Endpoint Protection


Multiple analyses on scheduled scan

  • 1.  Multiple analyses on scheduled scan

    Posted Jul 18, 2011 02:12 AM

    Hello all,

    We're using SEPM and SEP clients on release 11 RU6MP3. I've got a group with some servers and a scheduled scan on this group (weekly, on Sunday starting 21h00 and with a starting window of 9h, random start is checked):

    I realise that some servers scan up to 4 times in the starting window. Like this one:

     

    1310936583 17/07/2011 23:03 17/07/2011 23:24 Terminée SRVDC04
    1310938627 17/07/2011 23:37 17/07/2011 23:51 Terminée SRVDC04
    1310940544 18/07/2011 00:09 18/07/2011 00:23 Terminée SRVDC04
    1310941745 18/07/2011 00:29 18/07/2011 00:43 Terminée SRVDC04

     

    Can someone explain to me why this happens? And how to remediate?

    Thanks all.


     

    Solution:

    This is a bug from 11 RU6MP3. This bug is solved in RU7:

    Randomized scans run multiple times and are not consistent

    Fix ID: 2196367

    Symptom: On Windows 7, a weekly scheduled scan is configured with a randomization window. The scan may run multiple times within that window.

    Solution: The randomized scan logic was optimized to prevent multiple scans from running in the same time window.
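
A check for the symptom in the first post, as an added example that is not part of the original thread: it groups scan-log rows by host and by the Sunday 21h00 + 9h start window, and reports hosts that started more than one scan in the same window. The row layout is assumed from the four lines quoted in the post; the SRVFILE01 row and all function names are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

SCAN_LOG = """\
1310936583 17/07/2011 23:03 17/07/2011 23:24 Terminée SRVDC04
1310938627 17/07/2011 23:37 17/07/2011 23:51 Terminée SRVDC04
1310940544 18/07/2011 00:09 18/07/2011 00:23 Terminée SRVDC04
1310941745 18/07/2011 00:29 18/07/2011 00:43 Terminée SRVDC04
1310937000 17/07/2011 23:10 17/07/2011 23:40 Terminée SRVFILE01
"""  # rows 1-4 copied from the post; the SRVFILE01 row is constructed

# Schedule from the post: weekly, Sunday 21h00, 9h start window.
WINDOW_WEEKDAY = 6  # datetime.weekday(): Monday is 0, Sunday is 6
WINDOW_START_HOUR = 21
WINDOW_LENGTH = timedelta(hours=9)
STAMP = "%d/%m/%Y %H:%M"

def parse_rows(text):
    """Yield (scan_id, start, host); skip rows that do not match the layout."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 7:
            continue
        try:
            start = datetime.strptime(parts[1] + " " + parts[2], STAMP)
        except ValueError:
            continue
        yield parts[0], start, parts[6]

def window_opening(start):
    """Return the opening of the start window containing `start`, else None."""
    days_back = (start.weekday() - WINDOW_WEEKDAY) % 7
    opening = (start - timedelta(days=days_back)).replace(
        hour=WINDOW_START_HOUR, minute=0, second=0, microsecond=0)
    if opening > start:  # Sunday before 21h00 falls under last week's window
        opening -= timedelta(days=7)
    return opening if start < opening + WINDOW_LENGTH else None

def repeated_scans(text):
    """Map (host, window opening) to scan ids when more than one scan started."""
    runs = defaultdict(list)
    for scan_id, start, host in parse_rows(text):
        opening = window_opening(start)
        if opening is not None:
            runs[(host, opening)].append(scan_id)
    return {key: ids for key, ids in runs.items() if len(ids) > 1}

if __name__ == "__main__":
    for (host, opening), ids in repeated_scans(SCAN_LOG).items():
        print(f"{host}: {len(ids)} scans in window opening {opening}: {ids}")
```
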



  • 2.  RE: Multiple analyses on scheduled scan

    Posted Jul 18, 2011 02:50 AM


  • 3.  RE: Multiple analyses on scheduled scan

    Posted Jul 18, 2011 03:32 AM

    Hi Rafeeq

     

    As I can read in the documentation:

    • If a resumable scan finishes and time remains in the specified time frame, the scan stops. The scan does not start again until the next scheduled occurrence.

    The C: drive of the server has 27 254 files, and the scan looks for 40 372 files each time!

    The scan is a weekly scan and the window is 9 hours, so if the first scan can't finish in the window it should restart the next week, not 10 minutes after.



  • 4.  RE: Multiple analyses on scheduled scan

    Posted Jul 18, 2011 04:18 AM

    Do you have any location-specific policy? Was any of the scans terminated? Can you check last week's report and check if that also has the same symptoms?



  • 5.  RE: Multiple analyses on scheduled scan

    Posted Jul 18, 2011 04:29 AM

    There is effectively a location. But the location is based on IP address, so the server didn't change location (fixed IP).

    The policy is a new one, so no report for last week.



  • 6.  RE: Multiple analyses on scheduled scan

    Posted Jul 18, 2011 05:58 AM

    This is what I found on location, so I asked you.

    http://www.symantec.com/business/support/index?page=content&id=TECH131601



  • 7.  RE: Multiple analyses on scheduled scan

    Posted Jul 18, 2011 06:09 AM

    I can't open the link.



  • 8.  RE: Multiple analyses on scheduled scan

    Posted Jul 18, 2011 01:39 PM

    The C: drive of the server has 27 254 files, and the scan looks for 40 372 files each time!

    DCourtel, are you scanning compressed files? If so, that could explain the file count.

    I think we need more information as to what else is or might be happening at this time on this system: event log messages, other SEP system messages, system backups, etc.

    sandra



  • 9.  RE: Multiple analyses on scheduled scan

    Posted Jul 20, 2011 02:36 PM

    Hi Rafeeq, I'm aware of this behaviour. I have already seen this happen in the case of a laptop switching location when the user unplugs the network cable to go to a meeting room. Then SEP changes from the 'intra VPN' location to the 'Out VPN' location. But in that situation I was seeing events in the event log of the SEP client indicating a location change.

    In this issue, it's about servers (so no IP change) and there is no event in the event log indicating a location change.

    In doubt, I have assigned the same scan policy to these two locations for this group. I will see next Monday.



  • 10.  RE: Multiple analyses on scheduled scan

    Posted Jul 20, 2011 04:08 PM

    Hello Sandra, well done. My scan policy effectively searches for compressed files and that explains the difference:

    The last scan shows the right number of files. I've unchecked 'Scan compressed files' and manually started the scheduled scan.



  • 11.  RE: Multiple analyses on scheduled scan

    Posted Jul 21, 2011 11:50 AM

    Happy to help.

    sandra :)



  • 12.  RE: Multiple analyses on scheduled scan

    Posted Jul 23, 2011 12:48 PM

    We continue to experience multiple scans where only one is expected!