Endpoint Protection

First off, I hope I posted this in the correct forum.  I've never heard it called Endpoint Protection before.

System: Windows XP Pro - Symantec Corp Edition Anti-Virus 10.0 (unmanaged computer)
___________________________________________________________
I noticed this weekend that one of our computers finished a "full scan" in about 5 minutes. Upon further investigation, I noticed that it had only scanned 25,xxx Files. I knew that this was not right as it had usually scanned 150,000 + files and takes about 45 minutes. I first checked the old Logs. I found that 8/11/09 was the last time that it scanned 150k + files. After that date, the log showed the Scheduled Full Scans as only scanning approx 25k files.

I tried google searching this issue with only a few hits of similar issues, but no solutions. I checked on MajorGeeks for answers and found nothing.

We have Malwarebytes (full version), SUPERAntiSpyware (full version), and Spybot all set to run nightly along with my Symantec, at different times. I went ahead and ran them all again anyway...all clean, no issues.

I ran CCleaner and Auslogics (one button clean up) to fix any disk errors, clean up the registry, and defrag.

I ran the Symantec "full scan" again, same result.

I uninstalled Symantec using the Add/Remove programs menu. Reinstalled it from the Install Disc and updated it. No change, same result.

I then tried the Manual Uninstall Procedure for 10.0. Followed every step, deleted all the appropriate registry entires, then ran CCleaner to clean up the registry. Installed 10.0 from the Install Disc. Same result, no change.

I uninstalled Symantec again and installed AVAST. All files (150,000+) were scanned and no issueswere  found. I then uninstalled that and tried Trend Micro, same thing-scanned all files, no issues found. Uninstalled it and reinstalled Symantec.

Tried the MajorGeeks XP Clean up. Followed it step by step, ran the suggested programs and saved the appropriate logs. No issues found.

I checked all the rest of the computers at my work and found that 5 others were running this "partial" Full Scan, so it wasn't just a one-machine issue. But we have 15 other machines that are fine.

***The only thing I can think of that relates all these machines is that these 5 machines have all be wiped (or are new) within the last 12 months. But up until mid August, they all functioned properly and the FULL Scan option had always worked fine. ***

I called Symantec's Tech line and spoke with the level 1 tech. After searching, she had no advice (over and above what I had already tried) and could not transfer me to level 2 (aka: open a case) because my companies support program was expired (as of May 2008).

The computers function fine, they are all up-to-date and are scanned daily with Symantec AV, Malwarebytes, Spybot, & SUPERAntiSpyware. But having Symantec only scan 25k files worries me.

I shut off Malwarebytes, SUPERAntiSpyware, and Spybot and ran the scan again, still no change.

I investigated more and found that when I ran a "Full Scan", it acted more like a "Quick Scan" or "Start-Up" Scan.  It would read, "Scanning Memory, Load Points, & Security Risks" then would scan a few files from "My Documents" then it would complete.  It would not scan all the files from my C: Drive.  I double checked to make sure that they weren't excluded, and they were not.  No changes had been made to the set up, it was still on default.  I did notice that there seemed to be more "Unknown DetectionAction" items than I had remembered seeing before, but maybe thats because I had never set and watched it scan before??

The computers are acting normal and not any slower than usual.  But since the "Full Scan" and our  "Scheduled Daily Scan" is only getting 25k files, I do worry that in the future we will be open to attack from virus's.

Any help would be great. I'm stumped.  Thanks in advance.

Refer to this KB for possible solutions -

Symantec AntiVirus Corporate Edition manual or scheduled scan stops before reaching 100 percent complete


http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2005032217140648

Thomas

Thanks, I'll see if there are any suggestions there that I have yet to try.

I should note, that the Scan completes (or atleast says complete) like it would normally.

The funny thing is that it happened on 5 of our machines, but not all of them.  At least one of the machines is very rarely touched. 

I would recommend that you uninstall 10.0.  That version is several years old and has known vulnerabilities.  I'd recommend that you upgrade to 10.1.8 or SEP, but you're apparently not licensed to use the software in the first place. 

Our company is licensed to use the software.  But we no longer have the Symantec Support agreement (for tech support).  Definately legit...lol    The software is a few years old, but my company doesn't seem to be able to find it in their budget to upgrade, dispite my urging at every budget meeting.

So I'm just doing what I can with the tools they provide me.  I've considered uninstalling 10.0 on our system and going with a free provider such as AVAST, but am still a bit leary about doing so.

I'd much rather solve this issue and keep things running as smooth as possible until I can convince the management here that it is time to upgrade.

