As an international shipping company began an initial upgrade to Symantec Endpoint Protection (SEP) 11.0.2020, IT administrators in charge of the rollout discovered that a small percentage of the upgraded PCs experienced problems. In particular, a subset of the upgraded machines began performing startup scans that consumed so many system resources that administrators said they were unusable. The behavior could not be explained—no one involved with the upgrade had set any of the machines to perform these scans. An examination of these machines indicated that no scans were checked off in the XP maintenance schedules either. The entire SEP rollout would eventually include over a thousand Windows XP PCs, but administrators halted further deployment after the first hundred machines. Until the source of the mystery scans was tracked down, further upgrades would be put on hold.
A call from the web
Symantec support was first contacted over the Symantec MySupport premium Web site. Scott, an expert on SEP upgrades, fielded the case, triggering an internal notification to the company's personal Symantec Business Critical Account Manager (BCAM). The BCAM sent an email to the company immediately, detailing who was on the case. In the meantime, Scott analyzed the trouble ticket and sent a query to the company to get further details on the mystery scan environment. "I've been working with Endpoint since its first rollout. We make sure we cover all the bases initially," said Scott. "We need to make sure they are using the latest version of Symantec software, what types of systems are running, and what versions of operating system software are in use." This detailed information about the operating environment is essential to tracking problems. Once this information was in hand, Scott took the next steps.
Scanning for scans
One of the first things Scott noticed was that many of the machines in the server group were being upgraded from Symantec Antivirus v10 to the latest version of SEP. Past experience indicated that scans often originated from the Registry. Scott came up with a quick plan of action for the customer to scan the affected machines for particular Registry information. "We were looking for very specific scheduling information that could be in the Registry," said Scott. A detailed Registry entry was sent to the client so that they could search for the Registry entries on the affected PCs. Scott also offered to perform the searches himself if the customer sent the Registry files to him via email or through file transfer. As he suspected, the Registries showed that scheduled scans left over from an earlier antivirus installation were being used by the new SEP installation.
Scott then offered the customer tools for removing the errant Registry entries, but administrators at the company devised their own script to scan machines and remove any leftover scan schedules before applying SEP upgrades. After following this procedure for the initial upgrade group, SEP kicked off normally, and no users experienced unexpected scans whatsoever. Upgrades for the rest of the enterprise then continued on schedule. The customer was obviously pleased with Scott's work. "Scott deserves a real 'atta boy' on this case," one of the company administrators said in an email to his BCAM representative.