Using Windows Performance Monitor

 

Applies to: Forefront Protection 2010 for SharePoint

All Microsoft Forefront Protection 2010 for SharePoint (FPSP) statistics can be displayed by using the Performance Monitor provided by Windows and usually found in Control Panel, in Administrative Tools. In the Add Counters dialog box, you can add counters for the following FPSP objects:

  • Forefront Engines—Provides statistics about the antimalware engines used by the scanning processes.

  • Forefront Eventing—Provides statistics about the internal queue used for processing incidents, quarantined items, and notifications.

  • Forefront SharePoint On-Demand Scanner—Provides statistics about the on-demand scan.

  • Forefront SharePoint Realtime Scanner—Provides statistics about the realtime scan.

  • Forefront SharePoint Scheduled Scanner—Provides statistics about the scheduled scan.

After you select one of these performance objects, you can view the available counters listed, as well as the instances of the selected object. You can also view explanations about each counter.

About malware and filter scanning performance objects

The malware and filter scanning performance objects include a separate instance for each process being used by that scan job, enabling you to inspect performance counters on a process-by-process basis. This lets you drill down within a particular scan job into the individual processes for that scan job. For example, if you notice that a specific process is consuming resources in Task Manager, you can use the performance counters for that process to profile its behavior. This list of processes is dynamic, so if a process has to restart (for example, due to a scanning timeout), that instance disappears and is replaced by a new process instance.

There are also instances prefaced by underscores that enable you to view counters across processes. The _Total instance displays values across all active process instances. However, when a process exits, its data is no longer reflected in the _Total instance. The _RunningTotal and _CumulativeTotal instances reflect counters for the scan job since FPSP was installed; however, the _RunningTotal counters can be reset. Using these counters, you have access to performance counters even after a process exits.

There are a number of performance counters available in each performance object. The first distinction to note is that the counters are broken down into counters for files and for file parts. Because FPSP navigates through all these parts of a file, and sometimes takes action only on a part (or on multiple parts) of a single container file, these counters are broken out separately. Be aware that many files, for example OpenXML files, are actually container files comprised of multiple file parts.

The second distinction in the available performance counters is between historical and live counters. The majority of counters are historical in that they always increase to reflect how many files or file parts met the criteria. Regardless of when you add these counters into a Performance Monitor session, they always reflect what that process has done since it started. Live counters are for rates – the current file rate (number of files or file parts scanned per second) and the average time necessary to scan a file or file part. These counters are live because they reflect only current values, and are continually reset. (You can change the polling interval for checking counters through Performance Monitor settings.) In order to gain a historical sense of the trends in these rates, you must define data collector sets in Performance Monitor that continually monitor these counters.

Note

For information about how to use this application, see the documentation for Windows Performance Monitor.

See Also

Concepts

Configuring logging options