We're testing SEP 12.1.2 on a 64-bit Windows 7 Pro client. When we run a full scan, sometimes we get a large difference in the number of files scanned. For example, sometimes SEP will report 170,000 files scanned, then if we immediately run another full scan, SEP will report 80,000 files scanned.
Has anyone come across this? Could be something to do with new AV defs being loaded and SEP scanning. We are aware that the scans have been improved over SEP 11 and that SEP 12.1 keeps track of what has already been scanned so it won't have to scan them again. Could be something like SEP rescanning everything on the first manual full scan after new AV defs are installed.
We appreciate any enlightenment anyone can provide.
Enable VPDebugging and run the scans again. You can than compare them to see what is going on.
How to enable "Vpdebug Logging" on Symantec Endpoint Protection 11.0, 12.1, and 12.1 RU1
How to log all files and directories scanned during On-Demand / Scheduled Scan with Symantec Endpoint Protection 11.0
The second KB article will show you what to look for.
After identifying trusted files, Insight allows the normal scan to skip them from being scanned everytime, which increases the scanning speed and hence the performance of the computer. . It scans only those flies which are not trusted or some trusted files which you modified. Hence less number of files are scanned. However, you can get all of them scanned by changing scan performance profile
Allow all scans to skip trusted files
Virus and spyware scans include an option called Insight that skips trusted files. By default Insight is enabled. You can change the level of trust for the types of files that scans skip:
Symantec and Community Trusted
This level skips files that are trusted by Symantec and the Symantec Community.
This level skips only files that are trusted by Symantec.
See Modifying global scan settings for Windows clients.
if you uncheck this , you should get more or less same number of files
Thanks Rafeeq - On the client, we went into the UI and changed the Virus and Spyware settings =>Global Settings=> and unchecked Enable Insight for:
The manual scans consistently reported around 174,000 files scanned.
We went back in and check Enable Insight for: Symantec Trusted. The manual scans reported 81,000 files consistently.
However, that still doesn't explain why, with Enable Insight for: Symantec Trusted, the first full scan after AV updates reports 174,000 files scanned and then immediately running a full scan afterwards reports 81,000 files scanned. It appears that the AV updates causes everything to be rescanned for the first scan after the update.
This may be normal behaviour. We don't know as this is our first testing with SEP 12.1
I'm going to open an incident with Support and see what they say.
For now, I'll mark your answer as the solution/potential workaround.
FYI, for custom scans there is an option to uncheck Insight checking as well without changing the global settings on the client.
Please post back here if you can as I'm curious to the final result.
I've never seen over half the file count be considered trusted. I have desktops that scan 200,000 items only about 1,500 are considered trusted.
The answer from Symatec Support is that this is normal behaviour for the SEP 12.1 client.
Support says that the first full scan after an AV defs update rescans everything, including the file cache. Subsequent full scans performed before the next AV defs update does not rescan everything as some files are marked as already having been scanned. Support says the product was designed this way for performance.
In our scans, we're seeing between 1,500 and 3,000 files trusted, but the apparently the number of trusted files are not the reason for the difference in the full scan counts.
We tested full scans with Insight turned off and the results were consistent with the higher number of files (about 170,000). The only reason for this that I can think of is that turning off Insight for scans always forces scanning of all files similar to that which happens after an AV pattern update in addition to trusted files..
So, the bottom line is that after talking with support we've turned Insight back on for scans. Evidently, what we are seeing is normal and is just the way the product works. We've got SEP 12.1.2 running on both 32 and 64 bit clients and the full scans all act the same - high file count after an AV pattern update then subsequent full scans report a lesser number (~50% fewer) of files scanned until the next AV defs update.
Have you tried running back to back full scans after an AV defs update?
Thanks for sharing the info Wally..:)