Again, your help is appreciated.  Any more ideas?

The free AVs all prohibit their use in a commericial environment, even if you were a work-at-home business.  So you'll need to buy some AV.

Would letting them know that running such an old build puts their security at risk make any difference?  There are known vulnerabilities with the older builds.

This page lists more than just SAV, but gives you a good example of known security vulnerabilities that have been addressed.

http://www.symantec.com/avcenter/security/SymantecAdvisories.html

BTW, the most current build of SAV is 10.1.9. 

Good luck,
sandra

I hadn't even thought about it, but you are right snekul - So a Freeware AV is off the table for us.  
:facepalm:

I'll have to get a quote for SAV 10.1.9 upgrade to my management to be able to see  the "cost to upgrade".  I personally have been pushing this for the last 2 years or so.  I've used the "it will be cheaper in the long run" and "paying this preventitve cost will be less expensive than a fixing the potential problems".  But you know how companies work....  Thanks for the heads up sandra.g

But in the mean time, I'm still concerned about the 5 machines that are not able to run full scans.

Any more advice or things to look for??  Any reasons why this would have happened??

I picked one of the laptops and tried running through the link Cycletech provided.

*Checked the Log - no errors
*Updated Virus Definitions - up to date
*Checked the Virus Def's for corruptions - none found, everything looked fine
*Disabled any autostart programs
*Deleted Temp FIles
*Disabled "Scan Compressed Files" in Scan Options
*Ran ScanDisk - no errors found
*Shutdown for a few minutes
*Restarted in Safemode
*Ran full Scan

Result: No change, still only scanning 25k files.

I'm really beginning to think that this definately has something to do the affected machines being reloaded with Symantec Corporate AV 10.0 within the last 9 months.  But the most baffling part is that the machines were all working and Scanning fine up until mid August. 

All of our other machines work fine.  So that is the only variable that links the affected machines.

Is there any logic behind my thoughts?  I feel like I've tried everything at this point.  I just wish someone at Symantec could help me out with this, as I'm sure I can't be the first person/company with this issue.

Thanks again for your continued suggestions and help.

I picked one of the laptops and tried running through the link Cycletech provided.

*Checked the Log - no errors
*Updated Virus Definitions - up to date
*Checked the Virus Def's for corruptions - none found, everything looked fine
*Disabled any autostart programs
*Deleted Temp FIles
*Disabled "Scan Compressed Files" in Scan Options
*Ran ScanDisk - no errors found
*Shutdown for a few minutes
*Restarted in Safemode
*Ran full Scan

Result: No change, still only scanning 25k files.

I'm really beginning to think that this definately has something to do the affected machines being reloaded with Symantec Corporate AV 10.0 within the last 9 months.  But the most baffling part is that the machines were all working and Scanning fine up until mid August. 

All of our other machines work fine.  So that is the only variable that links the affected machines.

Is there any logic behind my thoughts?  I feel like I've tried everything at this point.  I just wish someone at Symantec could help me out with this, as I'm sure I can't be the first person/company with this issue.

Thanks again for your continued suggestions and help.

No one knows or has any other suggestions?  :sadface:

Did you run a scan in safemode... ? Give a try...

Yes, ran a scan in safe mode.  See my last post.  Still only scanning 25k files.

Mopar,

Is there anything else about these machines that's different from the ones that were not reimaged?  Are they fully patched with all OS updates?  What about free disk space?

If you have not already done so,  would also suggest trying using the Intelligent Updater, which will replace scan engine files as well as update definitions.
http://www.symantec.com/business/security_response/definitions/download/detail.jsp?gid=savce

Unfortunately (and I say 'unfortunately' because I know is this not presently an option for you), if this were a support case, the first thing I would suggest is to upgrade, in case the issue you're experiencing is a known one and has already been resolved in a subsequent build.

Thanks,
sandra

I think Mopar is a little confused in terms of licensing....

If you buy a support\license for SAV(or any enterprise AV as far as I'm aware) for one year, you only get to use the product for.....one year.  Your buying the right use the product, receive updates, and get support.  When the year is up and you don't renew, you legally need to uninstall the product or disable it until it's been renewed.  An easier way to think about it is that your paying for the right to receive content updates.  The EULA will have specifics on this.

Hope that helps clear things up with management.

Thanks Sandra.g, I'll try the Intelligent Updater on the machines.  But as for the affected machines, they are all completely up to date with Windows Updates and Drivers.  They all have plenty of free space on the hard-drives.

I'm definitely pushing the upgrade to my management!!

