I 've already used process monitor to track.
I agreed with you that administrator defined scans differ from autoprotect.
when I run a scan manually, "ccSvcHst.exe" will cause many disk I/O read bytes.
but when autoprotect(SRTSP?) is scanning my non-system partitions, "system" will cause many disk I/O read bytes.
and i check for autoprotect settings, and the only one i think related to my issue is "files high-speed cache".
I notice that there is a setting "scan high-speed cache when new definitions arrived".
since I start up my PC ervery day, and autoprotect will scan my non-system partitions after a few minutes. so I think maybe the setting metioned above that make this happen. after this, i reboot my PC, and nothing will happen.
but I read the explanation about "high-speed cache", it says autoprotect won't scan those files were scanned before and marked as clean ones. so why does autoprotect scan those files again and again?
I can see which files from SEP clients main control panel by viewing "file system autoprotect summary".
now I've already reinstalled my SEP clients. because i run SEP_SupportTool and got some errors.
today morning, I noticed that "system" still caused many disk I/O read bytes. but at that time I am away from my PC, so I can not track if the issue still exists.
and enable debug only can capture On-demand or scheduled scans. I think it won't log autoprotect scan.
I will keep watching of my PC, and I will try to disable/enable the setting "scan high-speed cache when new definitions arrived", to see it does relate to my issue.
thanks for your Info.