
Client has 52 thousand files but SEP scanned 34.5 million files? Where?

Created: 13 Nov 2012 • Updated: 15 Nov 2012 | 6 comments
This issue has been solved. See solution.

I have a client that has a weekly scan that lasts 28 hours. The client isn't that big, with only 52 thousand files on it, and I know that 295 files are CABs and 48 are ZIPs and one is a JAR, but 34.5 million is a lot of files to be in these compressed files. The largest one only has 6800 files in it.

 

On the SEPM under Protection Technology > Scan Details I have the Network Settings disabled for "Scan files on remote computers".

 

One suggestion I got was to turn on vpdebug, but it's more for troubleshooting issues, less on reporting - http://www.symantec.com/business/support/index?page=content&id=TECH103126   If I thought 28 hours for scanning was long this could double it.

 

Can anyone tell me where the other 34,448,000 files are?


.Brian's picture

Did any mapped drives get scanned?

You can run a tool such as windirstat to tell you where all files on your hard drive are located

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

Rafeeq's picture

My understanding is that it scans all the files, including registry, registration entries, services, temp files, etc.

sandra.g's picture

My guess is it's counting the files within compressed files, too.

sandra

Symantec, Senior Information Developer
Enterprise Security, Mobility, and Management - Endpoint Protection

Don't forget to mark your thread as 'solved' with the answer that best helps you!

SOLUTION
Hurricane Andrew's picture

Compressed files are the culprit, and not just zip and rar files.

"Hurricane" Andrew

Felton, Delaware

USAMax's picture

I have gone through most of the compressed files and as I mentioned there is one that has over 6800 files in it. Most of the others have 1 to 45 files. What I did not look for were compressed files within compressed files as SEP will scan down three layers.

Do you really think there could be more than 600 times more compressed files than uncompressed?

Anything is possible but is there any way to tell other than writing a script as they do not want outside code running on this server?

USAMax's picture

I could not believe these numbers so I spent a lunch hour digging into this question. Once I made Hidden System files visible I ran the numbers again. On the client there are 2 *.jar files, 4 *.zip files and 2967 *.cab files. Just looking through the top 25 files I found 105,969 files within these compressed files.

Basically I checked .8% of the compressed files and found .3% of the 34 million files.

I would have bet against this being true.

Some options are:

  • Disable the option to scan Compressed Files altogether
  • Reduce the number of levels to scan within compressed files (default is 3)
  • Exclude scanning certain compressed files that you believe are the issue, such as .cab and .zip
  • Search the hard drive for large compressed files (for example anything larger than 5Mb), and see where they are located. You can then determine how many files are inside, and whether the compressed file can safely be deleted.
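
One way to check the nested-archive explanation on a copy of the data, as an added example that is not part of the original thread and is not Symantec's code: it counts the entries inside ZIP and JAR files, following nested archives down to the three levels mentioned above. CAB files are not covered (Python's standard library cannot read them), and the size cap, function names and sample archive are assumptions constructed for the example.

```python
import io
import os
import zipfile

ARCHIVE_EXT = (".zip", ".jar")   # CAB is not readable with the standard library
MAX_DEPTH = 3                    # nesting depth the thread gives as SEP's default
MAX_NESTED_BYTES = 64 * 2**20    # assumed cap: skip larger nested archives

def count_entries(source, depth=1, max_depth=MAX_DEPTH):
    """Count file entries in a ZIP/JAR (path or file object), following
    nested ZIP/JAR members down to max_depth levels."""
    try:
        zf = zipfile.ZipFile(source)
    except (zipfile.BadZipFile, OSError):
        return 0                 # unreadable, or not really a ZIP container
    total = 0
    with zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            total += 1           # the member itself, archive or not
            nested = info.filename.lower().endswith(ARCHIVE_EXT)
            if nested and depth < max_depth and info.file_size <= MAX_NESTED_BYTES:
                try:
                    inner = io.BytesIO(zf.read(info))
                except (zipfile.BadZipFile, RuntimeError):
                    continue     # corrupt or encrypted member: count it, skip inside
                total += count_entries(inner, depth + 1, max_depth)
    return total

def count_tree(root, max_depth=MAX_DEPTH):
    """Return (files on disk, entries inside ZIP/JAR files) under root."""
    on_disk = inside = 0
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            on_disk += 1
            if name.lower().endswith(ARCHIVE_EXT):
                inside += count_entries(os.path.join(dirpath, name), 1, max_depth)
    return on_disk, inside

def make_zip(members):
    """Build a ZIP in memory from {name: bytes}; used for the constructed sample."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, payload in members.items():
            zf.writestr(name, payload)
    return buf.getvalue()

# Constructed sample: four levels of nesting, one more than the default depth.
L4 = make_zip({"d.txt": b"d"})
L3 = make_zip({"c1.txt": b"c", "c2.txt": b"c", "deep.zip": L4})
L2 = make_zip({"b.txt": b"b", "inner.jar": L3})
SAMPLE = make_zip({"a.txt": b"a", "mid.zip": L2})
```

Comparing `count_tree(path)` at depth 1 and depth 3 shows how much of an inflated total comes from nesting rather than from top-level archive contents.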