Not everyone is aware that there is an easy way to run quick or scheduled SEP client scans from the command prompt, batch scripts or the Windows Task Scheduler with the SEP tool DoScan. DoScan is not a separate scanner: it uses the same scan engine built into SEP, and for it to run, Autoprotect on the SEP client needs to be enabled.
DoScan.exe is located directly in the SEP installation folder:
- C:\Program Files\Symantec\Symantec Endpoint Protection\Doscan.exe – 32bit OS
- C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\Doscan.exe – 64bit OS
Important note: Using a direct call to the doscan.exe binary with a SYSTEM account may not work in SEP 12.1. For script usage it is recommended to call the doscan.exe from the following location:
C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\[SEPVersion]\Bin\doscan.exe (example: C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\12.1.2015.2015.105\Bin\doscan.exe) – for additional information please check http://www.symantec.com/docs/TECH199513
Here are some examples giving a historical overview of the options offered in DoScan.exe:
SEP 11 RU5 or earlier:
SEP 11 RU6 MP1 to RU7 MP3:
SEP 12.1 RTM – 12.1 RU2:
For the purpose of this article we will focus on the latest version of DoScan.exe, as it provides the most features.
DoScan.exe [<Scan file/folder name>] [/F[ileList] "<List file name>"] [/Cloudscan or /O] [/ScanFile "<file name>"] [/ScanDir "<folder name>"] [/ScanName "<Configured Scan Name>"] [/L[ist]] [/C[mdLineScan] [/ScanAllDrives]] [/A[sync]|/Sync] [/Help]
Let's look at those in detail:
/L[ist] - Lists all the local and administrator scans configured for this computer.
/ScanName "<Configured Scan Name>" - Runs the specified local or administrator scan.
- No additional scan options can be set – these will be taken over from the scheduled scan settings as configured in the policy
- The name of the scan needs to be specified
/C[mdLineScan] -- Performs a quick scan.
/ScanAllDrives -- Scans all disk drives.
/ScanDrive "<drives>" - Scans the specified drives with default scan options.
For example: /ScanDrive "A-C,E,V-S,Z" scans drives A, B, C, E, S, T, U, V, Z.
/ScanFile "<file name>" - Scans the specified file with default scan options. Multiple files can be specified with multiple /ScanFile switches.
For example: /ScanFile "%WinDir%\notepad.exe" /ScanFile "C:\Test"
/ScanDir "<folder name>" - Scans the specified folder with default scan options. Multiple folders can be specified with multiple /ScanDir switches.
For example: /ScanDir "%WinDir%\System32" /ScanDir "%Temp%" /ScanDir "C:\Test"
"<Scan file/folder name>" -- Specifies a single file/folder to scan.
[/O] or [/Cloudscan] - Specifies that the item should also be sent to the Cloud for scanning. The switch will only apply to a single file item.
/F[ileList] "<List file name>" -- Specifies a text file that lists full paths of files/folders to scan.
/O or /Cloudscan - Specifies that the item should also be sent to the Cloud for scanning. The switch will only apply if filelist contains a single file item.
/A[sync] -- Start scan asynchronously.
/Sync -- Start scan synchronously. (default)
/H[elp] -- Displays this help dialog.
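The following PowerShell wrapper combines the versioned Bin path recommended for scripts with the /ScanDir, /ScanFile, /C and /Sync switches listed above. It is an added example, not Symantec's code: the function names Find-DoScan and Invoke-DoScan are hypothetical, and it assumes version folders are named with dotted numbers as in the 12.1.2015.2015.105 example.

```powershell
# Added example, not Symantec's code. Find-DoScan / Invoke-DoScan are hypothetical names.
function Find-DoScan {
    # Candidate SEP install roots (the x86 folder first, as on a 64-bit OS).
    $roots = @(${env:ProgramFiles(x86)}, $env:ProgramFiles) | Where-Object { $_ } |
        ForEach-Object { Join-Path $_ 'Symantec\Symantec Endpoint Protection' }
    foreach ($root in $roots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        # Version folders look like 12.1.2015.2015.105 (five parts, so [version]
        # cannot parse them); sort on zero-padded components, newest first.
        $exe = Get-ChildItem -LiteralPath $root -Directory |
            Where-Object { $_.Name -match '^\d+(\.\d+)+$' } |
            Sort-Object -Descending -Property {
                ($_.Name -split '\.' | ForEach-Object { $_.PadLeft(8, '0') }) -join '.' } |
            ForEach-Object { Join-Path $_.FullName 'Bin\doscan.exe' } |
            Where-Object { Test-Path -LiteralPath $_ -PathType Leaf } |
            Select-Object -First 1
        if ($exe) { return $exe }
    }
}

function Invoke-DoScan {
    param([string[]]$Folder = @(), [string[]]$File = @())
    $exe = Find-DoScan
    if (-not $exe) { throw 'doscan.exe not found in a versioned SEP Bin folder.' }
    # Resolve every target up front so a mistyped path fails here, not inside the scan.
    $quote = { param($flag, $path)
        $full = (Get-Item -LiteralPath $path -ErrorAction Stop).FullName
        # A trailing backslash before the closing quote would escape the quote.
        if ($full.EndsWith('\')) { throw "Drive root '$full': use /ScanDrive instead." }
        '{0} "{1}"' -f $flag, $full }
    $parts = @($Folder | ForEach-Object { & $quote '/ScanDir' $_ }) +
             @($File   | ForEach-Object { & $quote '/ScanFile' $_ })
    if ($parts.Count -eq 0) { $parts = @('/C') }   # no targets given: quick scan
    $parts += '/Sync'                              # wait for the scan (the documented default)
    $proc = Start-Process -FilePath $exe -ArgumentList ($parts -join ' ') `
        -Wait -PassThru -NoNewWindow
    # Exit-code meaning is not documented on this page; findings are in the AV scan log.
    [pscustomobject]@{ Exe = $exe; Arguments = $parts -join ' '; ExitCode = $proc.ExitCode }
}

# Usage: Invoke-DoScan -Folder $env:TEMP, 'C:\Test' -File "$env:WinDir\notepad.exe"
```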
- Old versions of DoScan.exe from SEP 11 RU5 and below had an additional switch for specifying the scan log location:
/Logfile="Log file path and filename"
- The file needs to be quoted
- The default log path is "C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Logs\Doscan.log" if no specific path and file name was specified
This switch was removed from version 11 RU6 MP1 onwards, and now (in SEP 12.1 as well) the logs default to the standard scan log location, the same as for scans started from the GUI (shown here for SEP 12.1):
- C:\ProgramData\Symantec\Symantec Endpoint Protection\12.1.2015.2015.105\Data\Logs\AV\[date_of_scan].log
- C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\12.1.2015.2015.105\Data\Logs\AV\[date_of_scan].log
- A scan executed from the command prompt runs in the background and its progress is not reflected in the SEP client GUI at all.
- As DoScan is not a separate scan engine, it cannot be started from a bootable disk alone and needs Autoprotect on the SEP client to be up and running.
- While a system scan started by DoScan is running, starting another scan from the client GUI is not possible and will error out with the following information:
- DoScan is designed as a command prompt way of executing SEP scans and as an alternative to scans started from the GUI. For scanning large amounts of data or network drives, a different Symantec product dedicated to this purpose is recommended, one that comes with very strong and enhanced command-line support: Symantec Scan Engine.