Endpoint Protection Small Business Edition

  • 1.  SEP 12.1.2: Scan logs issue

    Posted Jul 25, 2013 06:10 AM

    Hey guys,

     

    We tried to pull scan logs on the monitors to find out if the scheduled scans really do work. Two machines' status was Cancelled. How can we know if the cancelled scan was a scheduled scan or a manual scan by the user that was just cancelled by the user himself?

     

    I hope someone can give me a quick answer, my boss is currently waiting while I'm searching the console too.

     

    Thanks,



  • 2.  RE: SEP 12.1.2: Scan logs issue

    Posted Jul 25, 2013 06:14 AM

    There isn't a way unless it matches the time when your scheduled scan is supposed to start. That would be the only giveaway.

     



  • 3.  RE: SEP 12.1.2: Scan logs issue

    Posted Jul 25, 2013 06:22 AM

    Yeah I saw that too,

     

    Our scheduled scan is at 12, but we saw the cancelled scan at around 2. All we need to know now is if the cancelled scan is a manual scan or the scheduled one.

     

    Thanks,



  • 4.  RE: SEP 12.1.2: Scan logs issue

    Posted Jul 25, 2013 06:41 AM

    Scheduled scans do not pop up a window so that you can snooze and cancel (unless you have specified it under admin scan options in SEPM).

    Users won't be able to cancel if the above options are not enabled. If he tries to kill ccsvchst.exe, it will give access denied, as tamper protection is enabled.

    All your admin-defined scans will be under HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\LocalScans\5df13630-79f7-4c70-002b-16b8952f5533 (the name can be any hexadecimal name).

    If you find more than that, then the user has a scan defined and it was cancelled by the user.

    (check the time as well)
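
The registry check described in the reply above, as an added PowerShell example that is not part of the original post or any Symantec tooling. The `Wow6432Node` path and the `$adminScans` baseline list are assumptions; the first path and the sample key name are the ones quoted in the reply.

```powershell
# Added example. Run in an elevated PowerShell session on the SEP client.
# The first path is the one quoted in the reply; the Wow6432Node variant is an
# assumption for 32-bit SEP registry data on 64-bit Windows.
$roots = @(
    'HKLM:\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\LocalScans',
    'HKLM:\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\LocalScans'
)

# Hypothetical baseline: subkey names of the admin-defined scans, copied from a
# reference client that only has the SEPM policy applied. The single entry here
# is the example name from the reply.
$adminScans = @('5df13630-79f7-4c70-002b-16b8952f5533')

$found = foreach ($root in $roots) {
    if (-not (Test-Path -LiteralPath $root)) { continue }
    foreach ($key in Get-ChildItem -LiteralPath $root -ErrorAction Stop) {
        [pscustomobject]@{
            ScanKey      = $key.PSChildName
            AdminDefined = $adminScans -contains $key.PSChildName
            ValueCount   = $key.ValueCount
            Path         = $key.Name
        }
    }
}

if (-not $found) {
    Write-Warning 'No LocalScans subkeys found under either path.'
} else {
    # Overview: one row per scan definition, baseline matches flagged.
    $found | Sort-Object AdminDefined, ScanKey | Format-Table -AutoSize

    # Dump every value of each key that is not in the baseline so the extra
    # scan definition can be reviewed. Value names are printed as stored;
    # none are assumed here.
    $found | Where-Object { -not $_.AdminDefined } | ForEach-Object {
        "`n[$($_.ScanKey)]"
        Get-ItemProperty -LiteralPath ('Registry::' + $_.Path) |
            Select-Object -Property * -ExcludeProperty PS* |
            Format-List
    }
}
```

Any key reported with `AdminDefined` as False is a scan definition outside the baseline; compare it against the time of the cancelled scan in the client's Scan Log.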

     



  • 5.  RE: SEP 12.1.2: Scan logs issue
    Best Answer

    Trusted Advisor
    Posted Jul 25, 2013 06:49 AM

    Hello,

    There is no way to check from SEPM, specifically if the Cancelled scan was a "Scheduled scan" or a "User Manual Scan".

    However, you can check the same from the local machine.

    Could you check the latest logs on the local SEP client machine:

    C:\ProgramData\Symantec\Symantec Endpoint Protection\12.1.3001.165.105\Data\Logs\AV

    OR 

    Check the Scan Logs from the client machine:

    1) Open the SEP client GUI

    2) Click on View Logs

    3) Click on View Logs next to Virus and Spyware Protection.

    4) Click on Scan Logs.

    When a scan is started, the files are scanned. If machines are turned off or a scan is interrupted during a scan, the registry keys are set for a missed event so that this scan can be carried out once the machines are back. However, sometimes the interface gets stuck with the current status and never gets updated, like Cancelled, Paused etc.

    If a scan was running as per the interface, then you cannot run another scan; it would say it's queued, as currently a scan is active.

    Scan status on SEPM monitor show as scanning, while action has completed in SEP client

    http://www.symantec.com/docs/TECH199914

    Interpreting the log files for Symantec AntiVirus Corporate Edition and Symantec Endpoint Protection

    http://www.symantec.com/docs/TECH100099

    Hope that helps!!!



  • 6.  RE: SEP 12.1.2: Scan logs issue

    Posted Jul 25, 2013 09:36 PM

    Yeah, you always help me.