We're testing the Symantec Firewall on a bunch of computers. Nearly every day over the past week or so, we have moved a handful (20-80) machines from one group to another. Each time, the groups have the exact same shared AV policy, but different firewall policies. The past 4 tests have gone great. Today, when we moved computers into the 5th group, many (perhaps all - not sure yet) machines kicked off an AV scan. Again - we're using a shared AV policy, so the AV policy did not change even when the groups changed.
Any ideas why?
We have seen similar problems in the past with switching locations within the same group, but that involved different AV policies.
A few more data points:
- These machines are scheduled to scan on Saturday and Tuesday mornings at 2 am
- These machines will retry the scan for 1 day if a scan is missed
- These machines had completed their Tuesday scan, most between 3am & 8am.
- When the scan kicked off after moving them to a new group (at noon), it reported it was performing the weekly Tuesday scan.
I would really like to better understand how SEP keeps track of when a scan has run and how it checks that when it thinks it should run a scan again.
All insights greatly appreciated!
Paul