Endpoint Protection

 View Only
  • 1.  SEP 12.1.2 full scan results inconsistent

    Posted Apr 03, 2013 06:40 PM

    We're testing SEP 12.1.2 on a 64-bit Windows 7 Pro client.    When we run a full scan, sometimes we get a large difference in the number of files scanned.   For example, sometimes SEP will report 170,000 files scanned, then if we immediately run another full scan, SEP will report 80,000 files scanned.  

    Has anyone come across this?  Could be something to do with new AV defs being loaded and SEP scanning.    We are aware that the scans have been improved over SEP 11 and that SEP 12.1 keeps track of what has already been scanned so it won't have to scan them again.   Could be something like SEP rescanning everything on the first manual full scan after new AV defs are installed.

    We appreciate any enlightenment anyone can provide.



  • 2.  RE: SEP 12.1.2 full scan results inconsistent

    Posted Apr 03, 2013 06:50 PM

    Enable VPDebugging and run the scans again. You can than compare them to see what is going on.

     

    How to enable "Vpdebug Logging" on Symantec Endpoint Protection 11.0, 12.1, and 12.1 RU1

    Article:TECH102939  |  Created: 2007-01-15  |  Updated: 2012-03-13  |  Article URL http://www.symantec.com/docs/TECH102939

     

    How to log all files and directories scanned during On-Demand / Scheduled Scan with Symantec Endpoint Protection 11.0

    Article:TECH103126  |  Created: 2007-01-18  |  Updated: 2010-01-26  |  Article URL http://www.symantec.com/docs/TECH103126

     

    The second KB article will show you what to look for.

     



  • 3.  RE: SEP 12.1.2 full scan results inconsistent
    Best Answer

    Posted Apr 04, 2013 02:33 AM

     After identifying trusted files, Insight allows the normal scan to skip them from being scanned everytime, which increases the scanning speed and hence the performance of the computer. . It scans only those flies which are not trusted or some trusted files which you modified. Hence less number of files are scanned. However, you can get all of them scanned by changing scan performance profile

     

    Allow all scans to skip trusted files

    Virus and spyware scans include an option called Insight that skips trusted files. By default Insight is enabled. You can change the level of trust for the types of files that scans skip:

    • Symantec and Community Trusted

      This level skips files that are trusted by Symantec and the Symantec Community.

    • Symantec Trusted

      This level skips only files that are trusted by Symantec.

    See Modifying global scan settings for Windows clients.

    if you uncheck this , you should get more or less same number of files

    http://www.symantec.com/business/support/index?page=content&id=HOWTO80964



  • 4.  RE: SEP 12.1.2 full scan results inconsistent

    Posted Apr 04, 2013 05:00 PM

    Thanks Rafeeq - On the client, we went into the UI and changed the Virus and Spyware settings =>Global Settings=> and unchecked Enable Insight for:

    The manual scans consistently reported around 174,000 files scanned.

    We went back in and check Enable Insight for: Symantec Trusted.   The manual scans reported 81,000 files consistently.

    However, that still doesn't explain why, with Enable Insight for: Symantec Trusted, the first full scan after AV updates reports 174,000 files scanned and then immediately running a full scan afterwards reports 81,000 files scanned.    It appears that the AV updates causes everything to be rescanned for the first scan after the update.

    This may be normal behaviour.  We don't know as this is our first testing with SEP 12.1

    I'm going to open an incident with Support and see what they say.

    For now, I'll mark your answer as the solution/potential workaround.

    FYI, for custom scans there is an option to uncheck Insight checking as well without changing the global settings on the client.



  • 5.  RE: SEP 12.1.2 full scan results inconsistent

    Posted Apr 04, 2013 08:38 PM

    Please post back here if you can as I'm curious to the final result.

    I've never seen over half the file count be considered trusted. I have desktops that scan 200,000 items only about 1,500 are considered trusted.



  • 6.  RE: SEP 12.1.2 full scan results inconsistent

    Posted Apr 08, 2013 05:59 PM

    The answer from Symatec Support is that this is normal behaviour for  the SEP 12.1 client.

    Support says that the first full scan after an AV defs update rescans everything, including the file cache.  Subsequent full scans performed before the next AV defs update does not rescan everything as some files are marked as already having been scanned.   Support says the product was designed this way for performance.   

    In our scans, we're seeing between 1,500 and 3,000 files trusted, but the apparently the number of trusted files are not the reason for the difference in the full scan counts.

    We tested full scans with Insight turned off and the results were consistent with the higher number of files (about 170,000).   The only reason for this that I can think of is that turning off Insight for scans always forces scanning of all files similar to that which happens after an AV pattern update in addition to trusted files..

    So, the bottom line is that after talking with support we've turned Insight back on for scans.   Evidently, what we are seeing is normal and is just the way the product works.  We've got SEP 12.1.2 running on both 32 and 64 bit clients and the full scans all act the same - high file count after an AV pattern update then subsequent full scans report a lesser number (~50% fewer) of files scanned until the next AV defs update.

    Have you tried running back to back full scans after an AV defs update?

      

     



  • 7.  RE: SEP 12.1.2 full scan results inconsistent

    Posted Apr 09, 2013 02:16 AM

    Thanks for sharing the info Wally..:)