Video Screencast Help

How to configure SEP real time scan to detect the virus residing in memory

Created: 16 Sep 2010 | 6 comments

We are using SEP 11 RU6. Often, it detects the virus in the hard drive and either delete it or quarantine it on real time, but left the actual malicous one which already loaded in the memroy behind. So the virus never gotten cleaned. Is this the way SEP real time scan working? Or we mis-configure anything?


Comments 6 CommentsJump to latest comment

yang_zhang's picture

If you enabled SEP's auto-protection, the risk on memory will be detected automatically.

You can refer to the KB:

And, you can install Proactive Threat Protection on your client too.

If a forum post solves your problem, please flag it as a solution. If you like an article, blog post or download vote it up.
pete_4u2002's picture

from the administrator guide, administrator defined scans memory not the AP.

"Administrator-defined scans are the antivirus and antispyware scans that detect known viruses and security risks. For the most complete protection, you should schedule occasional scans for your client computers. Unlike Auto-Protect, which scans files and email as they are read to and from the computer, administrator-defined scans detect viruses and security risks. Administrator-defined scans detect viruses and security risks by examining all files and processes (or a subset of files and processes). Administrator-defined scans can also scan memory and load points."

From the link , it does not say it scans memory

Auto-Protect scans include the following types of scans:

  • File System Auto-Protect scans

  • Auto-Protect email attachment scans for Lotus Notes and Outlook (MAPI and Internet)

  • Auto-Protect scans for the Internet email messages and the attachments that use the POP3 or SMTP communications protocols; Auto-Protect scans for Internet email also include outbound email heuristics scanning

VSK's picture

I do not  think, real time scan can do that...what you could do is to configure a scheduled scan....


symsec's picture

Thank you all. I know scheduled scan can do it. But I want the real time proactive protection.

Yang_Zhang, does Proactive Threat Protection detect the virus in memory at real time? We have it installed on all workstations, but apparently it doesn't work as it supposes to. Do you have any KB for how to set PTP?


Rafeeq's picture

Proactive Threat Protection includes TruScan proactive threat scans, which make sure that your computer has zero-day attack protection from unknown threats. These scans use heuristics to analyze a program's structure, its behavior, and other attributes for virus-like characteristics. In many cases it can protect against threats such as mass-mailing worms and macro viruses. You might encounter worms and macro viruses before you update your virus and security risk definitions. Proactive threat scans look for script-based threats in HTML, VBScript, and JavaScript files.

Symantec Endpoint Protection 11.0 Network Threat Protection (Firewall) Overview and Best Practices White Paper

pete_4u2002's picture

PTP is behavioural based scanning and it scans if it is installed.

Q: Why does Proactive Threat Scan not detect test samples on server operating systems?
A: Currently Symantec Endpoint Protection 11.0 does not support the use of Proactive Threat Scan (Heuristics) on server operating systems.

Q: Why does Proactive Threat Scan not quarantine all threats it detects.
A: Proactive Threat Scan monitors specific and special directories to determine if it is a definite threat and does not remediate all detections.