
Scan omissions

Created: 20 Mar 2010 • Updated: 24 May 2010 | 13 comments
This issue has been solved. See solution.

Can someone explain to me why there are scan omissions during scheduled FULL scans? I understand there is an issue with busy and/or compressed files. For example, on a client one scheduled scan reported 2,848,810 files and the other 1,085,105 files; a difference of 1.7 million files!?

Thanks!


Grant_Hall's picture

Hi Rick,

Can I ask what product you're running, SAV or SEP? Also, I am a little confused about your question because you should never be seeing 1.7 million files as "files omitted". So my question is: does it actually say that 1.7 million files were skipped, or are more files simply being scanned on some systems but not others? If the second is true it might just be that the machine has that many more files in it. This could account for the difference in the number of files scanned. It might also be helpful to know which report you are seeing this information in.

Thanks Rick,
Grant

Please don't forget to mark your thread solved with whatever answer helped you : )

rickd's picture

Thanks for the reply Grant-

SEP MR5...Here is a copy of scheduled scans for the last 3 weeks. I guess it doesn't state omissions per se, but what else could it be? I haven't drastically removed files from my PC; snapshot from log file below.

| Started On | Completed | Computer | Status | Total Files | Infected | Logged By |
|---|---|---|---|---|---|---|
| 3/2/2010 8:00 | 3/2/2010 12:36 | mycomputer | Clean | 2848810 | 0 | Scheduled scan |
| 3/9/2010 6:15 | 3/9/2010 7:16 | mycomputer | Clean | 178263 | 0 | Scheduled scan |
| 3/16/2010 8:31 | 3/16/2010 9:25 | mycomputer | Clean | 1085105 | 0 | Scheduled scan |

Grant_Hall's picture

Thanks for posting this, very clear now. At first I thought you were talking about the difference between multiple computers. Please check out Vikram's post below and let us know if there were any missed file warnings in the event viewer.

Thanks!
Grant


pete_4u2002's picture

There could be a decompressing error while extracting. Maybe vpdebug will inform why the number of files scanned are less in number.

Is there any exclusion in the last scan and the present scan?

rickd's picture

For debugging skipped files in SEP 11, what flags should I set? Thanks!

Vikram Kumar-SAV to SEP's picture

All skipped files will show up in the Event Viewer App logs, with a "Could not scan" warning.

Vikram Kumar

Symantec Consultant

The most helpful part of entire Symantec connect is the Search button..do use it.

rickd's picture

Thanks! This explains a lot. From a fast pass of log files it looks like all decomposer engine issues. I've looked for SEP info regarding this but find Enterprise related info.

Thanks for all your time!

Grant_Hall's picture

Here are some of the more common reasons you see these errors:

  • The archive is encrypted and password protected
  • The archive is compressed in a format unknown to the Decomposer engine
  • The archive has additional compression layers that exceed the threshold set for the scan
  • The hard drive used by Decomposer does not have adequate space to properly expand and scan the contents of the archive

If any of these seem like they could be the issue please let us know. My guess is that the only one that makes sense is the last one simply because of the massive amounts of files you are seeing skipped. However it could also be due to the files being in use (unlikely due to amount of files) OR your virus definitions being corrupt (possible).

How to clear out corrupted definitions for a Symantec Endpoint Protection Client manually.

http://service1.symantec.com/support/ent-security.nsf/854fa02b4f5013678825731a007d06af/691fb01f62f2a700882573c2006d6de7?OpenDocument

hope this helps
Grant


SOLUTION
rickd's picture

Thanks Grant-

I have 106 gig free on my drive and looking at event logs there are a few thousand files getting skipped by decompose engine. Deducing, it must be corrupted defs. Argh! This is nearly a fresh install; only 2 months old. I wonder how often defs get hosed? I wonder if I need to be looking at an alternative solution to SEP.

Grant_Hall's picture

I can't say for sure how often the defs get corrupted. We see it maybe once a week or so in the forums but again this is a help forum that users only frequent when they are experiencing an issue so that is not a very good estimate. Personally on my two computers that run SEP it has never happened (almost 2 years). The process is fairly quick to get it cleared up, it should take less than five minutes or so. 

I posted the guide above. Please come back and let us know how it turned out.

Thanks
Grant


Vikram Kumar-SAV to SEP's picture

Reason for files getting omitted

"Could not scan [#] files inside [path][filename] due to extraction errors encountered by the Decomposer Engines" during a scan

http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2002073015235648

Vikram Kumar

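One way to quantify the omissions from the "Could not scan" warnings discussed in this thread, as an added example that is not part of the original posts or Symantec's tooling. It assumes the Application log warnings have been exported to text, one event per line, using the message format quoted above; the sample lines and paths are constructed.

```python
import re
from collections import Counter
from pathlib import PureWindowsPath

# Message format quoted in the thread:
#   Could not scan [#] files inside [path][filename] due to extraction
#   errors encountered by the Decomposer Engines
SKIP_RE = re.compile(
    r"Could not scan (?P<count>\d+) files? inside (?P<archive>.+?) "
    r"due to extraction errors encountered by the Decomposer Engines",
    re.IGNORECASE,
)

# Constructed sample export (hypothetical paths, not taken from the thread).
SAMPLE_LOG = "\n".join([
    r"3/9/2010 6:40 Warning Could not scan 12 files inside C:\Data\backup.zip "
    r"due to extraction errors encountered by the Decomposer Engines.",
    r"3/16/2010 8:41 Information Scan started on selected drives.",
    r"3/16/2010 8:52 Warning Could not scan 1 files inside C:\Users\rick\mail.pst "
    r"due to extraction errors encountered by the Decomposer Engines.",
    r"3/16/2010 9:02 Warning Could not scan 300 files inside C:\DATA\Backup.zip "
    r"due to extraction errors encountered by the Decomposer Engines.",
])

def parse_skips(log_text):
    """Yield (skipped_count, archive_path) for each matching warning line."""
    for line in log_text.splitlines():
        m = SKIP_RE.search(line)
        if m:
            yield int(m.group("count")), m.group("archive").strip()

def summarize(log_text):
    """Total skipped files, grouped per archive and per archive extension."""
    per_archive, per_ext = Counter(), Counter()
    for count, archive in parse_skips(log_text):
        per_archive[archive.lower()] += count  # Windows paths ignore case
        ext = PureWindowsPath(archive).suffix.lower() or "(none)"
        per_ext[ext] += count
    return {"total": sum(per_archive.values()),
            "per_archive": per_archive,
            "per_ext": per_ext}

if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    print("files skipped:", report["total"])
    for archive, n in report["per_archive"].most_common():
        print(f"{n:>8}  {archive}")
```

Comparing the total against the difference in "Total Files" between two scans shows whether the skipped archives can account for the gap; the per-extension counts point at archive formats the engine could not open.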

mxu's picture

I also noticed manual scan and scheduled scan have different numbers of scanning files on my machine.

Is anybody else experiencing the same problem?

Grant_Hall's picture

Hi MXU,

It would be great if you could open a new thread on your issue. This one is already solved and will be ignored by most users in our forums. If you feel this thread is related then simply provide a link back to it. In your new post you should mention if you already tried the advice given in this thread.

thanks
Grant
