Endpoint Protection

 View Only

  • 1.  Running Local Custom Scan on Managed Client

    Posted Jul 28, 2015 10:27 AM

    I have a server (Windows Server 2012 R2) with 3 large hard drives (in total about 1.5TB of data), and a policy that runs a full scan every week. The scan predictably never finishes, as it is taking 24 hours+ and then locking up, and the policy is not ideal for this particular server.

    I have put this server into a separate group that does not inherit the scan policy and has no administrator-defined scans via SEPM. It appears that you cannot customize a SEPM defined scan to only run on one specific drive, only preset folders for some reason.

    So instead, from the local agent I defined 3 scans, one for each drive that happen on different nights, so as to the split up the workload.

    However, when I went to check the logs, none of the locally-defined scans have run. If I have to execute these manually every week it defeats the purpose of a schedule.

    How can I troubleshoot this? Are locally-defined scans overridden on managed clients?

     



  • 2.  RE: Running Local Custom Scan on Managed Client

    Posted Jul 28, 2015 11:26 AM

    What is the exact version of SEP it's running? Local scans should not be overridden and should run per the timeframe you've set.

    Is there any error message in the System log at the time the scan is scheduled to start?



  • 3.  RE: Running Local Custom Scan on Managed Client

    Posted Jul 28, 2015 12:11 PM

    SEPM is 12.1.4104.4130 and the client is 12.1.4112.4156.

    The first scan was scheduled to run at 7PM on 7/27, and the second at 8PM on 7/27.

    In the system log there is just a gap from 3:20PM (virus definition file loaded) to 8:23 PM (Connected to SEPM) with nothing logged in between. I don't see an errors or warnings relating to scan activity.



  • 4.  RE: Running Local Custom Scan on Managed Client

    Posted Jul 28, 2015 12:34 PM

    I may end up creating a Windows scheduled task for each, but I'd like to see it work within EPP



  • 5.  RE: Running Local Custom Scan on Managed Client

    Posted Jul 28, 2015 12:52 PM

    Some times the logs will not be shown in the client logs viewer, if the logged on user is not an administrator. Just to confirn, check the event viewer under "Windows Logs -> Application Logs". The Event ID for a scan started by SEP is "3". The event ID for a scan completed by SEP is "2". Look for these even ID on the event viewer of the server.

    OR

    Check the scan log in SEPM for the scheduled date and look for logs from this particular server.



  • 6.  RE: Running Local Custom Scan on Managed Client

    Posted Jul 28, 2015 02:46 PM

    Thank you for the replies.

    Looking at the server's logs I see the last Event ID "3" logged yesterday was at 3:30 PM, so it does not appear to have started the scheduled scans at 7:00 and 8:00 at all. The SEPM scan log shows the same.



  • 7.  RE: Running Local Custom Scan on Managed Client

    Posted Jul 28, 2015 02:59 PM

    You could enable VPDebugging. This will enable some advanced logging as well show what's happening around the time the scan is supposed to start:

    How to enable "Vpdebug Logging" on Symantec Endpoint Protection 11.0 and 12.1



  • 8.  RE: Running Local Custom Scan on Managed Client

    Posted Jul 28, 2015 08:05 PM

    Can you post a screenshot of the Schedule page of the custom scan that you created on the server?

    SEP GUI -> Scan for Threats -> right click the scan from the list and select "Edit" -> Scan Schedule



  • 9.  RE: Running Local Custom Scan on Managed Client

    Posted Aug 17, 2015 10:05 AM

    Here are two of them, neither of which will run. I have tried through Windows Task Scheduler, which has also failed to perform the scans.

     

    EPP_1.PNG

    EPP2.PNG