I think we have it figured out. At approximately the same time we've been seeing the IOP storms, the team that manages our Symantec Endpoint Servers is updating the virus definition files. It seems the policy is to grab the update as soon as it's available, which is normally in the 200-300 meg range. I'm not sure what Symantec does with the file once it has it, but whatever it is causes huge I/O. It's not scanning because the scan logs don't reflect that a scan was performed. Anyone know what Symantec Endpoint client is doing with the file once it has it besides a simple copy?
We'll know for sure this coming Thursday. They are going to call me and let me know as soon as the file has been updated on the server. If my theory is correct, the IOP storm should begin shortly after.