Symantec Endpoint Protection scan causes incremental backup jobs to perform a full backup

Article:TECH102698  |  Created: 2007-01-18  |  Updated: 2012-05-18  |  Article URL
Article Type
Technical Solution


You configure backup software to run an incremental backup job that is based on update sequence number change journal (or USN change journal) entries. After Symantec Endpoint Protection (SEP) runs a manual scan or a scheduled scan, the backup software performs a complete backup job instead of an incremental backup job.

Similarly, DFS (Distributed File System) replicated shares are based on USN change journal, and running Manual or Scheduled Scans against the shared folders will trigger unnecessary replication traffic.


The process of a manual or scheduled scan triggers USN changes.



To solve this issue a feature was added to keep SEP from modifying the file USN.  This feature is called "NoFileMod" and is accessed through the SEP-Client's registry.

When NoFileMod is active it will preserve the USN change journal information when SEP performs a manual or scheduled scan.

  • For 32-bit versions of SEP client, create the following DWORD value and set the value data to 1: 

          HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\NoFileMod 

  • For 64-bit versions of SEP client, create the following DWORD value and set the value data to 1:

          HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\NoFileMod

  • On versions prior to SEP RU6-MP2 a side effect occurred when NoFileMod was used that would cause the LastAccesstime to change.
  • This behavior and NoFileMod applies only to manual and scheduled scans. AutoProtect never affects these file attributes in Windows XP (and newer); the mini-filter version of AutoProtect does not open files to scan them so it cannot affect the file times. There is an AutoProtect option named "Preserve File Times" that seems similar; however, this option applies only to AutoProtect in Windows 2000 or older.
  • Version 12.1 may require that Tamper Protection be disabled in order to add the DWord value in the registry.

Legacy ID


Article URL

Terms of use for this information are found in Legal Notices