Symantec Endpoint Protection (SEP) Scheduled Scans and Missed Event Handling

Article:TECH175447  |  Created: 2011-11-25  |  Updated: 2011-11-28  |  Article URL http://www.symantec.com/docs/TECH175447
Article Type
Technical Solution

Issue



A scheduled scan starts unexpectedly and does not appear to occur within the configured Retry Interval.


Solution



Missed Scheduled Scans use the following logic to determine whether a scan was missed:

  1. Look at the LastStart Value in the registry that contains the scheduled scan's settings. This LastStart value contains the date and time from when the last scan completed.
  2. Based on the schedule type, set the first possible date a missed scan should run:
    • For weekly scans the first possible date would be: LastStart + 7 Days
    • For daily scans the first possible date would be: LastStart + 1 Day
    • etc.
  3. Add the Retry Interval to the first possible date to calculate the Missed Event Window. For example, if the Retry Interval is configured to be 3 days for a weekly scan:
    • LastStart + 7 Days + 3 Days

In the following examples a Weekly scan is configured to run Tuesdays at 00:30 with no Randomized Scan times and a Missed Scheduled Scan Retry Interval of 3 days.

The calendar entries illustrate what the Missed Event Window will be when a scheduled scan does or does not run.

In this first example, the machine is switched off a week after the first scheduled scan ran on 22 November. It is switched back on within the Missed Event Window timeframe on 1 December.

It is also switched on when the next scheduled scan is supposed to take place on Tuesday 6 December. This causes the potential Missed Event Window calculated after the 1 December scan to be reset, so no further scans will occur that week.

 

In the example below, the machine was not switched on in time on Tuesday 6 December, so the Missed Event Window calculated from the last scan on 1 December still applies.

If the machine is left switched on from Tuesday 6 December onwards, the next scan will occur on Thursday 8 December.

If, on the other hand, the machine is switched off on Tuesday 6 December, the next scan will occur whenever it is switched back on within the Missed Event Window: Thursday 8 December - Sunday 11 December.

So if the machine is only switched back on on Saturday, or on Sunday before 15:54:21, the missed scheduled scan will run. Since Saturday and Sunday are 4 and 5 days later than Tuesday, this could be perceived as the Missed Event scan starting outside of the 3 day Retry Interval.
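The window arithmetic from the three steps above, applied to the second calendar example, shows that the window is anchored to LastStart rather than to the Tuesday slot. This is an added example, not Symantec code; the year 2011, the 15:54:21 LastStart time on 1 December (inferred from the Sunday cut-off above), the inclusive-start/exclusive-end boundaries and all function names are assumptions.

```python
from datetime import datetime, timedelta

# Schedule periods named in this article; other schedule types are not modelled.
PERIOD = {"weekly": timedelta(days=7), "daily": timedelta(days=1)}

def missed_event_window(last_start, schedule, retry_days):
    """Return (first_possible, window_end) for a missed scheduled scan."""
    first_possible = last_start + PERIOD[schedule]                       # step 2
    return first_possible, first_possible + timedelta(days=retry_days)   # step 3

def missed_scan_runs(power_on, last_start, schedule, retry_days):
    """True if a machine switched on at `power_on` is inside the window.
    Assumption: the start is inclusive and the end is exclusive."""
    start, end = missed_event_window(last_start, schedule, retry_days)
    return start <= power_on < end

# Constructed input: the missed-event scan of Thursday 1 December,
# assumed to have written LastStart = 15:54:21 in the year 2011.
LAST_START = datetime(2011, 12, 1, 15, 54, 21)

def report(power_on_times, schedule="weekly", retry_days=3):
    """Pair each power-on time with whether the missed scan would start."""
    return [(t, missed_scan_runs(t, LAST_START, schedule, retry_days))
            for t in power_on_times]

if __name__ == "__main__":
    start, end = missed_event_window(LAST_START, "weekly", 3)
    print("Missed Event Window:", start, "to", end)
    samples = [
        datetime(2011, 12, 6, 9, 0),    # Tuesday, after the 00:30 slot was missed
        datetime(2011, 12, 8, 16, 0),   # Thursday, window has opened
        datetime(2011, 12, 10, 9, 0),   # Saturday, 4 days after Tuesday
        datetime(2011, 12, 11, 9, 0),   # Sunday before 15:54:21
        datetime(2011, 12, 11, 16, 0),  # Sunday after 15:54:21
    ]
    for when, runs in report(samples):
        print(when.strftime("%a %d %b %H:%M"),
              "-> missed scan runs" if runs else "-> no missed scan")
```
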

 

Note:

There are some pitfalls when trying to test these missed events by manipulating the system time that could produce unexpected results:

  • Modifying an existing scheduled scan that has run to completion in the past: The last recorded scan time will be used when the missed event calculation occurs, potentially skewing the results.
  • LastStart value is empty: This can happen when a scan is scheduled, but the machine is shut down, or the system time has changed, before the first scheduled scan was allowed to run and complete. The missed event calculation deals with empty LastStart values in two ways:
    • Verify when the scheduled scan was created. If the "Created" value is in a certain timeframe in the past, assume that the scan was missed and run it as a missed event. This timeframe varies. For weekly scans, a Created time dating 4 weeks before the system time triggers the Missed Event Scan.
    • If the "Created" value is "recent", a Missed Event is not triggered. The scan will run at the next scheduled time.


