately things sped up.  Initialization was concluded within seconds and the installation went faster than it had even with NIS 2008.  The following screenshot with Auto AV off, showing the NIS report juxtaposed with the simultaneous TM report, shows why the installation sped up:

 

 

 

 

After installation, I turned Auto AV back on.  Immediately Norton began taking over the RAM.  The following screenshot shows what NIS2009 "thinks" is happening compared with what the TaskManager shows is actually happening.  Notice that NIS2009 shows 0% Norton usage while the TM report says something entirely different.

 

 

The problem is that a Microsoft or Windows Update involves numerous file checks.  Every file that is examined also gets checked by Norton Auto AV.  That means, when Microsoft looks at a file and checks the date, Norton looks at the file and checks the signature for malware -- a much lengthier procedure.  Likewise, when Microsoft begins installing, every file it deletes, moves, renames, examines, or writes over, and every log entry it makes regarding this activity, triggers a Norton signature check.  Moreover (I am purely guessing here, but it is an educated guess), it seems that NIS 2009 mistakes this time as Idle Time, perhaps because the user isn't doing much, and is trying to run processes of its own.  Whatever is going on, it is using up all the resources right at the point that they need to be available.

 

Perhaps many of the files Norton checks will be given a clean bill of health for the future and Norton won't be so intrusive during an update.  Unfortunately, I won't actually know the answer to that question for another month.

 

Addendum:

I am still tired from an eight hour installation bout with NIS 2009, so I need to clarify what I am saying.  (sheesh, I'm exhausted)  Anyway, I know that svcHost is not the same as ccsvchst, but what I am seeing shows svcHost immediately lessening substantially the moment I shut off Auto AV.  So, somehow, when Norton is active, it causes substantial activity to occur that invokes svcHost.

 

Message Edited by mijcar on 09-10-2008 09:25 AM

Hi mijcar, sorry for your troubles with Windows Update.

 

I did notice that you later made a correction to your post.

But, first I'd like to point out that "svchost.exe" is a Microsoft application, not a Symantec application.

"svchost.exe" is a generic container process that is used to host multiple Microsoft services.

 

The Microsoft "svchost.exe" is not to be confused with the Norton "ccsvchst.exe" process.

This explains why the NIS 2009 CPU graph did not count the Microsoft CPU usage as Norton CPU usage. 

 

 

I cannot explain why the Microsoft "svchost.exe" process was using so much CPU time or so much memory.

What you may try to do is to install SysInternals (now Microsoft) Process Explorer, and investigate further.

Process Explorer will tell you what services are running in that process space; a simple way to see this is to just hover the mouse over the process, and the tooltip will show what services are running.

 

Please let us know what you find, and also if you are now running NIS 2008 or NIS 2009 (retail), and from your processes it looks like you are also running NSW, what version?

 

You may also be interested in our detailed post on how the CPU meter works.

 

Pieter
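
Added example (not part of the posts above and not Symantec or Microsoft code): a PowerShell version of the check suggested in the reply, listing which services each svchost.exe instance hosts next to its memory and CPU time. It assumes PowerShell 3.0 or later and an elevated prompt; the function name `Get-HostedService` is made up for this example.

```powershell
# Added example: attribute svchost.exe / ccsvchst.exe resource use to hosted services.
function Get-HostedService {
    param(
        # Process names to inspect; defaults to the two hosts discussed in this thread.
        [string[]]$Name = @('svchost', 'ccsvchst')
    )

    # Index running services by the PID of the process that hosts them.
    $byPid = @{}
    foreach ($svc in Get-CimInstance -ClassName Win32_Service -Filter "State = 'Running'") {
        $key = [int]$svc.ProcessId
        if (-not $byPid.ContainsKey($key)) { $byPid[$key] = @() }
        $byPid[$key] += $svc.Name
    }

    # One row per host process, largest working set first.
    Get-Process -Name $Name -ErrorAction SilentlyContinue |
        Sort-Object -Property WorkingSet64 -Descending |
        ForEach-Object {
            [pscustomobject]@{
                Process      = $_.ProcessName
                Id           = $_.Id
                WorkingSetMB = [math]::Round($_.WorkingSet64 / 1MB, 1)
                # CPU is $null when the process cannot be opened (non-elevated prompt).
                CpuSeconds   = if ($null -ne $_.CPU) { [math]::Round($_.CPU, 1) } else { $null }
                Services     = if ($byPid.ContainsKey($_.Id)) { $byPid[$_.Id] -join ', ' } else { '(none registered)' }
            }
        }
}

Get-HostedService | Format-Table -AutoSize -Wrap
```

Running it once with the real-time scanner on and once with it off gives the same comparison as the Task Manager screenshots, but broken down per hosted service.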