Endpoint Protection

 View Only

  • 1.  Warning clients of scans and snoozing

    Posted Nov 08, 2007 02:04 PM
    I run SAV 9
    Is there something I can do that will allow me to warn my clients ahead of time that there scheduled scan is going to start in x minutes and give them the option to snooze it for an hour?
     
    If yes, how do I do that?
     
    I figured out how to set it up so that once the scan starts it shows the progress of the scan and enables the pause button. Then if they click that it gives them the option to snooze for an hour. My problem with that is that the snooze 3 hours button is also visible (just greyed out). Is there a way to get rid of that button all together. I can just imagine people asking me to enable that 3 hour snooze option and I really don't want to do that.
     
    Thanks,


  • 2.  RE: Warning clients of scans and snoozing

    Posted Nov 08, 2007 03:57 PM
    I've debated this issue many times...and I'll share my opinion, disregard if you like.

    AntiVirus is a security application, and it's there to do it's job.  A 'perfect' AV implementation would be completely transparent to the end user...but we all know that's not possible. One of the most 'invasive' activities that AV can engage in is a full disk scan, which is necessary. Symantec answers with some pause options that are configureable, and some people will debate wether it's worthwhile to even engage the end user with the ability to pause the scan.  I am not one of those, but the question remains...how should you configure the pause options???

    Let's take a step back...what's the purpose of a full disk scan to begin with?  As the AV is running all the time and protecting anything 'bad' from getting on the disk, really the primary purpose of a full disk scan is to ensure that new defs don't detect something that old defs might not have.  So, that's relevant and important...but how relevant and how important?  Is it worth disrupting business?  To what degree?  Most people seem to agree that a 'once a week' scan is enough to mitigate the threat...and I tend to agree, but as data volume continues to grow on local clients..the scan takes longer and longer...one could argue that even once a week in pretty invasive.   One should assess their client technical and cultural environment to really figure out what's best.  I would suggest that more than once a week is too much and that less than once a month is too little.  (you can schedule bi-monthly scans by creating two monthly scans)

    Now to the point of pausing a scheduled scan.  The client machine is there for a business purpose, which is not to run AV scans.  But, those scans are important to ensure that the client can continue functioning without a virus/spyware issue.  So where's the middle ground?  I would suggest that if you're targeting a weekly scan, your goal is really to get a client scan in every 7 to 8 days...not to get all your client scans done by a specific time (say... noon on Monday).  With that in mind, what's the harm in letting the client pause up to the max (3 hours X 5 pauses)  That will give the business user the ability to get through their day without being 'hindered' by a scheduled scan.  You don't want an end users functionally ability to be unnecessarily hindered, particularly if they’re in a critical situation such a presentation or demonstration of some sort.  Worst case scenario, they pause 3x for 5 hours, then they are really then at the mercy of the scan as they will no longer have the ability to pause it.

    So, if your goal is indeed to complete the scan by a specified time, schedule the scan for a day earlier and let them pause away!


    ***EDIT...After all that I didn't even answer your original question!!!  Sorry.  I'm not aware of the ability to notify the end user of an upcoming scan....



    Message Edited by AMoss on 11-08-2007 12:58 PM

    Message Edited by AMoss on 11-08-2007 01:09 PM


  • 3.  RE: Warning clients of scans and snoozing

    Posted Nov 09, 2007 03:31 PM

    Hi kickballmvp2006 and AMoss

     

    We have included this option in Symantec Endpoint Protection 11.0. After you upgraded to the current version go to Policies – Antivirus and Antispyware and define the Pause options in the Advanced Tab of the Administrator defined scans.

    You can also tune the scan for optimal application performance. The scan will then take quite some time but the impact on the PC is minimal.

    I know we had this option in earlier version as well and some customers reported that it made no real difference anymore :( A few years ago the bottleneck for scanning was the CPU so we throttled the CPU usage. As CPUs got more powerful the bottleneck is now the disk. So we had to changed the implementation of this function to limit the disc access instead of limiting CPU usage. Now it makes a real difference again :)

    Carsten



  • 4.  RE: Warning clients of scans and snoozing

    Posted Nov 12, 2007 12:03 PM
    Carsten, I would disagree. While it is true that "throttling" settings made no difference in older versions, the same is true for this product as well. Regardless of what setting we choose, if a person is not working on their machine, and the scan starts, they are almost limited to no productivity as has always been the case. However, if a person is already actively working on something, they get enough time to save their work before SEP client takes over most CPU cycles. This is the only difference from legacy SAV.