Client Security slow logon issue

After installing the most recent antimalware update (KB971026), some Client Security customers have reported that their managed Windows XP SP2 and SP3 clients take longer to log on after a reboot. Our support and sustained engineering teams have researched this issue and want to provide additional information and workarounds.

Cause

During the initialization of the antimalware service, FCS does the following:

1. Loads the kernel-mode mini-filter (mpfilter.sys) and starts filtering

2. Sets up the communication port

3. Creates Engine configuration <-- delay occurs here

4. Creates On-Access worker threads

The problem arises when there is a delay in Step 3. In this situation, the mini-filter has already begun filtering file I/O requests, but there are no On-Access worker threads available yet to service the scanning requests. We have found that these delays typically come from network-based file exclusions being set via the Advanced Policy tab in the Client Security management console.

[Screenshot: network-based file exclusions on the Advanced Policy tab of the Client Security management console]

The delay occurs when the client receives the UNC paths (e.g. \\server\share) and converts them to the device names that the mini-filter uses. During this conversion the FCS client accesses the path in the exclusion. Slow or ACCESS_DENIED responses to these network requests increase the time spent in Step 3 above and cause delays before the mini-filter requests can be handled (Step 4).

The result is that the file I/O in other processes, including those responsible for logon like Winlogon.exe, is queued until all the network requests for exclusions complete or for the duration of the mini-filter timeout. This issue became more visible in the most recent antimalware update (KB971026) because the mini-filter timeout was increased.

Workarounds

While Microsoft determines the long term solution to this problem, there is a recommended workaround: eliminate network-based file exclusions.

In most cases these exclusions were created to address the issue described in KB939361. That issue can now be corrected by using the DisableScanningNetworkFiles policy setting described in KB971026. Therefore, once you implement the DisableScanningNetworkFiles setting, you should be able to remove any network-based file exclusions from your Client Security policy settings (screenshot above). This should eliminate the device conversion delay and allow logons to complete in a more timely manner.
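To find the exclusions that need to be removed, it helps to classify every path in the policy by whether resolving it can touch the network at service start. The script below is an added example, not part of the original post or of Client Security; it assumes you have copied the Advanced Policy exclusion list into a plain list of path strings, and it reports UNC entries (the ones that trigger the device-name conversion) separately from drive-letter entries, which may be mapped network drives and have to be checked on the client. The sample exclusion list is constructed for the demonstration.

```python
"""Audit a list of Client Security file-exclusion paths for network-based entries.

Added example (not Client Security's own code). Assumes the Advanced Policy
exclusions have been copied into a plain Python list of path strings.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass(frozen=True)
class Exclusion:
    path: str
    category: str   # "network", "local", "drive" or "unknown"
    host: str = ""  # server name for network entries, empty otherwise


# Long-path UNC form: \\?\UNC\server\share\...
_LONG_UNC = re.compile(r"^\\\\\?\\UNC\\(?P<host>[^\\]+)", re.IGNORECASE)
# Long-path local form (\\?\C:\...) and device namespace (\\.\PhysicalDrive0): no network access.
_LONG_LOCAL = re.compile(r"^\\\\[?.]\\")
# Classic UNC form: \\server\share\...
_CLASSIC_UNC = re.compile(r"^\\\\(?P<host>[^\\]+)")
# Drive-letter path: local unless the letter is a mapped network drive.
_DRIVE = re.compile(r"^[A-Za-z]:\\")


def classify(path: str) -> Exclusion:
    """Classify one exclusion path; UNC forms are the ones resolved over the network."""
    p = path.strip()
    m = _LONG_UNC.match(p)
    if m:
        return Exclusion(p, "network", m.group("host").lower())
    if _LONG_LOCAL.match(p):          # must be tested before the classic UNC pattern
        return Exclusion(p, "local")
    m = _CLASSIC_UNC.match(p)
    if m:
        return Exclusion(p, "network", m.group("host").lower())
    if _DRIVE.match(p):
        # Cannot tell offline whether Z: is a mapped share; flag it for a manual check.
        return Exclusion(p, "drive")
    return Exclusion(p, "unknown")


def audit(paths: List[str]) -> Dict[str, List[Exclusion]]:
    """Group all exclusions by category so the network ones can be removed."""
    groups: Dict[str, List[Exclusion]] = {"network": [], "local": [], "drive": [], "unknown": []}
    for entry in map(classify, paths):
        groups[entry.category].append(entry)
    return groups


def hosts_contacted(paths: List[str]) -> Set[str]:
    """Servers the client would try to reach while converting exclusions to device names."""
    return {e.host for e in map(classify, paths) if e.category == "network"}


# Constructed sample exclusion list (hypothetical server names and paths).
SAMPLE_EXCLUSIONS = [
    r"C:\Program Files\LOB App\*.mdb",
    r"\\fileserver01\apps\*.exe",
    r"\\FILESERVER01\profiles",
    r"\\?\UNC\fs02\data\cache",
    r"\\?\C:\Windows\Temp",
    r"\\.\PhysicalDrive0",
    r"Z:\shared\database.mdb",
]

if __name__ == "__main__":
    groups = audit(SAMPLE_EXCLUSIONS)
    print("Network-based exclusions to remove after enabling DisableScanningNetworkFiles:")
    for e in groups["network"]:
        print(f"  {e.path}  (host: {e.host})")
    print("Drive-letter exclusions to verify against mapped drives:")
    for e in groups["drive"]:
        print(f"  {e.path}")
    print("Servers contacted at service start:", ", ".join(sorted(hosts_contacted(SAMPLE_EXCLUSIONS))))
```

Every host listed in the last line is one the antimalware service will try to reach during Step 3 on each boot, so a server that is slow, decommissioned, or returning ACCESS_DENIED shows up here as a direct cause of the logon delay.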


We will update this blog when more information about this issue is available.

Thanks,
Craig Wiand
Forefront Escalation Engineer