Thanks J123 for your incite as well.  I've been in contact with the company that originally did our tech/computer software upgrades/configuration/etc.  I likely was confused on the issue, as I was thinking the the support contract was only for the "tech support" and not the licensing.  But after thinking about it, what you are saying does make sense.

The strangest part is that the other 15 machines in the office are not having any issues with Symantec 10.0.  Just the fresh reloads.  If I take into consideration what J123 is saying, it may be possible that Symantec is some how disabling any machine loaded with the software after a certain date.  But that's almost too "conspiracy  theory" for me.  And if it was a license thing, wouldn't all of the computers be affected, not just the newly imaged ones???

I'm going to go try the Intelligent Uploader now and report back.

I appreciate the continued incites and hope, if nothing else, to come to a firm conclusion about this issue.

Mopar,

You're welcome!  I don't have full details on our licensing process (being that I am in support and not in licensing), but I am pretty sure we are not reaching out to your computers and disabling services :)

sandra

Ok, so I tried the Intelligent Updater, both the i32 and x86 versions.  I installed the i32 version first and ran a Full Scan after it finished updating and finished the Defwatch Scan.  No change in amount of files scanned.  So I ran the x86 version.  It updated, ran a Defwatch Scan, then I started a Full Scan.
Still no change.  

I'm sure that there is a solution out there, or atleast a solid reason why this is happening. 

Any more suggestions or things to try? 

That you have Malwarebytes, SuperAntiSpyware and Spybot listed--If any of those programs have an active scanning component, make sure they are disabled.  It will conflict with AutoProtect.

sandra

In previous Scan attempts I have shut off the MB & SAS active protection applications.  I will run the scan again now (since running and installing updates from the Intelligent Updater) and will be sure shut off any active protection programs.

I'll report back soon.
 

Disabled Spybot and Malwarebytes active protection programs.  This particular computer did not have  SuperAntiSpyware loaded on it (the other 4 affected computer do have it), so I did not have to disable that program

Ran another full scan...same result, no change.

Keep the ideas coming and I'll keep on trying.

I should mention that the other Unaffected 15 machines have Spybot & Malwarebytes active protection programs running and are still updating fine and the Full Scan function is still working properly. 

Any other suggestions?

I am going to do a full uninstall on one of the Laptops tonight, reinstall and run a full scan (before updating def's).  I'd like to see what happens, if I'm still able to run a full scan at that point.

Then once I've tried that, I'll update using the intelligent updater tthen run a full scan.

If it works after the install, but not after the update--it would suggest to me that it is being changed in the update process.

I'll report back my findings.

I wish I had more suggestions for you... Good luck!

sandra

Ran a CLEANWIPE on the laptop.  Then reboot.  Then installed 10.0 from disc.  Ran a full scan (before updating), scanned 10k files only.  Updated using live update, ran full scan, scanned 25k files again,

But all in all, no change.

I'm completely stumped.  I would have thought that this had happened before or that someone at Symantec could provide me with a solution or atleast a reason why this is happening.

Thanks sandr.g for your help with this, but it looks like this will remain a puzzler unless someone can offer a different solution/idea.

Mopar,
I am also experiencing the same thing on my laptop. It all started when I installed Spyware Doctor with antivirus on my laptop. I am sure the SD antivirus conflicted with SAV. I uninstalled both the SD and SAV and installed the SAV but full scan only scans about 25,000 files. I even did system restore to a date the SAV was working properly but it still scan about 25,000 files for full scan. I think I have a temporary solution. I tried it this morning and it worked. I manually performed the scan by right clicking on the drives I want to scan and clicking on ‘Scan for Viruses’ from the pop-up menu.

Moses.

Moses,
  I was really hoping that it would work.  I opened MY COMPUTER, right clicked on C:, selected Scan for Viruses.  It started the manual scan and only scanned 753 files before completing.

Its like most of the C: is being locked out from being scanned.

Mopar,
I have partitioned my computer. So I started with drive E and it scanned for 50 minutes. However, when I tried scanning drive C it scanned only 944 files; similar to what your computer did. I tried yet another method. That is scanning for the folders under Drive C. I started with program files and it has been scanning for the past 20 minutes. Try scanning for the folders under your C directory and I believe it will definitely work. Like I said in my previous note, this is just a temporary solution. We hope to find a lasting solution to this very soon.
Moses.

I tried it the way you've suggested Moses.  I opened the C: Drive and right clicked on the individual folders and selected SCAN FOR VIRUSES

On one of the affected machines, scanning the below listed folders individually, I got a grand total of 39,422 files scanned, which is more than the 25k files scanned with a FULL SCAN.  I've listed the comparison to what the properties of the folders said and what was scanned by Symantec.

