Video Screencast Help

SEP 12.1.2: Scan logs issue

Created: 25 Jul 2013 • Updated: 25 Jul 2013 | 5 comments
D@ry1's picture
This issue has been solved. See solution.

Hey guys,

We tried to pull scan logs on the monitors to find out if the scheduled scans really do work, two machines status was canceled, how can we know if the cancelled scan was from scheduled or it was  manual scan by the user and was just cancelled by the user itself?

I hope someone can give me a quick answer, my boss is currently waiting while I'm searching the console too.


Operating Systems:

Comments 5 CommentsJump to latest comment

ᗺrian's picture

There isn't a way unless it matches the time when your scheduled scan is supposed to start. That would be the only giveaway.

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

D@ry1's picture

Yeah I saw that too,

our scheduled scan is 12, but we saw the cancelled scan at around 2, all we need to know now is if the cancelled scan is a manual scan or the scheduled one.


Rafeeq's picture

Schedule scans does not pop up a window. so that you can snooze and cancel ( Unless you  have specified it under admin scan options in SEPM)

Users wont be able to cancell if the above options are not enabled. if he tries to kill ccsvchst.exe it will give access denied as tamper protection is enabled.

All your admin defined scan will be under HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\LocalScans\5df13630-79f7-4c70-002b-16b8952f5533 ( name can be any hexadecimal name )

if you find more than that then user has a scan defined and it was cancelled by the user.

(check the time as well)

Mithun Sanghavi's picture


There is no way to check from SEPM, specifically if the Cancelled scan was a "Scheduled scan" or a "User Manual Scan".

However, you chan check the same from Local Machine.

Could you check latest logs on the local SEP client machine - 

C:\ProgramData\Symantec\Symantec Endpoint Protection\12.1.3001.165.105\Data\Logs\AV


Check the Scan Logs from the client machine- 

1) Open the SEP client GUI

2) Click on View Logs

3) Click on View Logs next to Virus and Spyware Protection.

4) Click on Scan Logs.

When scan is started the files are scanned, if machines are turned off or scan is interrupted during a scan.

The registry keys are set for missed event so that this scan be carried out  once machines are back. However sometimes the interface gets stuck with current status and never gets updated like Cancelled, Paused etc.

If scan was running as per the interface then you cannot run another scan, it would say, it's queued as current a scan is active.

Scan status on SEPM monitor show as scanning, while action has completed in SEP client

Interpreting the log files for Symantec AntiVirus Corporate Edition and Symantec Endpoint Protection

Hope that helps!!!

Mithun Sanghavi
Associate Security Architect


Don't forget to mark your thread as 'SOLVED' with the answer that best helped you.

D@ry1's picture

Yeah you always help me,.