Anti-virus is an essential security tool for companies of all sizes.  We strongly advocate using the corporate chosen anti-virus solution on all computers hosting PTC products.


Anti-virus tools need to be configured to keep the computers safe while allowing applications to run with minimal impact.  Without investing this configuration effort, anti-virus tools can be more harmful to PTC product installations than the viruses they are designed to prevent.  Publicized anti-virus features like on-access scanning can really impact computer performance.  The more aggressive solutions may mark valid applications as viruses, blocking their execution or removing them entirely.  A few even monitor and sometimes block ports.


There are many anti-virus tools on the market and there is no standard tool across corporations.  IT departments spend a lot of effort choosing a cost-effective solution that meets corporate security requirements and we are not challenging the corporate tool of choice.  However, we need to focus on one tool to configure in this article.  Current releases of Windows Server and Workstation ship with Windows Defender and that is the tool we will describe in this article.  Please consult your IT department for making equivalent changes in your corporate anti-virus solution.


Windchill Installation

We have first-hand experience with Symantec Endpoint Protection anti-virus silently removing executables from Windchill servers during installation.  Other anti-virus solutions have prevented installation of Windchill by persistently blocking necessary Windchill ports -- even when the anti-virus was temporarily disabled.  Because of these experiences, we recommend not installing the corporate anti-virus solution until after the Windchill software has been installed.  Please install the anti-virus solution as soon as Windchill is installed, even before performing post-installation configuration and especially before installing third-party support tools.  We absolutely need anti-virus in place, just not during Windchill installation.


Anti-virus configuration for Windchill Servers

Now that Windchill and the corporate anti-virus solution are installed, our next concern is Windchill performance.


Scheduled Full System Scans

Scheduled full system scans are resource intensive and only as fast as the hard drives in the server.  We have experienced server lockups inside lean configured Windchill Development images that were caused by full system anti-virus scans.  In this instance, the only way we could recover was to hard reboot the images.  The root causes included:

  • The servers didn’t have enough resources to run Windchill and the anti-virus scan simultaneously.  The obvious solutions for this are A) assign more resources to the server or B) shut down Windchill before starting the full server anti-virus scan and restart it after the scan completes.
  • The default scheduled scan ran during regular server usage hours.  It wouldn’t have been an issue if the scheduled task had been configured for after hours when the machines sit idle.
  • The Microsoft default configuration for the scheduled scan was to not be interrupted once it started.  The full scan needs to complete, but if it can’t be interrupted the machine remains locked up for the duration of the scan.

The solution for these development systems was to update the scheduled full system scan to run during off hours.  We scheduled it for 3:00 AM, stopped it if it ran over an hour, and enabled task interruption if a user wanted to work at 3:00 in the morning.

  1. Open Windows Task Scheduler and navigate to Windows Defender: Windows Task Scheduler (Local) > Task Scheduler Library > Microsoft > Windows > Windows Defender
    1. Select “Windows Defender Scheduled Scan” > Right Click > Properties
    2. Update the Trigger to 3:00 AM daily
    3. Switch to the Conditions tab and configure as desired.
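
The same Task Scheduler changes can be scripted so they are identical on every server. This is an added example, not part of the original procedure; it assumes an elevated PowerShell session, and the 10-minute idle threshold is an assumed value.

```powershell
# Added example: apply the scheduled-scan settings described above.
# Task location as given in the article's Task Scheduler path.
$taskPath = '\Microsoft\Windows\Windows Defender\'
$taskName = 'Windows Defender Scheduled Scan'

# Trigger: every day at 3:00 AM, the off-hours window chosen above.
$trigger = New-ScheduledTaskTrigger -Daily -At '3:00 AM'

# Stop the scan if it runs longer than one hour, start it only when the
# machine is idle, and let it stop when a user returns (stop-on-idle-end is
# the default unless -DontStopOnIdleEnd is given).
# Assumption: 10 minutes of idle time before the scan may start.
$settings = New-ScheduledTaskSettingsSet `
    -ExecutionTimeLimit (New-TimeSpan -Hours 1) `
    -RunOnlyIfIdle `
    -IdleDuration (New-TimeSpan -Minutes 10) `
    -IdleWaitTimeout (New-TimeSpan -Hours 1)

# Replaces the task's existing triggers and settings with the ones above.
Set-ScheduledTask -TaskPath $taskPath -TaskName $taskName `
    -Trigger $trigger -Settings $settings | Out-Null

# Read the task back and show what is now configured.
$task = Get-ScheduledTask -TaskPath $taskPath -TaskName $taskName
$task.Triggers | Select-Object StartBoundary, Enabled
$task.Settings | Select-Object ExecutionTimeLimit, RunOnlyIfIdle,
    @{ Name = 'StopOnIdleEnd'; Expression = { $_.IdleSettings.StopOnIdleEnd } }
```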

On-Access Scan

As mentioned previously, on-access scanning can really impact Windchill’s responsiveness.  On-access scanning is a significant load to the processor which competes with Windchill and the operating system for CPU cycles.  Excluding software load points from anti-virus scanning helps regain Windchill performance.


These locations may be on the same server or across multiple servers.  In this example, most PTC software is installed under <drive>:\PTC\*.  Locations may vary in customer environments.  There may be additional load points depending on what is installed: Arbortext, additional CAD systems, Windchill Workgroup Manager, ThingWorx Navigate, PTC System Monitor, etc.  Ask your Windchill System Administrator for a complete list of locations in your environment.


We may not know what paths or ports are utilized by an individual process.  Excluding application-specific executable processes from anti-virus scanning also helps regain Windchill performance.

  1. Open Windows Defender Settings
    1. Scroll down to Exclusions and select "Add an exclusion" hyperlink.
    2. Exclude the following folders and processes.  Close the settings window when finished.



| Application | Example Folder Locations | Processes |
|---|---|---|
| Windchill | Windchill load point: D:\PTC\Windchill_11.1; File vaults load point: E:\PTC\vaults | httpd.exe; java.exe (or if using named processes) java_*.exe; opendj_service.exe; prunsrv-64.exe; rotatelogs.exe; windchill.exe |
| SQL Server (database) | Software load point: %ProgramFiles%\Microsoft SQL Server; Software load point: %ProgramFiles(x86)%\Microsoft SQL Server; Datafiles: D:\MSSQL; Log files: E:\MSSQL; TempDB: E:\MSSQL | fdhost.exe; fdlauncher.exe; SQLAGENT.EXE; sqlbrowser.exe; sqlceip.exe; sqlservr.exe; sqlwriter.exe |
| Oracle (Database) | Software load point: D:\apps\ ; Datafiles: D:\Oracle; Log files: E:\Oracle | java.exe; oracle.exe |
| SOLR Server | SOLR Server load point: C:\PTC\SOLR_11.1M020 | SolrServer.exe |
| WVS CAD Workers | CAD Worker load point: C:\PTC\WVS\CreoWorker1; CAD Worker load point: C:\PTC\WVS\CreoWorker2; Shared folder: C:\PTC\WVS\PubTemp | WorkerDaemon.exe; workermonitor.exe; workerhelper.exe |
| Creo Parametric | Creo load point: %ProgramFiles%\PTC; Default local cache: %appdata%\PTC | creoagent.exe; genlwsc.exe; nmsd.exe; mcp_applet_async.exe; parametric.exe; pro_comm_msg.exe; xtop.exe; zbcefr.exe |
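
The exclusions can also be applied and then audited from an elevated PowerShell session. This is an added example, not PTC's code; it uses the Windchill row's example values, which are placeholders for the load points in your environment, and `Get-UnapprovedExclusion` is a helper defined here for illustration.

```powershell
# Added example. Values are the article's Windchill row; substitute the load
# points and processes your Windchill System Administrator gives you.
$approvedPaths = @(
    'D:\PTC\Windchill_11.1',    # Windchill load point
    'E:\PTC\vaults'             # File vaults load point
)
$approvedProcesses = @(
    'httpd.exe', 'java.exe', 'opendj_service.exe',
    'prunsrv-64.exe', 'rotatelogs.exe', 'windchill.exe'
)

# Exclude only folders that exist, so a mistyped or retired path does not
# leave behind an exclusion for a location nobody is watching.
foreach ($path in $approvedPaths) {
    if (Test-Path -LiteralPath $path -PathType Container) {
        Add-MpPreference -ExclusionPath $path
    } else {
        Write-Warning "Not excluded, folder not found: $path"
    }
}

# A bare image name applies to any executable with that name, in any folder.
# Give the full path instead where the install location is known.
Add-MpPreference -ExclusionProcess $approvedProcesses

# Hypothetical helper: return configured exclusions missing from the approved
# list (comparison is case-insensitive and ignores a trailing backslash).
function Get-UnapprovedExclusion {
    param([string[]]$Configured, [string[]]$Approved)
    $normalized = $Approved | ForEach-Object { $_.TrimEnd('\') }
    $Configured | Where-Object { $_ -and ($normalized -notcontains $_.TrimEnd('\')) }
}

# Report drift: anything excluded on this machine that nobody approved.
$pref = Get-MpPreference
[pscustomobject]@{
    UnapprovedPaths     = @(Get-UnapprovedExclusion $pref.ExclusionPath $approvedPaths)
    UnapprovedProcesses = @(Get-UnapprovedExclusion $pref.ExclusionProcess $approvedProcesses)
} | Format-List
```

Rerunning the report after PTC products are added or removed shows exclusions that should be retired with `Remove-MpPreference`.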


Anti-virus configurations for clients

Anti-virus configuration on client computers is also important.


Scheduled Full System Scans

Follow the same philosophy with respect to full system scans.  They are important but should run after hours or when the user isn’t at the computer.  Computers must be running to scan.  If users shut off their computers at the end of the day, schedule the scan to run when idle for a period of time.


On-Access Scanning

We want to exclude PTC products like Creo View, Creo Parametric, and the Windchill Workgroup Manager from on-access scanning.  When using a third-party CAD application, we also want to exclude the third-party CAD system from anti-virus scanning.


| Application | Folder Locations | Processes |
|---|---|---|
| Creo Parametric | Creo load point: %ProgramFiles%\PTC; Default local cache: %appdata%\PTC | creoagent.exe; genlwsc.exe; nmsd.exe; mcp_applet_async.exe; parametric.exe; pro_comm_msg.exe; xtop.exe; zbcefr.exe |
| Windchill Workgroup Manager | %AppData%\PTC; %commonprogramfiles%\PTC; C:\PTC; %PTC_*% locations | creoagent.exe; genlwsc.exe; inventor2pv.exe; PTCWFSService.exe; pvsthumb.exe; sw2pv.exe; uwgm_client.exe; zbcefr.exe |
| Autodesk Inventor | C:\Autodesk2017\ | Inventor.exe; mitsijm.exe; node.exe |
| SolidWorks | C:\SOLIDWORKS Corp; C:\SOLIDWORKS Data | SLDWORKS.exe; sldProcMon.exe |


Browser Scanning

Some anti-virus solutions also scan content loaded into the browser.  McAfee ScriptScan is known for impacting browser performance for web sites using JavaScript (e.g. Windchill).  In these situations, follow the anti-virus vendor’s documentation for whitelisting Windchill URLs.


Trend Micro has a history of causing Creo download and Windchill page refresh failures to the extent that PTC has recommended removing Trend Micro when running Pro/ENGINEER.  There are no recent articles suggesting removal of Trend Micro with Creo Parametric.  This is merely a historical example.


Validation

Anti-virus configuration isn’t the only culprit for poor Windchill performance.  If performance still suffers, test performance with anti-virus temporarily disabled.  This quick test can definitively confirm or rule out the anti-virus as a performance killer.


Summary

These configuration recommendations should minimize anti-virus’ performance impact while maintaining system security.  Review and update the anti-virus configuration as PTC products are added or removed from computers.