Antivirus Software Symantec v12.x Interferes with Data Acquisition with Analyst® Software

Date: 09/18/2017
Category: Analyst Software

For research use only. Not for use in diagnostic procedures.

Issue Description 

The Analyst® software crashes or freezes when real-time scanning or archiving is enabled in the antivirus software.


The issues with Analyst software stemming from use of the antivirus Symantec version 12 were resolved by employing either of the two following tactics:

1) Disabling the Proactive Threat Protection portion of the Symantec software.

2) Setting the normal exclusions as detailed in the Release Notes: the folders used by Analyst, typically D:\Analyst Data and C:\Program Files\Analyst, should be excluded from any scanning by the application. Some applications also need to have exclusions set for the processes in use: analyst.exe and analystservice.exe. In addition to the exclusions in the Release Notes, the following folders should be excluded: C:\AnalystSD, C:\Program Files\AB SCIEX, and C:\Program Files\National Instruments.

Guidance for Antivirus and Backup Software (from Analyst Software Release Notes)

While it is a widely acknowledged good practice to employ antivirus and backup software, these applications may interfere with the real-time nature of the Analyst software. Some antivirus and backup applications are configured by default to automatically scan and archive a file immediately after creation. Because the Analyst software can perform multiple writes to a single data file during an acquisition sequence, it is important to disable these real-time features to prevent the antivirus or backup software from locking the data file while it is still needed by the Analyst software application. Many widely used applications can be configured to either disable real-time protection or ignore certain file types (for example, .rdb, .wiff and .wiff.scan files). Failure to do so may result in either failed acquisitions or acquisitions that take longer to complete than expected. In general, the antivirus or backup software on the Analyst software acquisition workstations should be configured in a manner that will disable real-time scanning and archiving of files in the Analyst Data folder. For example, when configuring the Symantec Endpoint software, the following settings have been found to increase performance during data acquisition:
  • Antivirus and Antispyware Protection > File System Auto-Protect > File Types: Choose “Selected” and then make sure that the Extensions list does not contain .wiff, .wiff.scan, or .rdb file extensions.
  • Antivirus and Antispyware Protection > File System Auto-Protect > File Types > Advanced > Scan files when: Scan when a file is modified.
For instructions on how to best configure your particular antivirus or backup software, contact your antivirus or backup software provider.
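
Because the folders and file extensions listed above are no longer inspected in real time, a periodic audit of their contents is a useful compensating check. The following is an added example, not part of the original article or of any SCIEX or Symantec tooling: it walks a scan-excluded data folder and flags files that carry an executable header or a script extension. The `SCRIPT_EXTS` list, the function names and the sample files are assumptions constructed for illustration.

```python
import os
import tempfile
# Extensions the article says to leave out of Auto-Protect scanning.
EXCLUDED_EXTS = (".wiff.scan", ".wiff", ".rdb")
# Assumption: extensions treated here as out of place in a data folder.
SCRIPT_EXTS = (".exe", ".dll", ".bat", ".cmd", ".ps1", ".vbs", ".js", ".scr")

def classify(path):
    """Return a reason string if the file looks out of place, else None."""
    name = os.path.basename(path).lower()
    try:
        with open(path, "rb") as fh:
            magic = fh.read(2)
    except OSError as exc:  # e.g. file locked by a running acquisition
        return "unreadable: %s" % exc.__class__.__name__
    is_pe = magic == b"MZ"  # DOS/PE executable header
    if name.endswith(EXCLUDED_EXTS) and is_pe:
        return "executable content behind an excluded data extension"
    if is_pe or name.endswith(SCRIPT_EXTS):
        return "executable or script in a scan-excluded folder"
    return None

def audit(root):
    """Walk an excluded folder and return sorted (relative_path, reason) pairs."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            full = os.path.join(dirpath, fname)
            reason = classify(full)
            if reason:
                findings.append((os.path.relpath(full, root), reason))
    return sorted(findings)

def build_sample_tree(root):
    samples = {  # constructed files standing in for the Analyst Data folder
        "run01.wiff": b"\x00constructed acquisition data",
        "run01.wiff.scan": b"\x00constructed scan data",
        "results.rdb": b"MZ\x90\x00constructed PE header",
        "helper.ps1": b"Write-Output 'constructed'",
    }
    for name, data in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        print(audit(tmp))
```

Run `audit()` against the data folder between acquisitions, since files held open by a running acquisition are reported as unreadable rather than inspected.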