
Defwatch scan SEP12.1

Created: 03 Dec 2012 • Updated: 11 Dec 2012 | 24 comments
This issue has been solved. See solution.

Just noticed on a Server 2003 box with SEP 12.1 RU1 that the defwatch scans complete much quicker than the daily scheduled active scan. My understanding is that defwatch and active scan are essentially the same thing. That is certainly what I have been told whenever I have asked. Why does active take about 5 times longer? What is the defwatch scan NOT scanning, or why is it so fast?


W007:

Hi,

Check this thread

https://www-secure.symantec.com/connect/forums/disabling-triggered-scans-sep-121

Don't forget to mark your thread as 'SOLVED' with the answer that best helped you.

Serengeti:

Hi, does that link explain the difference in what active and defwatch scan do? Does it explain why defwatch is quicker? I have just checked SEP11 on Server 2003 and same relative scan times are found on that box.

W007:

Hi,

Check this article

Information on Symantec Endpoint Protection Scans

https://www-secure.symantec.com/connect/articles/information-symantec-endpoint-protection-scans

Don't forget to mark your thread as 'SOLVED' with the answer that best helped you.

Serengeti:

Thanks for the link, but it does not explain at all why a defwatch scan should be so much quicker than an active scan.

pete_4u2002:

The DefWatch QuickScan has been renamed to an Active Scan in SEP 11.

Article URL http://www.symantec.com/docs/TECH106098

W007:

Hi,

Check these comments

Vikram Kumar-SAV to SEP (Symantec Employee, Accredited):

Active scan - Scans common load points (like startup files, a few registry entries, C:\Windows, Temp and User Profile) and memory. It is a scan which normally takes 2-5 minutes.


Active Scan: Scans the memory and other common infection locations on the computer for viruses and security risks.

Full Scan: Scans the entire computer for viruses and security risks, such as adware and spyware. Use this scan to look in the boot sector, in the programs that are loaded into memory, and in all files and folders. A password may be required to scan network drives.

Custom Scan: Scans only the files and directories that you specify.

https://www-secure.symantec.com/connect/forums/active-scan-vsfull-scan

Don't forget to mark your thread as 'SOLVED' with the answer that best helped you.

W007:

This behavior is expected. In Symantec AntiVirus Corporate Edition 9.x or earlier, a Defwatch scan only scans the files that are in quarantine. In Symantec AntiVirus 10.x, the Defwatch scan also runs a Quick Scan. The Quick Scan scans any program files that are loaded into memory and common virus and security risk loading points.

In SEP 11 it's called Active Scan.

Don't forget to mark your thread as 'SOLVED' with the answer that best helped you.

Serengeti:

So why does the defwatch scan in SEP11 and SEP12 complete 5 times quicker than a quick/active scan on the same machine? If you look at the picture I attached you will see this clearly, even though the same number of files are scanned by defwatch and the scheduled scan.

W007:

Check this article

Performance as a feature

https://www-secure.symantec.com/connect/articles/performance-feature

SEP 11: Scan performance is low

SEP 12: Scan performance is significantly improved in SEP 12.1

https://www-secure.symantec.com/connect/articles/few-differences-between-sep-11-enterprise-edition-and-sep-121-enterprise-edition

Don't forget to mark your thread as 'SOLVED' with the answer that best helped you.

Serengeti:

Hi Manish, you have posted a lot of links in response to my question but not one that answers my question!

.Brian:

We will probably need a Symantec employee to comment on this or you can put in a call to support.

As was already mentioned defwatch scan has been renamed to active scan, which basically scans the common load points and memory.

My only other thought on this is when new definitions arrive, a scan will be done with just those new definitions instead of the entire set, therefore completing more quickly.

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

Serengeti:

Thanks Brian. I am working with BCS on this now. I do think the defwatch scan is a distinct scan in that it is triggered by definition update and is not configurable, apart from the ability to disable it and determine whether or not it scans quarantined files. Given the huge discrepancy in the duration of a defwatch scan (my SEP 12 scan log refers to defwatch as per my attached screen shot) compared to a scheduled daily active scan, there must be some differences between a defwatch and Active scan. I will keep you all posted. Intriguing stuff! Thanks for your posts.

.Brian:

I think it has to do with the option in SEPM "Run an Active Scan when new definitions arrive".

I currently leave this unchecked in production but can enable in our test environment to see what the result is.

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

.Brian:

Doing some testing, my defwatch scans are taking roughly 5 minutes on average whereas my manual active scan takes roughly 2 minutes on average. About the same amount of files are being scanned. Seems the two scans are the same but different.

Hopefully BCS gets you sorted out.

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

Serengeti:

Yes, that is how you enable a defwatch scan.

What options do you have set for the manual active scan?

.Brian:

See below:

I left it at the defaults:

Memory, common infection locations, well-known virus and security risk locations. All file types are scanned as well.

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

Serengeti:

Thanks. So a defwatch scan is pretty much locked down, as you have seen. I am finding out what a defwatch scan actually does compared to all the various things that an admin-defined active scan can do, as it is not transparent.

For active scan (I am referring to an administrator-defined daily active scan here) one can choose from the options below:


.Brian:

Yes, appears to be the case. There are many more options available in the scheduled scan as opposed to the active/defwatch.

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

Serengeti:

It appears that a defwatch scan does not scan "Well-known virus and security risk locations", which would account for a much shorter scan duration than a scheduled Active scan. I know that this option is not available in the configuration UI for defwatch scans, but that didn't make me any wiser as to what the defwatch scan actually defaults to.

.Brian:

Funny, my defwatch scan took 15 mins yesterday...

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

Ian_C.:

Interesting indeed. Your total files and trusted files numbers stay fairly constant per scan and similar to each other. Just because they are a similar number of files doesn't mean that they are the same files between the two different scans.

Another thing to consider is that you can set different exclusions for different scan types in SEP v12. Previously, in SEP v11 exclusions applied to ALL scan types. That too can make a difference.

Please mark the post that best solves your problem as the answer to this thread.

Serengeti:

I have seen very similar results on both SEP11 and SEP12.1. The Daily active scan is set without exclusions and to scan common load points and memory. Symantec have pretty much confirmed that a "fully-loaded" scheduled active scan will take 75% longer than a defwatch scan. Case closed from my perspective. It does make my choice of how to configure AV scan policy across various machine types more feasible as I know what each scan actually covers. Up 'til now I believed that defwatch and admin-scheduled active scan did the same.

Ian_C.:

@Serengeti.

Thank you for the feedback. Please mark this thread as answered.

Please mark the post that best solves your problem as the answer to this thread.