Video Screencast Help
Symantec to Separate Into Two Focused, Industry-Leading Technology Companies. Learn more.

Scheduled scan on groups

Created: 18 Nov 2013 | 24 comments

Hi,

How can we schedule scan on particular groups?

Can we exclude one computer from that group and schedule it separately instead of running remote scan command manually ?

Scenario :

two groups x and y

i want to run schedule scan only on x group on friday at 11pm  and on y group on sat 8 am.

Thanks

Operating Systems:

Comments 24 CommentsJump to latest comment

.Brian's picture

Yes, you need to break inheritance on the group and assign a new AV policy to it with the scan schedule you want to run.

See here

https://www-secure.symantec.com/connect/forums/dif...

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

GeoGeo's picture

Yeah as Brian said move the machine into a secondary group turn off inheritance and apply a new policy whith the scanning schedule you want configured to it.

I'd have liked Brians comment instead but symantec seem to have removed our thumbs up sad

Please review ideas and vote there could be something useful :)

https://www-secure.symantec.com/connect/security/ideas

Beppe's picture

Hello,

Q: How can we schedule scan on particular groups?

A: yes, once you select a group, go to its policies tab, the scheduled scans can be set in the AV policy for that group, however just note:

- if the policy name is followed by [shared], it means the same policy is used by other groups, if you edit it, the same will be applied to the other groups which are using that policy; if you want to edit it, you need to select "create non-shared policy from copy" after the double click to open it

- if the policy name has no label, it means it is inherited from the parent grop, to edit it, you need to remove the inheritance for that group or edit that policy from the parent group's view (or from them main Policies panel)

- if the policy name is followed by [non-shared], this policy is assigned only to this group you can edit it without affecting any other group

Q: Can we exclude one computer from that group and schedule it separately instead of running remote scan command manually?

A: no you can't change settings by client, only by group, that is, if you want to customize the settings for a single client, you need to create a dedicated group for it.

Regards,

Giuseppe

suren424's picture

After the scheduled scan starts on a client machine ,is there a way to cancel/stop the scan ?

Scenario :

I scheduled scan on a group ,except one computer all other comptuers  have been scanned successfully.

when i see the scan report , it says scan started but no other details about that machine.

Attached the report for reference.

Thanks.

scan report.jpg
.Brian's picture

Was the scan prematurely stopped? Have you tried starting another one?

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

suren424's picture

logged into SEPM to see the status of scheduled scans  ,all other scans were successfull except for this server.

I tried starting the scan locally on the client computer ,but it says "a scan is already in progress,if you want the scan can be queued". 

If we run another scan ,when a scan is already running ,will it start the new scan and  i think there would be performance issues .... right ?

thanks

.Brian's picture

Sounds like something is stuck. Was the machine rebooted to see if that clears it up?

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

suren424's picture

No Brian ,machine was not rebooted and infact that is one of the critical servers.

can we run other scan command from SEPM ?

.Brian's picture

Check the Scan log on the client and ensure one isn't already running. If not, you can kickoff another one.

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

pete_4u2002's picture

the scan is progress from the above statement, check the scan log on the server.

GeoGeo's picture

if you want to delete this scan 

start

run

type regedit.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\LocalScans

Every alphaneumaric folder you see there is a scan setting.

You can check if there are any unwanted scans saved in registry and remove them if needed.

https://www-secure.symantec.com/connect/forums/scan-log-shows-multiple-old-scans-still-running

Please review ideas and vote there could be something useful :)

https://www-secure.symantec.com/connect/security/ideas

AjinBabu's picture

Hi, 

Break the inheritance of the particular group and create sperate virus and spyware policy and assign it to the required group.

Regards

Ajin

suren424's picture

Thanks everyone.we need to exclude some file extensions  from being scanned.

for that i edited the default exception policy.  can we assign this policy to the same groups on which the inheritance is removed or is there a way to exclude these extensions in the same firewall policy of those groups.

If we exclude those files extensions from the client side ,which one vl take precedence ?

Thanks again.

.Brian's picture

Yea you can apply the same policy to that group in which inheritance is removed.

Exclusions on the client side will also work in addition to the ones you added from the SEPM

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

suren424's picture

as said before only one policy can be applied to a group .. if we apply the exception policy to that groups,will we have to remove the existing policy/vl that remove automatically. I want both the policies.

I had this doubt about precedence beacause of the below line from the symantec article.What does this mean ?

Any exception that you create takes precedence over any exception that a user might define.

.Brian's picture

You cannot apply multiple policies to a group, it's one or the other.

That's correct. The SEPM always take precedence. However, if you give users the ability to add exceptions on the client side those exceptions will just be added in addition to what is set in the SEPM. This isn't considered a policy change, it's jut users having the ability to add an exception. If a setting was changed by the user different from what's in the SEPM, then next time a heartbeat occurs, the client will grab that policy again from the SEPM and override the change made by the user.

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

suren424's picture

So,how should i exclude particular extensions files from scheduled scans on a particular group ?

My situation is :

I would like to exclude .vsp files on a particular group .

thanks.

.Brian's picture
  1. Break inheritance on this group
  2. Create a new Exception policy which excludes the .vsp extension from scans
  3. Assign new Exception policy to this group

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

suren424's picture

To assign the antivirus and spyware policy on the server groups ,i broke the inheritance on the server group and asigned the AV policy.

Now would like to exclude only few extension files as we are also using symantec backup software to backup those servers.

My requirement would be :

1)a separate AV policy for the server groups  -- this is already done.

2)scheduled scan should skip the few file extensions.

Is there a way to do it in the existing AV policy or the scheduled scan settings.

Thanks.

.Brian's picture

You can use the existing policy but you need to make it non shared so you can change it with out affecting other groups. See here:

http://www.symantec.com/docs/HOWTO80911

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

suren424's picture

yes _Brian. i already did that.

  1. Broke the  inheritance on the groups.
  2. Create a new policy and assigned to that groups
  3. created scheduled scans on those groups and going on fine.

Now would like to exclude few extension files while the scan is going on. i searched all the settings in the policy but could not find one.

could you help me in finding those settings.

Thanks.

.Brian's picture

See here

Excluding file extensions from virus and spyware scans

Article:HOWTO80923  |  Created: 2012-10-24  |  Updated: 2013-10-07  |  Article URL http://www.symantec.com/docs/HOWTO80923

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

suren424's picture

Confused !!!

For the exceptions policy i need to go to the policies tab and edit the default exception policy ... right ?

but again can we assign this policy to that group ,if we already have AV policy as non-shared .

Now i have the the AV policy as Non-Shared ,where to change and exclude the file extensions in the scans ?

.Brian's picture

Yes, you can just edit the default one or create a brand new one and assign to the group you broke inheritance on. Just know that if you edit a shared policy it will affect all the groups its assigned to.

You set the exclusions in the Exclusions policy. It's separate from the AV policy.

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.