We're testing SEP 12.1.2 on a 64-bit Windows 7 Pro client. When we run a full scan, sometimes we get a large difference in the number of files scanned. For example, sometimes SEP will report 170,000 files scanned, then if we immediately run another full scan, SEP will report 80,000 files scanned.
The answer from Symatec Support is that this is normal behaviour for the SEP 12.1 client.
Support says that the first full scan after an AV defs update rescans everything, including the file cache. Subsequent full scans performed before the next AV defs update does not rescan everything as some files are marked as already having been scanned. Support says the product was designed this way for performance.
In our scans, we're seeing between 1,500 and 3,000 files trusted, but the apparently the number of trusted files are not the reason for the difference in the full scan counts.
We tested full scans with Insight turned off and the results were consistent with the higher number of files (about 170,000). The only reason for this that I can think of is that turning off Insight for scans always forces scanning of all files similar to that which happens after an AV pattern update in addition to trusted files..
So, the bottom line is that after talking with support we've turned Insight back on for scans. Evidently, what we are seeing is normal and is just the way the product works. We've got SEP 12.1.2 running on both 32 and 64 bit clients and the full scans all act the same - high file count after an AV pattern update then subsequent full scans report a lesser number (~50% fewer) of files scanned until the next AV defs update.