
about virus scan

Created: 08 Jul 2012 • Updated: 09 Aug 2012 | 12 comments
This issue has been solved. See solution.

I've set up SEPM to run a virus scan every Friday only, not to run a virus scan when new virus definitions arrive, and not to run a startup virus scan.

So the virus scan will run only when a file is loaded by the user. Is that right?

If the answer is no, there must be somewhere in SEPM that needs to be configured to change the virus scan behavior. Can someone tell me where?

If the answer is yes, things become quite strange:

I can see "ccSvcHst.exe" in Windows Task Manager with frequent I/O reads.

Meanwhile, I checked in the SEP client interface, and "view file system auto protect summary" shows that the virus scan is scanning the other partitions of my HDD (not the system partition), but I am not running any program that accesses them.

Can someone tell me why?


cus000's picture

An Auto-Protect scan will happen when a file is being accessed or modified...

Can you tell us what exactly you wanted to configure? To avoid a full scan, or SEP loading when the system starts?

Leo Young's picture

I mean that I've already configured SEPM not to run a scan at any time except every Friday.

But it seems that SEP clients will still run a full scan (it scans the other partitions of my HDD, and I didn't access them) at some time while I am using the PC (not at startup), and I don't know what makes this happen because I've cancelled all scan settings except Friday.

cus000's picture

Can you share your SEP Scan log?

Did you have any delayed scan from past weeks?

Leo Young's picture

I checked my SEP scan log. I didn't see any log entry about the event I mentioned.

And I didn't configure SEPM to run a delayed scan.

So that means there is some process accessing the other partitions of my HDD?

But I didn't run any other software except Outlook, IE and Remote Desktop.

And I also disabled the Windows XP system recovery service.

So how come?

greg12's picture

ccSvcHst.exe is the successor of rtvscan.exe and performs scans and Auto-Protect. Auto-Protect is always running in the background and scans every accessed or modified file. So, even if there are no scheduled scans Auto-Protect is working. Always.

You have a lot of Auto-Protect I/O because Windows is accessing tons of files every second that A-P has to check. You can use the procmon.exe tool (sysinternals.com) to get an impression of it. It's possible to disable Auto-Protect, however this is not a good idea because it's still the most important SEP security feature.

In the SEPM console, you can change Auto-Protect behavior so that it only checks modified (not accessed) files:

Clients > [Group] > Policies > Virus and Spyware policy > Auto-Protect > Advanced Scanning and Monitoring > Scan when a file is modified

BTW, it's highly probable that ccSvcHst.exe also does other things than scanning, therefore don't be surprised if it keeps working hard even after you have changed this setting.

HTH!
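Added example (not part of the original thread, and not Symantec or Sysinternals code): one way to use the Procmon capture suggested above is to export it as CSV and count file events per process and volume. The column names assume Procmon's default CSV layout, the sample rows are constructed, and treating a volume touched only by `ccSvcHst.exe` as scanner-initiated I/O is a heuristic.

```python
import csv
import io
from collections import Counter, defaultdict

# Constructed sample in the default column layout of a Procmon CSV export
# (assumed: Time of Day, Process Name, PID, Operation, Path, Result, Detail).
SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.10","OUTLOOK.EXE","2100","ReadFile","C:\Users\leo\mail.pst","SUCCESS",""
"10:01:02.11","ccSvcHst.exe","1480","ReadFile","C:\Users\leo\mail.pst","SUCCESS",""
"10:01:02.30","iexplore.exe","3020","RegOpenKey","HKCU\Software\Example","SUCCESS",""
"10:01:03.00","ccSvcHst.exe","1480","CreateFile","D:\Docs\report.doc","SUCCESS",""
"10:01:03.01","ccSvcHst.exe","1480","ReadFile","D:\Docs\report.doc","SUCCESS",""
"10:01:03.40","ccSvcHst.exe","1480","ReadFile","D:\Software\setup.exe","SUCCESS",""
"10:01:04.00","iexplore.exe","3020","WriteFile","C:\Users\leo\cache.tmp","SUCCESS",""
'''

# File-system operations of interest; registry and network events are ignored.
FILE_OPS = {"CreateFile", "ReadFile", "WriteFile", "QueryDirectory"}


def volume_activity(csv_text):
    """Return {drive: Counter(process name -> number of file events)}."""
    activity = defaultdict(Counter)
    # Procmon writes a UTF-8 BOM at the start of the export; drop it if present.
    reader = csv.DictReader(io.StringIO(csv_text.lstrip("\ufeff")))
    for row in reader:
        path = row["Path"]
        # Keep only file operations on drive-letter paths such as D:\...
        if row["Operation"] not in FILE_OPS or len(path) < 2 or path[1] != ":":
            continue
        activity[path[0].upper() + ":"][row["Process Name"].lower()] += 1
    return activity


def scanner_only_volumes(activity, scanner="ccsvchst.exe"):
    """Volumes where the scanner is the only process with file events.

    Heuristic: no other program opened files there, so the reads were not
    on-access scans triggered by the user's applications.
    """
    return sorted(v for v, procs in activity.items() if set(procs) == {scanner})


if __name__ == "__main__":
    result = volume_activity(SAMPLE_CSV)
    for drive in sorted(result):
        print(drive, dict(result[drive]))
    print("Scanner-only volumes:", scanner_only_volumes(result))
```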

Leo Young's picture

I know that ccSvcHst.exe performs scans and Auto-Protect.

I put many documents and software on my non-system partitions. I am puzzled why SEP always scans these files when I do not ask SEP to; it takes a lot of time. The HDD is working hard and I can hardly use my PC during this period. And it seems that SEP runs such scans randomly.

And changing Auto-Protect behavior as you suggest is not a good idea, I think; it may cause some safety risk.

And if ccSvcHst.exe does other things than scanning, does someone know what it really does?

Leo Young's picture

I've already opened a case, but there seems to be no solution so far.

I just want to know why SEP always keeps scanning my non-system partitions. I don't make any access to them.

cus000's picture

I guess only Technical Support can help you with a detailed check.

Any update from them yet?

Leo Young's picture

It seems that STRSP is working. And by default, "scan file high-speed cache when new definitions arrived" is enabled. After I disable this feature, everything seems ok.

Will it cause a security issue if I disable this feature?

SOLUTION
cus000's picture

Not that I can think of any... it just lowers the security posture a bit.

Maybe others can comment more about this feature?

"scan file high-speed cache when new definitions arrived"

Leo Young's picture

I contacted Symantec and got the result: it is OK, disabling this feature will do no harm.