Malicious Software Remove Tool clogs network and clients

    Question

  • I have a network using Small Business Server 2011, and the client computers are predominately Windows 7.  I finally discovered why my network and the machines slow down to a crawl every once in a while.

    It appears that MRT scans files residing on other machines (offline files).  It looks like MRT scans any file that is already offline (i.e., in the CSC directory) on the machine being scanned AND on the networked location.  Using the Redirected folders, the users' profile is on the server AND there's an offline copy on each machine the user uses.  This creates a sh__load of network traffic to do the redundant scans.

    IMHO MRT should scan only the copy of a file sitting on the machine being scanned at the time.


    - Michael Faklis

    Wednesday, June 20, 2012 7:28 PM

All replies

  • ... and the question is?

    1. Perhaps the Process Monitor would give you the answer about the functionality of MRT.

    2. I have looked for MRT internals, but found nothing specific.

    3. The security is not restricted to MRT, there are other solutions...

    Regards

    Milos

    Wednesday, June 20, 2012 8:14 PM
  • Hi,

    Do you mean if you disable this malicious software removal tool, this issue would be gone?

    Alex Zhao

    TechNet Subscriber Support

    If you are TechNet Subscription user and have any feedback on our support quality, please send your feedback here.


    Alex Zhao

    TechNet Community Support

    Thursday, June 21, 2012 9:06 AM
    Moderator
  • When MRT is installed, it does a default Quick scan for low-hanging fruit.  The full scan scans offline files on the PC being scanned as well as the server where the master files are kept.  This is where the problem lies.  The customized scan allows you to add folders to the quick scan.  There is no option to tell MRT to ignore networked drives and/or redirected folders.

    I say, IMHO let MRT scan the computer it's running on (period).   Mirrored copies (in CSC) can be scanned on the local machine in the CSC folder, but the master files that are referred to by offline files (mirrored) and redirected files (on another machine, and probably mirrored) should be scanned on the machine they reside on.  There's no need to drag down the network (and network clients) with redundant scans of remote files.


    - Michael Faklis

    Thursday, June 21, 2012 8:09 PM
  • Hi,

    Does this issue still trouble you?

    Regards,

    Alex Zhao

    Monday, June 25, 2012 2:03 AM
    Moderator
  • Alex:

    Doesn't it bother you, or are you obligated to minimize open cases?

    As is, MRT is a problem for anyone residing in a networked environment.  It may be that most Windows users are running a single machine without a networked infrastructure.  In my circle of friends and colleagues the official data stores are all on the network servers and their primary workstations are using encrypted offline files, or accessing the network directly.

    Yes, IMHO this is a problem.


    - Michael Faklis

    Monday, June 25, 2012 1:48 PM
  • Hi,

    As we know, Malicious Software Removal Tool is used to help users to remove malicious software from computers. So, based on my understanding, a basic scan should be performed to check the areas of the system most likely to contain malicious software. The customized scan is just to add the contents of a user-specified folder. This is just designed for security.

    Meanwhile, Microsoft Malicious Software Removal Tool does not replace an antivirus product, it is just used to remove malicious software from an already-infected computer, but antivirus products block malicious software from running on a computer. So we strongly recommend installing an antivirus product.

    Alex Zhao

    Tuesday, June 26, 2012 2:53 AM
    Moderator
  • Interesting.  Rather than fix the problem, you seem to twist the justification in order to declare it a feature and not a problem.  That's an old trick of "IBM" back when they were the industry leader. 

    "We" believe that MRT is just one tool in the arsenal to identify and fix malware.  No one should depend upon MRT, just as no one should depend on any single tool.  "We" believe that adequate security should be based on multiple layers of tools including but not limited to firewalls, anti-malware (of different types including anti-virus), and limited user authorization.  Additionally, adequate protection doesn't rely on a single vendor's solution.  It's reasonable to assume that security tool "A" is checking a different subset of known threats than product "B", and even where there is overlap the two products are checking the same threat in a different manner.

    So while MRT is just another tool in your arsenal of anti-malware tools, it should not clog up the network, client machines, or servers with redundant checks across the network.  IMHO, this is a bug that MS should be notified of so they can fix it.

    So I agree with part of your last post, but MRT's full system scan needs to be fixed.


    - Michael Faklis

    Tuesday, June 26, 2012 1:54 PM
  • Hi Michael,

    Thank you for your feedback on MRT product.

    But how do you identify that MRT causes network traffic? MRT is now released as an important update to our customers to defend against malicious software. I mean, it would be a serious problem if the product does have this problem. I'd appreciate it if you could share your findings with us. I also captured a Process Monitor trace during MRT scanning, but no packets are sent by MRT.

    Could it possibly be a system perf issue on the specific machine? My assumption is that, if a server is running out of RAM/CPU resource, and running a MRT full scan at that time, possibly, it slows down the system and eventually affects responses to network packets.

    Thanks, Brian


    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

    Thursday, June 28, 2012 2:24 AM
  • I opened the Resource Monitor applet for the machines on my test network.  IP traffic rose, and performance dropped, when MRT was scanning local copies of offline files on both that machine and the machine that hosts the master copy of those off-line files.  There was no network performance hit when MRT was scanning local files.

    - Michael Faklis

    Thursday, June 28, 2012 3:24 PM
  • MRT checks the local copy of offline files, not network sources. You could try a Netmon trace to find the exact process that increases the IP traffic... all I could tell, MRT is generally working smoothly from most feedback, so I could think of the following possibilities:

    1. Conflict with a 3rd party app when running? If you do install another security app, you could try completely uninstalling it or disabling it, and boot the machine in Clean Boot status?

    2. Virus infected? Try a full scan using another tool, e.g. Microsoft Security Essentials.

    3. Still suspect Offline Files/CSC folder? Maybe you could completely clear the offline files cache and then disable the service; how's MRT running then?

    4. Customize scan folder, capture netmon trace, resource monitor.

    Thanks, Brian


    Friday, June 29, 2012 11:08 AM
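
One way to record the correlation argued over in this thread, as an added PowerShell example that is not part of any post: it samples the interface-wide `Bytes Total/sec` counter and logs whether `mrt.exe` is running at each sample. The sample count, interval and CSV path are assumptions, and the counter shows correlation only, not which process generated the traffic.

```powershell
# Added example (not from the thread): correlate NIC throughput with MRT activity.
# Run on the client (and again on the file server) while a scan is started and stopped.
param(
    [int]$Samples     = 60,                                   # assumption: 60 samples
    [int]$IntervalSec = 5,                                    # assumption: 5 s apart
    [string]$OutCsv   = "$env:TEMP\mrt-net-correlation.csv"   # hypothetical output path
)

# Interface-wide rate counter; summed over all adapters on the machine.
$counter = '\Network Interface(*)\Bytes Total/sec'

$rows = for ($i = 0; $i -lt $Samples; $i++) {
    # One cooked (rate) sample per loop iteration.
    $set   = Get-Counter -Counter $counter -SampleInterval $IntervalSec -MaxSamples 1
    $bytes = ($set.CounterSamples | Measure-Object -Property CookedValue -Sum).Sum

    # Is the Malicious Software Removal Tool process present right now?
    $mrt = Get-Process -Name mrt -ErrorAction SilentlyContinue
    $cpu = 0
    if ($mrt) { $cpu = ($mrt | Measure-Object -Property CPU -Sum).Sum }

    New-Object PSObject -Property @{
        Time           = $set.Timestamp
        MrtRunning     = [bool]$mrt
        MrtCpuSec      = [math]::Round($cpu, 1)
        NetBytesPerSec = [math]::Round($bytes)
    } | Select-Object Time, MrtRunning, MrtCpuSec, NetBytesPerSec
}

# Keep the raw samples so they can be lined up with a Netmon trace by timestamp.
$rows | Export-Csv -Path $OutCsv -NoTypeInformation

# Average throughput with and without mrt.exe running.
$rows | Group-Object -Property MrtRunning | ForEach-Object {
    $avg = ($_.Group | Measure-Object -Property NetBytesPerSec -Average).Average
    "{0,-18} samples={1,3} avgBytesPerSec={2:N0}" -f "MrtRunning=$($_.Name)", $_.Count, $avg
}
```

Comparing the two averages from a run that spans both a local-only scan and a scan that reaches the offline files gives a repeatable version of the Resource Monitor observation, and the CSV timestamps can be matched against a network capture to see which hosts the traffic went to.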