Endpoint Protection

  • 1.  Scans starting when moving a computer from one group to another

    Posted Jun 16, 2009 01:22 PM
    We're testing the Symantec Firewall on a bunch of computers.  Nearly every day over the past week or so, we have moved a handful (20-80) of machines from one group to another.  Each time, the groups have the exact same shared AV policy, but different firewall policies.  The past 4 tests have gone great.  Today, when we moved computers into the 5th group, many (perhaps all - not sure yet) machines kicked off an AV scan.  Again - we're using a shared AV policy, so the AV policy did not change even when the groups changed.

    Any ideas why?

    We have seen similar problems in the past with switching locations within the same group, but that involved different AV policies.

    A few more data points:
    • These machines are scheduled to scan on Saturday and Tuesday mornings at 2 am
    • These machines will retry the scan for 1 day if a scan is missed
    • These machines had completed their Tuesday scan, most between 3am & 8am.
    • When the scan kicked off after moving them to a new group (at noon), it reported it was performing the weekly Tuesday scan.
    I would really like to better understand how SEP keeps track of when a scan has run and how it checks that when it thinks it should run a scan again.  

    All insights greatly appreciated!

    Paul


  • 2.  RE: Scans starting when moving a computer from one group to another

    Posted Jun 16, 2009 01:51 PM
    At the moment the cause is unknown.

    Make sure to turn off start up scans.

    If that does not resolve the issue:
    Delete scheduled scan defined in the policies.
    Save.
    Edit policy.
    Add scheduled scan back into the policy (from template or create from scratch).
    Apply policy to the affected client group.

    Let me know if this works.

    Regards,
    Thomas



  • 3.  RE: Scans starting when moving a computer from one group to another

    Posted Jun 16, 2009 02:17 PM
    Start up scans are off.

    Part of the problem is I can't reliably reproduce it.  We moved about 80 people today from two groups into one group.  Each group had some people who experienced the problem and some who didn't.

    Can someone at Symantec explain the process SEP follows (or intends to follow) when it checks to determine whether or not to run a scan?  Perhaps the collective intelligence of this group can help figure out what is going on.


  • 4.  RE: Scans starting when moving a computer from one group to another

    Posted Aug 28, 2009 11:04 AM
    I am having the same issue with my clients as well.  As soon as a client is moved to a new group - a full scan kicks off.   Has this been resolved?


  • 5.  RE: Scans starting when moving a computer from one group to another

    Posted Aug 28, 2009 11:16 AM
    Think it might have something to do with 'missed event'?
    PC was not flagged as having a scan done in that particular group so a scan was kicked off.


  • 6.  RE: Scans starting when moving a computer from one group to another

    Posted Aug 28, 2009 11:33 AM
    I have a strong suspicion that it happens 100% of the time if you are within the retry interval for Missed Scheduled Scans.

    For example, the scan below is scheduled for 2am on Sat. with a 1 day retry.  If I moved a computer on Saturday afternoon, within that 1 day retry, I am pretty confident another scan would kick off, even if both groups use the same shared policy!