
Disabling triggered scans in SEP 12.1

Created: 08 Sep 2011 • Updated: 08 Sep 2011 | 14 comments
ixtlanian:

I do not have any scans in my clients. Both default scans were deleted. However every day an unnamed scan starts automatically. Based on the article Types of Scan in SEP 12.1 I am guessing that this scan is a triggered scan, and the trigger is the new definitions download.

How can I completely disable these triggered scans on all clients, including unmanaged clients? It is extremely irritating that I cannot see any option for it in the client interface and that this scan is not listed on the Scans page.


Mithun Sanghavi:

Hello,

I would prefer checking Symantec Article:

About the types of scans and real-time protection

http://www.symantec.com/docs/HOWTO55226

You may be correct, it could be a Triggered Scan (Active Scan) when virus definitions arrive.

However, it could be a Start-up Quick Scan as well, which gets triggered when the machines are restarted.

You could disable both from SEPM.

Check below:

In case the clients are unmanaged, check below:

Hope that Helps!!!

Mithun Sanghavi
Senior Consultant
MIM | MCSA | MCTS | STS | SSE | SSE+ | ITIL v3

Don't forget to mark your thread as 'SOLVED' with the answer that best helped you.

ixtlanian:

Mithun,

I understand that you are trying to churn out as many responses as possible per day being a Symantec Enterprise Technical Support Analyst, but it is really offensive that you quickly inserted the canned response without even spending any time to actually read my issue.

Your response is irrelevant, ridiculous and offensive for several reasons:

  1. I clearly stated at the very beginning of the first line that "I do not have any scans in my clients. Both default scans were deleted." And yet you recommend that I delete two default scans. How much more clearly can I explain that I already deleted them?
  2. I clearly provided the article I read on your KnowledgeBase and yet you send me to another article, which has virtually the same information as the one I used. How does it help me? Or are you required to include some how-to article just in case?
  3. You state in your response that "You may be correct, it could be Triggered Scan (Active Scan) when Virus definitions arrive." Dear Mithun, I write to Symantec not for "maybe" or "might". I can get that much of an answer from an astrologist. When I report the issue, I expect some detailed troubleshooting steps that will determine 100% whether I am or I am not correct and help me figure out the remediation steps.

I would really appreciate it if you spent more than 10 seconds of your time and responded to my question properly. And just in case it is still not very clear, my short question is:

How can I disable TRIGGERED scans in SEP 12.1 (specifically in an unmanaged client)?

ixtlanian:

Here's the screenshot of this unknown scan results. There could be up to 4 such scans per day.

[Attachment: SEP 12.1 Unknown Scan.PNG]

Maver:

IX...I upgraded 2 "Unmanaged" 11.06 clients that had NO scheduled scans at all to 12.1

Both clients then had scans that ran daily about the same time as your screen shot.

I found some article that said to uninstall and reinstall the SEP client. That worked for me and I no longer have this "phantom" scan run daily.

Something about upgrading the client without uninstalling the previous version.

Hope this helps

ixtlanian:

@ Maver

Thanks for confirming the issue. So I am obviously not the only person on the planet who has this problem.

I just hate when support technicians (who most likely worked with Symantec products less than I did in my life) always try to insult the intelligence of the users who report real bugs by responding with ridiculous and irrelevant answers.

They should at least try to reproduce the issue, troubleshoot it, post it in the Known Error Database and thank the user for reporting the issue.

Cameron_W:

Ixtlanian,

1. The two scan options that Mithun suggested would not have shown up as a scan in the Scan for Threats section of the client. The fact that you deleted any scans in this area has no effect on whether these triggered scans run or not; they are options in the registry not displayed in the GUI, and the best way to change these options is via policy.

2. It is impossible to give a 100% answer from a short forum post with no logs. But based on your second post with the screenshot it is most likely either a Defwatch quick scan or a Defwatch wizard scan of the quarantine. On the client, if you go to View Logs -> Virus and Spyware Protection -> Scan Log, the rightmost column displays "Logged by"; I am guessing this will say Defwatch Scan. The quick scan would be resolved by unchecking "Run an Active Scan when new definitions arrive", as suggested by Mithun. The second would be resolved by going into your AV/AS policy on the SEPM, then Quarantine, and changing the option under "When new virus definitions arrive" to "Do Nothing".

For an unmanaged client, in order to disable the Defwatch wizard scan you will have to make the following registry change.

HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Quarantine\DefWatchMode=3 (REG_DWORD)

DefWatchMode value  Action
0                   Automatically repair and restore files in Quarantine silently
1                   Repair the files in Quarantine silently without restoring
2                   Prompt user
3                   Do nothing

So in this case you would want to set this value to 3. Note that these are instructions for a 32-bit client; if you are dealing with 64-bit, it is going to be under Wow6432Node, then Symantec.

Now I may be incorrect but this is the best answer I can give you with the data provided.

If you want a more detailed analysis of this issue or you want a faster resolution for this issue or any future issues I highly recommend calling in and opening a support case.

If I was able to help resolve your issue please mark my post as solution.

ixtlanian:

Cameron,

  1. The two scan options that Mithun suggested definitely DO show up in the Scan For Threats section of the client. See his second screenshot (for unmanaged clients). Every unmanaged vanilla installation of SEP 12.1 has these two scans and I deleted them both. So I am not sure what you mean in your response point #1 and why you mention policy again, as I repeated twice that I am asking about an UNMANAGED SEP 12.1 client.
  2. Your guess about Defwatch Scan is similar to mine; however, in the scan log all these scans show as Logged by Manual Scan. This is an unmanaged vanilla installation of the SEP 12.1 client on Windows 7 x86 and I do not have SEPM, and never had this computer connected to SEPM, so no need to mention it again. It would be better if you told me how to enable some debug logging to figure out what triggers this Manual Scan.
  3. Now your point #3 finally gets to my question (somewhat). However, if it was a quarantine scan upon getting new virus definitions, why does it scan 1000+ files? I have exactly zero files in my quarantine, so there should be no such scan.
     Anyway, I tried to do what you suggest, but alas, another bug. It is impossible to change that registry setting. To prevent any further intelligence-insulting suggestions, I did a clean vanilla install of Windows 7 SP1 x86 in a test environment, and installed an unmanaged vanilla SEP 12.1 client. I still cannot change the setting in the registry. Just in case you ask: yes, I know how to run RegEdit under an Administrator account, and I know how to check the ACL on registry branches to ensure the correct security settings. I do have access, but cannot change that setting. I can change the registry in every branch, but not in the Symantec branch. So I thought maybe some SEP tamper protection kicked in and I tried to disable the SEP client. Hey, yet another bug: the option to disable SEP is greyed out in the system tray. I can still disable the client from its GUI, but by this point I am so frustrated by the mounting bug collection that I do not want to proceed until you answer my previous questions clearly and explain all the bugs.
     If you want, I can make a video of everything I described; everything is 100% reproducible.

So to summarize - a short list of questions:

  1. Why do my "phantom" scans show up as Logged by Manual Scan? How do I troubleshoot this further to determine the trigger?
  2. Would a quarantine scan normally initiate on new definitions if there is nothing in quarantine?
  3. Why can't I change anything in the Symantec branches of the registry even with Full Access as Administrator?
  4. Why is the option to Disable Symantec Endpoint Protection greyed out when accessed from the system tray icon?

ixtlanian:

Here are 4 scans I found today:

  1. 1:13:08 PM
  2. 1:31:01 PM
  3. 1:38:02 PM
  4. 1:43:03 PM

[Attachment: 4 SEP Phantom Scans]

Definitions are not updated 4 times in 40 minutes, are they?

As a matter of fact there were no new definitions at that time at all, as you can see from the other screenshot.

_Brian:

I had the same issue when upgrading from RU6 MP3. Unfortunately, I had to re-install, but fortunately it fixed the issue. I went through the same steps everyone mentioned above and nothing worked. Got tired of it so I did the re-install. It probably is a bug, but I don't have time to sit on the phone. If you do, I would suggest opening a case.

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

Mithun Sanghavi:

Hello,

The unscheduled scan would be caused by scans left behind during the migration process.

Try these steps:

1. Open regedit

2. Go to HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Scheduler\[-GUID-]\Custom Tasks

3. For each [-GUID-], backup and then remove legacy scan registry keys

NOTE: The LastStart value can be used to identify which scans need to be removed. If there is no scan scheduled, all scans with a LastStart value (= already run) can be deleted.

It is also possible to identify the right GUID value, based on identity used to run the scan (can be found in SEP Scan log).

Reference: http://www.symantec.com/docs/TECH171212

Also, check this article below:

How can I stop an unwanted scan on a Symantec Endpoint Protection (SEP) 12.1 client.

Hope that helps!!

Mithun Sanghavi
Senior Consultant
MIM | MCSA | MCTS | STS | SSE | SSE+ | ITIL v3

Don't forget to mark your thread as 'SOLVED' with the answer that best helped you.
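As an added PowerShell example (not from Mithun's post or from Symantec), this inventories the two registry locations discussed in this thread on a local SEP 12.1 client: the Quarantine DefWatchMode value from Cameron_W's post and the Scheduler\[GUID]\Custom Tasks entries with their LastStart values from the steps above, and exports a backup of the Scheduler branch before anything is removed by hand. It assumes the key and value names exactly as quoted in the posts and only reads; it does not attempt any write, which ixtlanian reports tamper protection may block.

```powershell
# Added example, not from the thread or from Symantec. Read-only inventory of the
# registry locations discussed above, plus a backup export before any manual removal.
# Key and value names are taken from the posts; the Wow6432Node fallback is Cameron_W's note.

$candidates = @(
    'HKLM:\SOFTWARE\Symantec\Symantec Endpoint Protection',
    'HKLM:\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection'
)
$sep = $candidates | Where-Object { Test-Path $_ } | Select-Object -First 1
if (-not $sep) { throw 'SEP registry branch not found under either 32-bit or Wow6432Node path' }

# 1. Quarantine DefWatchMode, decoded with the table from Cameron_W's post (3 = Do nothing)
$modes = @{ 0 = 'Automatically repair and restore silently'
            1 = 'Repair silently without restoring'
            2 = 'Prompt user'
            3 = 'Do nothing' }
$quarantine = Get-ItemProperty -Path "$sep\AV\Quarantine" -ErrorAction SilentlyContinue
if ($null -eq $quarantine.DefWatchMode) {
    'DefWatchMode: value not present'
} else {
    $m = [int]$quarantine.DefWatchMode
    "DefWatchMode = $m ($($modes[$m]))"
}

# 2. Scheduler\<GUID>\Custom Tasks entries; a LastStart value means the scan already ran
$tasks = foreach ($guidKey in Get-ChildItem -Path "$sep\AV\Scheduler" -ErrorAction SilentlyContinue) {
    $customPath = Join-Path $guidKey.PSPath 'Custom Tasks'
    if (-not (Test-Path $customPath)) { continue }
    foreach ($task in Get-ChildItem -Path $customPath) {
        $props = Get-ItemProperty -Path $task.PSPath
        [pscustomobject]@{
            Guid      = $guidKey.PSChildName
            Task      = $task.PSChildName
            LastStart = $props.LastStart   # absent when the scan never ran
        }
    }
}
if ($tasks) { $tasks | Format-Table -AutoSize } else { 'No Custom Tasks entries found' }

# 3. Backup (step 3 of Mithun's post) before deleting anything by hand in regedit
$regPath = $sep -replace '^HKLM:\\', 'HKEY_LOCAL_MACHINE\'
$backup  = Join-Path $env:TEMP 'SEP-Scheduler-backup.reg'
reg.exe export "$regPath\AV\Scheduler" $backup /y
"Scheduler branch exported to $backup"
```

Run it from an elevated PowerShell prompt; compare the LastStart column against the times in the scan log before deciding which Custom Tasks keys are leftovers.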

Luc Granger:

I have the same problem on ALL the computers on which I installed the 12.1 version (unmanaged), from scratch or by update.

I found that the 2 scans exist for each user of the computer.

So, you have to delete the startup scan for each user using that computer, and it works!

There should be an easier way, because if a new user logs on to the computer, the scans start again.

We need a fix quick!

ixtlanian:

Luc,

What you described is unrelated to the issue I described.

If you actually read all I wrote above, you will discover that I am not talking about the 2 default start-up scans. In my case, after deleting them I still have phantom scans.

pkrohnert:

ixtlanian - I'm having the exact same problem on a number of computers here as well. First, thank you for confirming that I'm not crazy. I was sure I was missing a scheduled scan somewhere, but I still can't find anything. Your detailed responses were much appreciated, and I'm right there with you on the frustration scale.

Second, I've tried all the same things that you have, and I still haven't had any success getting the scans to stop. The registry edit most recently suggested by Mithun didn't help, since there weren't any entries in the registry key mentioned.

I haven't tried the uninstall / reinstall, but I'm considering it, and doing a registry comparison before and after, so that if the scans stop occurring, I can see if there's an obvious registry change.

Has there been any other headway made on this issue?

Thanks...

jamartin:

I followed Luc's suggestion and looked in the other profile on the PC and found that the scan was set up there! I have been fighting this on multiple computers for months. Thanks for the fix!