Slowdown With On-Execution Scans

Userlevel 3
Hi all.
Unfortunately WRSA is causing some annoying slowdowns for me on two different computers at home.  I've posted about the issue on the Wilders Forum (hello any fellow WilderBeasts!) and also have a support ticket open.  Angela from the Sydney office has reproduced the issue, but as it seems to be a rare problem a fix has been a long time coming.  I'm hoping to see if anyone here has experienced the same problem, as I'm feeling "special" in a bad kind of way :(
Firstly, the issue only occurs if one user logs off and another user subsequently logs on.  There are no problems when the computers are first switched on.  Secondly, the issue is fixed if WRSA is shut down and then restarted.  The problem will then only re-appear following another logoff/logon event.
Whenever a new or updated program is run, WRSA performs an on-execution scan of any files (exes, dlls etc.) which are loaded.  If no logoff/logon has occurred the scan happens at WRSA's normal speed and no slowdown is experienced.  However, if a new or updated program is run following a logoff/logon it can sometimes take as long as 5 minutes for WRSA to complete it's on-execution scans and the program is finally permitted to load.
By observing the "Authenticating Files Pop-Up Screen" it can be seen that there is a delay of anywhere from 10-30 seconds occurring before each loaded file is scanned.  The scan itself is quick - it is the delay before each scan commences that causes the problem.  For example, if 10 files are scanned it can take 10 x 30 = 300 seconds before the loaded program becomes reponsive.  There is no CPU or Disk usage occuring - WRSA is just waiting between scans.
Both are modern computers running Windows 7 (one 64-bit the other 32-bit) and there are no other security programs running.  Apart from this problem WRSA runs well and the Support Staff have been great, I just wish I could find more users with the same problem so it can get fixed!

Best answer by MikeR 10 October 2012, 17:53

View original

10 replies

Userlevel 7
I'm getting in touch with Angela to see where this stands with development's role in this case, and I'll let you know as soon as I find out.
In taking a quick glance at the case however, I'm noticing at least one thing that is different on your system than most people's that may be a contributing factor.  You have your heuristics cranked up higher than the default settings.  Inevitably, this will result in more analysis of files and potentially more sandboxing actions.  Keep in mind, sandboxing is running the program itself in a virtualized environment to see what happens before it's allowed to run normally in a real environment.  Necessarily, this is going to be a bit slower than not sandboxing the apps.
I realize the data I'm looking at in the ticket is quite old, but assuming you haven't changed the heuristics, I'd try setting Local back to Medium, Low, Low instead of the High, Medium, Medium where it's currently* at.  Please let us know if that helps or not.  🙂
Userlevel 7
Badge +56
Hello zorak nice to see another familer name from Wilders and Welcome to the Webroot Community Forums!  ;)
Userlevel 3
Thanks JimM for your interest!
With regard to heuristics settings, the problem occurs no matter where they are set.  Most testing for this issue was done with all settings at their defaults.  Please note, no programs are actually being monitored or in sandbox mode.  The behaviour even occurs with built-in windows components eg. Control Panel items, Windows Media Player etc.
Process Monitor traces were provided to Support which seemed to indicate that WRSA was just waiting 10-30 seconds before commencing the scan of each individual file before it was loaded.  The fact it only occurs after a logoff/logon event, and is cured by a shutdown/restart of WRSA, would indicate there is some weird interaction happening between WRSA and the OS during the logoff/logon process.  If I knew how, I could probably just create a script that automatically shutdown and then restarted WRSA at every logon and the problem would be solved!
PS.  please don't "harass" Angela too much, she has been very good to me! 😉
Userlevel 3
Thanks Trip for the welcome! 😃
Userlevel 5
Welcome from me also. I hope Webroot find the cause of your issue with reference to logging on and off. There is probably a shutdown script on the 'net somewhere, but I'd stay clear, just in case.
Userlevel 3
Thanks TonyW for the welcome.  If I reply to all the welcomes then at least I will get my post count up - ha ha!
I agree - a shutdown script from the net would not be a good idea!  I would probably run into UAC problems anyway as we all logon here as standard users.  And before anyone suggests it - the problem also occurs in the admin account 😉
Userlevel 7
I got in touch with Angela regarding the ticket you had open, and it appears she escalated the case to our lead developer.  At the moment, he's still investigating.  I'll keep an eye on the case and update the status of the issue here when it seems like there has been some progress.
Userlevel 3
Thanks a lot JimM - I appreciate it.  As I advised Angela, I'm available for another remote session and willing to help troubleshoot the issue in any way I can.  If it helps me, it will help others as well (unless there really are no others with the same problem!!!).
Userlevel 3
I'm updating this thread as the problem I was having seems to have been at least partially solved!
After running version for a couple of weeks now on both PCs I've found that on-execution scans are now being processed much faster.  Any delays are now measured in seconds rather than minutes - except when the "Show Authenticating Files Pop-up" is selected.  When this feature is turned on the same old behaviour occurs.  This is not a major problem however, as I only really use this function to monitor the slowdowns.  If the slowdowns are no longer occurring then I can happily live with this setting disabled!
I am fairly certain I had tried disabling this setting in the past with no luck, so the new version seems to have improved things considerably.  Thanks to Webroot Support and the Development Team 😃
Userlevel 7
That is good news zorak. ;)
The setting you are referring to is not applied when using the recommended default settings. I am glad there are no performance issues with it turned off!