Endpoint Protection

  • 1.  Disabling SEP v11.0.5002.333

    Posted Apr 02, 2013 05:05 PM

    Hi,

    Although SEP is meant to load at system start-up, is there a way to turn it off permanently so it doesn't get enabled after rebooting?  It was loaded onto a number of Windows XP (and one Windows Server 2008) boxes to be used in a secure environment due to Information Assurance requirements.  However, since this network isn't connected to the internet it isn't necessary to have it continually scanning for viruses since they could only be introduced by portable media such as disks or jump drives.  We'd like to keep it loaded on these boxes so we can occasionally check for viruses after loading new software applications or copying over new files, but don't want it enabled for periodic scanning since it interferes with our simulations and occasionally locks them up when both try to access the same files.  We've been manually disabling these computers one by one, but have to do this every time they are rebooted, which gets tedious considering there are 10 computers with SEP loaded on them.

    In short, is there an easy solution for this short of uninstalling SEP?

     



  • 2.  RE: Disabling SEP v11.0.5002.333

    Posted Apr 02, 2013 05:09 PM

    In the AV policy, under Auto-Protect, de-select the checkbox and make sure the lock is open. This will turn off Auto-Protect and give you the option to enable/disable.



  • 3.  RE: Disabling SEP v11.0.5002.333

    Posted Apr 02, 2013 05:26 PM

    This sounds similar to what we've been doing, but it keeps getting re-enabled when the computer is rebooted.  We've been disabling it by first pressing the "Advanced" button and deselecting "Enable after XX min", closing out that window, then deselecting Auto-Protect.  This works fine until the computer is rebooted, which re-enables it.

    We've been using the "Connection Settings" button to do the above-described procedures.  Is there another way to get to AV Policy? 



  • 4.  RE: Disabling SEP v11.0.5002.333

    Posted Apr 02, 2013 06:03 PM

    So even if you turn off Auto-Protect via the policy, it re-enables upon reboot?

    You should just be able to right click the icon and select "Update Policy"

    You can also set the SEP services to Disable in the Services.msc config.



  • 5.  RE: Disabling SEP v11.0.5002.333

    Posted Apr 02, 2013 07:14 PM

    We'll look into it shortly once we can get back on the system and let you know what we find.

    THX



  • 6.  RE: Disabling SEP v11.0.5002.333

    Posted Apr 03, 2013 01:46 PM

    "..However, since this network isn't connected to the internet it isn't necessary to have it continually scanning for viruses since they could only be introduced by portable media such as disks or jump drives. ..."

     

    There are other ways such as someone bringing in an infected device such as a laptop.  That happened to us several times where one "I don't need anti-virus as it slows down my computer.." person plugged his laptop into the network and caused $10 million in damages, lost time, etc.  Just something to think about.



  • 7.  RE: Disabling SEP v11.0.5002.333

    Posted Apr 03, 2013 06:52 PM

    That's why we don't want to uninstall it.  Given the security requirements it wouldn't be that easy to do something like this without malicious intent.  Anyway, we hope to get back on the system tomorrow night to see if any of these recommendations work.  THX



  • 8.  RE: Disabling SEP v11.0.5002.333
    Best Answer

    Posted Apr 03, 2013 07:09 PM

    Assuming that the client (computer running the client) is managed (connects to a SEPM server for control), as someone mentioned you can use policies to turn off auto protect right from a policy.  As Brian pointed out, after you update the policy to turn off AP, you can go to the server client and right-click on the icon and select "Update Policy"  (or just wait...).

    I think I'm misreading what your original post was (kindly excuse me).  Are you trying to turn off auto protect (checks for viruses every time a file is accessed or modified) or are you trying to turn off the periodic full scan (scheduled scans)?  You can do both from a policy if the clients are managed.  If clicking on the system tray icons are grayed-out, that means the little lock icons are "closed" in your policy so you can't change the settings from the client.  My suggestion would be to have these few machines in a SEPM group by themselves and disable inheritance for the Anti-Virus Policy and create a new one.  Also, I believe there is a setting to turn back on Auto-Protect after a certain time if it gets turned off so you may want to look out for that.  The policy should be the best way to make sure things don't get changed after rebooting if you made a local change.

     

    Hope some of this helps.



  • 9.  RE: Disabling SEP v11.0.5002.333

    Posted Apr 11, 2013 06:40 PM

    We found out which computer was the server, brought up the SEP Management software and were able to permanently disable Auto-Protect by modifying the AV policy.  What we were doing before was trying to turn it off one at a time using the SEP software loaded onto each client and wondering why it would come back on after reboot.  We're just learning how the network is configured and have never done this before (obviously).  Anyway, a combination of reviewing some network training materials along with your recommendations solved the problem.   Thanks for the help,