Endpoint Protection


SEP 11.0 Defwatch Scan

  • 1.  SEP 11.0 Defwatch Scan

    Posted May 01, 2012 11:52 PM

    I've noticed that nearly every day SEP slows my computer, and it seems to be caused by it automatically running a Defwatch Scan...which seems to be occurring after receiving new definitions. I searched the forum and found a previous post regarding this issue (https://www-secure.symantec.com/connect/forums/sep-121-defwatch-scan).

    Since I'm running a version above 10.1.x, it sounds like I should be able to prevent this from happening without having to go into the registry. However, the menus, etc., described in the instructions don't seem to be the same as those I see in SEP. By looking around, I was able to find what I think to be the setting described. Here's what I've done: Antivirus and Antispyware Protection > Options > Change Settings. Under the File System Auto-Protect tab, click Advanced, under File cache there's a checkbox for "Rescan the cache when new definitions load".

    I unchecked this box yesterday, and yet the Defwatch Scan initiated today after receiving new definitions again. Is this the wrong setting? Do I need to go the route of messing with the registry (I've been avoiding that since I'm not too tech savvy and don't want to screw anything up)?

    (Edit: Added clarification.)



  • 2.  RE: SEP 11.0 Defwatch Scan

    Broadcom Employee
    Posted May 02, 2012 12:08 AM

    What version of SEP is installed?

    You cannot manage the SEP client using the SSC console.



  • 3.  RE: SEP 11.0 Defwatch Scan

    Posted May 02, 2012 04:48 AM

    Hi Fishman396,

    A few questions... first off, what version of SEP are you using? If it is anything earlier than the recently-released SEP 11 RU7 MP2 or the SEP 12.1 RU1 MP1, then I encourage you to upgrade. That way you will have the advantages of all the latest product enhancements and improvements.

    Second: is this a self-managed SEP client, or does it receive policies from a management server (SEPM)? If it is managed, then the admin can disable the defwatch scans more effectively than an end user:

    The quarantine scan on virus definition update can be disabled in the Symantec Endpoint Protection Manager (SEPM): edit Antivirus and Antispyware policy > Windows Settings > Quarantine > General, under "When New Virus Definitions Arrive" choose "Do nothing".

    Third: what is the spec of your computer? Most modern machines can process the scans, etc. of SEP without any noticeable performance hit.

    Hope this helps!



  • 4.  RE: SEP 11.0 Defwatch Scan

    Posted May 02, 2012 07:11 AM

    I'm using version 11.0.4202.75.

    The reference to the SSC was an accident; I edited my post to change this.



  • 5.  RE: SEP 11.0 Defwatch Scan

    Broadcom Employee
    Posted May 02, 2012 07:17 AM

    Agree with Mick2009!

    The version you are using is too old; upgrade it to the latest one.

    Can you please check if the policy set at SEPM is applied on the client by comparing the policy serial number?



  • 6.  RE: SEP 11.0 Defwatch Scan

    Posted May 02, 2012 07:27 AM

    I'm using version 11.0.4202.75 at the moment. I should probably upgrade like you mention and likely will, however I'm not sure how soon I'll get around to doing that.

    It's self-managed.

    My computer's got a 2 GHz processor with 2 GB of RAM. It's not very new--about 6 years old--and while I'm thinking about getting a new one sometime in the next few months, it still works pretty well for almost everything I do. I think with most things I do scans don't cause much of a problem, but I've been noticing it when using the internet...my browser ends up freezing quite a bit for some reason.

    Any thoughts on what I can do for now?



  • 7.  RE: SEP 11.0 Defwatch Scan

    Broadcom Employee
    Posted May 02, 2012 07:49 AM

    Ahh. A self-managed client will not get the updates from SEPM. You have to do it manually by copying the working policy onto this client.



  • 8.  RE: SEP 11.0 Defwatch Scan

    Posted May 02, 2012 07:55 AM

    Just an extra note: there have been a number of improvements to DefWatch behavior over the life of SEP 11.

    Release notes for Endpoint Protection and Network Access Control 11
    Article: TECH103087 | Created: 2007-01-12 | Updated: 2012-04-26
    Article URL: http://www.symantec.com/docs/TECH103087

    The most important one:

    Files re-detected during Defwatch scan
    Fix ID: 2067778
    Symptom: DWHxxxx.tmp files are being re-detected when Defwatch scan is running.
    Solution: Fixed some scan issues, making the scan faster. Also created a separate folder to rescan Quarantine items that can be used to create exceptions.



  • 9.  RE: SEP 11.0 Defwatch Scan

    Posted May 02, 2012 08:18 AM

    Is there an explanation for how to do this somewhere?



  • 10.  RE: SEP 11.0 Defwatch Scan

    Broadcom Employee
    Posted May 02, 2012 01:40 PM

    Why not make it a managed client?



  • 11.  RE: SEP 11.0 Defwatch Scan

    Posted May 02, 2012 02:59 PM

    Hmm, never thought about it...how can I make it a managed client?



  • 12.  RE: SEP 11.0 Defwatch Scan

    Trusted Advisor
    Posted May 02, 2012 03:07 PM

    Hello,

    Check this Article on How to change a Symantec Endpoint Protection client from unmanaged to managed in MR3 and later

    http://www.symantec.com/docs/TECH90761

    NOTE: You would require the Symantec Endpoint Protection Manager (SEPM) installed on your server machine to have the client get managed by SEPM.

    Hope that helps!!



  • 13.  RE: SEP 11.0 Defwatch Scan

    Posted May 03, 2012 01:47 PM

    For an unmanaged client you can disable the defwatch scan through the registry by following the steps in the doc below.

    http://www.symantec.com/docs/TECH105373

    Also I have cut out the steps directly here as well. You would want to change the value to 3 in this case.

    To disable the DefWatch Wizard scan

    If you want to leave this pop-up enabled, but prevent its display after definitions have been updated when no one is logged on, disable the DefWatch Wizard's scan of items in quarantine. This can be done by editing policy in the Endpoint Protection Manager: Antivirus and Antispyware policy->Quarantine settings, and set "When New Virus Definitions Arrive" to "Do nothing." On SEP Small Business Edition, or on unmanaged clients, this setting is not available in the GUI and you must set the following registry value: HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Quarantine\DefWatchMode=3 (REG_DWORD).

    DefWatchMode
    Value  Action
    0      Automatically repair and restore files in Quarantine silently
    1      Repair the files in Quarantine silently without restoring
    2      Prompt user
    3      Do nothing
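
    An added example, not part of the original post or of Symantec's article: a PowerShell script, run from an elevated prompt, that reports the current DefWatchMode on an unmanaged client and, with -Apply, sets it to 3. The key path and value table are those quoted above; the WOW6432Node path is an assumption about where the key may appear on 64-bit Windows, and the parameter names are hypothetical.

```powershell
# Added example: audit and optionally set DefWatchMode on an unmanaged SEP client.
# Key path and value meanings are taken from the post above.
param(
    [ValidateSet(0, 1, 2, 3)][int]$Desired = 3,
    [switch]$Apply   # without -Apply the script only reports
)

$actions = @{
    0 = 'Automatically repair and restore files in Quarantine silently'
    1 = 'Repair the files in Quarantine silently without restoring'
    2 = 'Prompt user'
    3 = 'Do nothing'
}

# Path as given on the page, plus the WOW6432Node view (assumption: on 64-bit
# Windows the keys of a 32-bit component are redirected there).
$sub = 'Symantec\Symantec Endpoint Protection\AV\Quarantine'
$candidates = "HKLM:\SOFTWARE\$sub", "HKLM:\SOFTWARE\WOW6432Node\$sub"

$found = $false
foreach ($key in $candidates) {
    if (-not (Test-Path -Path $key)) { continue }
    $found = $true

    # Read the current value; $null means the value has never been created.
    $current = (Get-ItemProperty -Path $key -Name DefWatchMode -ErrorAction SilentlyContinue).DefWatchMode
    if ($null -eq $current) {
        Write-Output "$key : DefWatchMode not set"
    } else {
        $meaning = if ($actions.ContainsKey([int]$current)) { $actions[[int]$current] } else { 'not in the table above' }
        Write-Output "$key : DefWatchMode = $current ($meaning)"
    }

    if ($Apply -and $current -ne $Desired) {
        # Create or overwrite as REG_DWORD, the type the article specifies.
        New-ItemProperty -Path $key -Name DefWatchMode -Value $Desired -PropertyType DWord -Force | Out-Null
        Write-Output "$key : DefWatchMode set to $Desired ($($actions[$Desired]))"
    }
}
if (-not $found) { Write-Warning 'Quarantine key not found; is the SEP client installed?' }
```

    Running it without -Apply first shows which key exists and what the value currently is, so the change can be reverted to the reported value later.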