Video Screencast Help

AV Scan options

Created: 12 Sep 2013 | 5 comments

I thought the 12.x client had the ability to not rescan files over and over. Scan Only the files that have changed. 

Please let me know were we can change this option

Operating Systems:

Comments 5 CommentsJump to latest comment

ᗺrian's picture

I believe this setting in the AV policy

untitled_40.JPG

AV policy >> Auto-Protect >> Advanced Scanning and Monitoring

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

San1985's picture

Hi Brian,

Sorry , I m lookig this option for scheduled scans , is this setting applicable for schedule scans ?

from above screen shot for us all options are same except one "instead of scan when file is modified we have selected Scan when a file is accessed or modified "

I think both options are  same .  is it correct ?

ᗺrian's picture

This should only apply to auto-protect

I believe for scheduled scans this is automatically determined by the SEP client. I've not seen any settings like this for a scheduled scan.

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

Mithun Sanghavi's picture

Hello,

Scan when a file is accessed or modified

Choosing this option causes Auto-Protect to scan files when they are written, opened, moved, copied, or run. Use this option for more complete file system protection. This option might affect performance because Auto-Protect scans files during all types of file operations.

Scan when a file is modified

Choosing this option causes Auto-Protect to scan files when they are written, modified, or copied.

Note: If a threat is moved within the same volume or renamed when Auto-Protect is configured to scan on modify, the threat will not be detected.

Use this option for slightly faster performance, because Auto-Protect scans files only when they are written, modified, or copied.

Configuring these settings:

It is possible to choose the desired Auto-Protect behavior by following these steps:

  1. Login to the Symantec Endpoint Protection Manager (SEPM)
  2. Click Policies Virus and Spyware Protection
  3. Right-click your Virus and Spyware Protection policy and click Edit
  4. Click Auto-Protect > Advanced Scanning and Monitoring...
  5. Select the desired Auto-Protect behavior

scan_advance.JPG

Check this Article:

SEP 12.1 and Advance Scanning

https://www-secure.symantec.com/connect/articles/sep-121-and-advance-scanning

Hope that helps!!

Mithun Sanghavi
Associate Security Architect

MIM | MCSA | MCTS | STS | SSE | SSE+ | ITIL v3

Don't forget to mark your thread as 'SOLVED' with the answer that best helped you.

Chetan Savade's picture

Hi,

Thank you for posting in Symantec community.

I would be glad to answer your query.

Have you checked with Shared Insight Cache (SIC)? Also other settings can be used to improve the scan the performance.

Shared Insight Cache (SIC) is a server application which caches known clean files in order to optimize scan performances.SIC server is mainly designed for virtual environment but usage on physical system is supported given that network latency is kept at an absolute low.SIC server keeps a record in memory (ram) of files which are voted clean by system performing scans 

First SEP client needs to scan a file.  Queries SIC and finds no record.  SEP scans the file and sends the results to the SIC.

Subsequent SEP clients need to scan the same file.  They query the cache server and find the file has already been scanned with the same version of defs and the file is clean.  SEP client skips scanning the file.

When a second client run the scan it goes though the same process and since the file is cached on the SIC therefore will skip the scan. 

Shared Insight Cache is only available for the clients that perform scheduled scans and manual scans. 

Shared Insight Cache runs independently of Symantec Endpoint Protection. However, you must configure Symantec Endpoint Protection Manager to specify the location of Shared Insight Cache so that your clients can communicate with Shared Insight Cache. No special license is required to install or run Shared Insight Cache.

The tool is located on SEP 12.1 DVD under 
\Tools\SharedInsightCache
 
Helpful Links:

Symantec Endpoint Protection Shared Insight Cache User Guide 12.1

http://www.symantec.com/docs/DOC4334

Shared Insight Cache - Best Practices and Sizing guide

http://www.symantec.com/business/support/index?page=content&id=TECH174123

Installation and Configuration of SEP Shared Insight Cache

http://www.symantec.com/docs/TECH185897

Viewing Shared Insight Cache events in the Cache Server log

http://www.symantec.com/docs/HOWTO55316

How Shared Insight Cache works

http://www.symantec.com/docs/HOWTO55318

Also check this article: https://www-secure.symantec.com/connect/articles/sep-121-and-advance-scanning

Chetan Savade
Sr.Technical Support Engineer, Endpoint Security
Enterprise Technical Support
CCNA | CCNP | MCSE | SCTS |

Don't forget to mark your thread as 'SOLVED' with the answer that best helps you.<