1) Program Files (3018 files, 307 folders) : Scanned 3600 files
2) Windows (20,305 files, 1559 folders) : Scanned 27,923 files
3) ASICS (1497 files, 53 folders) : Scanned 1506 files
4) 10a392068e57c25d85 (14 files. 2 folders) : Scanned 14 files
5) Documents & Settings (12,642 files, 516 folders) : Scanned 493 files
6) UPS (5560 files, 233 folders) : Scanned 5886 files

The discrepancies for the Program Files, Windows, and ASICS folders showed  the Scan actually scanned more files than the Properties Screen showed for those folders.  The UPS & 10a392068e57c25d85 folders were very close to the actuals listed.  The Documents and Settings folder was way off.

At that point I opened the Documents and Settings folder and found two folders which I then scanned individually, see the results below:

1) All Users (664 files, 111 folders) : Scanned 493 files
2) DebbieG (11,886 files, 298 folders) : Scanned 12,172 files

When I went back into the C:, a SELECT ALL, and check of the PROPERTIES showed 43,136 files...so with the manual scan Moses suggested scanning 39,422 files--It seemed like we hit most of them.

___________________________________________________

For Comparions, I went to one of the machines that was running Full Scan's normally, without issues.  I opened the C: and did a SELECT ALL, then opened the Properties.  It said 75,234 files & 4,409 folders.   I went back out to the C: and did a right click, SCAN FOR VIRUSES, upon completion it had scanned 122,973 files.

So looking at this data, it seems that Symantec scanned nearly 48,000 more files than the Properties screen showed the C: containing.  I don't really know why that is, but it seems to be the norm.

Taking that into comparison with the data from the "affected" machine.  The "affected" machine should have scanned more files than it did.  So I would have to delve deeper into the individual C: folders to truly get a full scan of the folders.
___________________________________________________

But atleast we are able to scan more files using the method Moses suggested.

Thanks Moses!

Please keep me posted on any more ideas or if you do find a solution to this.  While I wish neither of us had this issue, at least I know someone else is facing the same problem and working to find a solution.  So we are on the right track, but not out of the woods yet.

Does anyone know why a FULL SCAN (or even Custom Scan) would be skipping so many folders & files??

Moper,
You are welcome. I am sure the SAV scanned 48,000 more files because it is able to scan for compressed files within compressed files up to 10 levels deep. SAV counts every level as a file, while windows count it as one file. I will keep you posted.
Moses.

Moses, please keep me posted on any progress or solutions you find on this.  I appreciate the help.

Obviously this isn't a one-off problem, I hope Symantec provides a solution for this or atleast takes a look at this issue and makes an attempt to fix it.

Any other suggestions or things to try?  I'm open to more ideas.

Moses, are you working with anyone at Symantec on this issue?  I'm Curious.

Is there anyone else dealing with this issue?  I'm sure someone has a solution or something else I can try.  I'm open to suggestions.

Looking for any more suggestions or solutions.

Any new progress on this issue?  Anyone?

This happened and scan stopped at a particular directory and it said scan completed.
We tried to exclude the directory or the file and Scanning was succesfull.

If you have multiple drives, then right click and try to scan on a different drive and see the progress.
By this, you can evantually find where the scanning stops.

On an another machine we tried to exclude the windows folder from scanning and it worked.
You can give this a try.

In addition to the above note.. Also check the file and folder exclusions

Nothing in the File & Folder Exclusions.

I will try excluding one at a time, but we did something similar when we scanned each folder individually.

I'll report back after I've tried this.

Have you tried mapping to this drive and running the scan from a different computer? You could also try a full scan using the nss tool from a winPE live cd to see how many files that picks up. Theoretically it is the same scan engine so it should stop at the same point that your full scan did. But if it still doesn't pick up all the files you could at least throw out the possibility that it is a program or something with your OS that is causing the problem. This really is a strange issue and I am curious to see the answer. What really makes it strange to me is that your right click scan of Documents and Settings only showed 493 files but the scan of the ONLY two folders under that one was much much more. I don't understand where the breakdown happened. My first thought was that it was some weird corrupt file that was causing the scan to barf but it doesn't seem like it when you consider that... Very curious.

Grant-

Hi Mopar,
Sorry for the long silence. My internet was out of order and I was also preparing to write an exam. I have managed to solve the problem. Symantec Corp 10.2 did it all. I uninstalled Symantec Corp 10.0 and installed Symantec Corp 10.2. Now I am able to scan all my files. Hope it helps.
Regards,
Moses.