
SEP DefWatch (ActiveScan) Scans Taking WAY Too Long

Created: 22 Mar 2013 | 9 comments

I've noticed this problem after upgrading my user base to SEP 12.1 RU2. It appears that DefWatch scans take anywhere between 30 minutes and 1 hour to complete. This is a quick scan that should only take 2-10 minutes at most, considering it only touches 1,000-2,000 files roughly. I've also attached the vpdebug log as well.

Screenshot of the scan log.



Rafeeq's picture

Check if you have any files in the quarantine folder. If there are, delete them and check the time again.

mcmillions's picture

That's one of the first things I checked, and that is not the case. Same with the other 4,000 users having the same issues.

mcmillions's picture

If you had read the debug log, you can see that SEP is constantly checking for 'scheduled scans' and 'new definitions' in an endless loop.

.Brian's picture

You may need to call support. Since you're on the latest, upgrading is not possible, obviously.

There are some options to configure but it sounds like this is something you want to use instead of just disabling?

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

mcmillions's picture

Called support yesterday morning and logged a critical request. They're supposed to have a turnaround within 2 hours. Now it's been 24 hours and still no call. I'll be frank, their support really sucks.

Now, DefWatch is certainly important as new definitions are used to sweep live memory and critical directories. If there's a new variant I submit to Symantec and want it cleaned from the environment, how else will the Windows folder get swept for the new backdoor in a timely fashion?

I think I'll quit participating on this forum as I haven't really received any decent advice. Mostly broken English and links to technical documents that don't even pertain to my issue.

Thanks guys!

.Brian's picture

I can only tell you how to adjust/configure the settings when it comes to DefWatch scans. If it is a bug, then that is a code fix.

Sorry you haven't gotten what you needed or I couldn't be of more help.


Mithun Sanghavi's picture

Hello,

Could you please PM me your Case #?

Let me check into this.

Mithun Sanghavi
Senior Consultant
MIM | MCSA | MCTS | STS | SSE | SSE+ | ITIL v3

Don't forget to mark your thread as 'SOLVED' with the answer that best helped you.

mcmillions's picture

Brian81: If you have some configuration tips, I'd love to hear them.
Mithun: No thanks, I have a lot of people involved now. This is unacceptable on Symantec's behalf. I understand in the past 2 weeks there was a 'changeup variant' which has screwed a lot of things up. What a shoddy product. Tell users if things have become broken... at least a heads up.

SameerU's picture

Hi

Can you just reinstall the SEP client and observe the same?

Regard