
Unable to scan Enterprise Vault archived files with SEP

Created: 23 Jun 2014 • Updated: 23 Jun 2014 | 9 comments

Hi all,

We have EV 8.0 archived files in the file system and SEP 12.1.4.

When I try to scan a folder containing archived files, I get no scan or recall from the Vault server.

But if I open that folder and then scan the placeholder, SEP recalls the file and actually scans it.

What I need is a way to scan all my files using a drive letter scan (including all vaulted files), because I need to ensure that all those files are clean.

Does anyone have any idea for this?

Please help.


.Brian's picture

Have you tried mapping a share to it and creating a custom scan in SEP to scan that share?


Nuno Sysadmin's picture

Yes.

I have created a New Scan with:

  • scan all types
  • scan resident portion of offline and sparse files (Open files using backup semantics)

In the configure settings I have something like:

  • Scan when a file is accessed or modified
  • Scan when a file is backed up

Please note:

I have SEP on the file system (the vault server is on a different machine).

But my biggest problem is understanding why SEP recalls the files when I scan them directly, but there is no scan or recall if I scan the folder.

SMLatCST's picture

Individually scanning the files is similar to manually opening them up and looking at them.  This forces a demigration of the data AFAIK.

From your description, the "Storage Migration" option of your scan is set to only scan what's stored locally on the machine and not demigrate the files (i.e. don't restore the archived files to their original location before scanning, and only scans what part of the file is left behind).

I can't find any reference as to whether the "Open files using backup semantics" option is supported by EV8 for scanning without demigration.

I'd recommend checking out the other "Storage Migration" options if I were you.  Check out SEP's help section for more info, as I think you'll have to decide on priorities shortly (storage use vs security vs speed).

Nuno Sysadmin's picture

I have tried different options in SEP, but got the same result.
I can't accept a full folder scan not being able to scan the files.

I hope that someone can help, e.g. with some change in the regedit or something like that.

If the scan results opening file-by-file only a "feature" in the SEP won't do the same in a folder scan.

About the EOSL... I hope to solve my problem before that :P

SMLatCST's picture

I'm still not clear on what you're after tbh.  The options in the "Storage Migration" portion of the scheduled scan appear to cover off all three major options to me:

  1. Skip archived files entirely
  2. Scan archived files by demigrating them
  3. Scan archived files without demigrating them

Which one best matches your use case?

More details on all the various options are available in the SEPM's help (a copy of which is below):

Table: Storage migration options

| Option | Description |
| --- | --- |
| Skip offline files | Specifies that if the offline bit is set, the Symantec Endpoint Protection client skips the file. A small clock over a file's icon in Windows Explorer indicates that the offline bit is set. Any application can set the offline bit even if the file is not offline. |
| Skip offline and sparse files | Specifies that offline and sparse files are skipped. Some applications set the file sparse bit to indicate that part of the file is not present on the disk. Some HSM products set this bit and others don't. With a sparse file, a stub of the file remains on the disk, and the majority of the file is moved to offline storage. This setting is the default. |
| Skip offline and sparse files with a reparse point | Specifies that offline and sparse files with a reparse point are skipped. Some vendors use reparse points. Applications that use reparse points also use an appropriate device driver to manage reparse points in the files. With a reparse point, a portion of the file remains on disk, and the remainder is transparently accessed through the device driver. |
| Scan resident portions of offline and sparse files | Specifies that if the file is sparse, the Symantec Endpoint Protection client scans only the resident portion. The Symantec Endpoint Protection client identifies resident portions of a file. The nonresident portion remains in secondary storage. Some vendors support this capability. |
| Scan all files, forcing demigration (fills drive) | The Symantec Endpoint Protection client scans the entire file, which forces demigration from secondary storage if necessary. Because the size of the secondary storage is usually greater than the size of the local volume, this setting might fill the local volume. When the local volume is full, further files that are opened for scanning might fail. |
| Scan all files without forcing demigration (slow) | Specifies that all files are scanned, without forcing demigration. The Symantec Endpoint Protection client copies a file from secondary storage to the local hard drive as a temp file for scanning. The HSM application leaves the original file on the secondary storage. This method is slow and not all HSM vendors support it. Because a file is copied from secondary storage to a disk for scanning, resource demand is high. Processor and network performance might further degrade as the Symantec Endpoint Protection client detects infected content when a repair or deletion is returned to secondary storage. |
| Scan all files recently touched without forcing demigration | Specifies that all files that have been touched recently are scanned, without forcing demigration. This option lets you specify that only the files that have been migrated recently and might still reside on faster secondary storage are scanned. This method can reduce some of the resource demand issues with the Scan all files without forcing demigration option. You can scan the files that reside on faster disks, and skip demigration and scans if the files reside on slow disks. For example, files might be migrated to a remote disk after 30 days of no access. After 60 days of no access, the file is migrated to DVD-ROM or remote SAN storage. This method might still be slow because file access without forced demigration can be a slow operation. If you select this option, you must select the type of access and the number of days to define "recently touched." |
| Open files using backup semantics | Specifies that files be opened using backup semantics. In some cases, using this option may allow the Symantec Endpoint Protection client to scan files without demigration. It may also allow the client to scan the stub, but not the rest of the demigrated file. |
| Type of access within the number of days selected | If you select Scan all files recently touched without forcing demigration, you must set this option. This option specifies the type of access (Accessed, Modified, or Created) and the number of days to define as "recent." |

John Santana's picture

How does the scan performance look?

I'm curious to know about the duration when recalling the File from EV archive.

Kind regards,

John Santana
IT Professional

--------------------------------------------------

Please be nice to me as I'm newbie in this forum.

Nuno Sysadmin's picture

As I said before, I have tested all these options (but I think that "Scan all files, forcing demigration (fills drive)" is the only one that matches my scenario).

About scan performance, I will get that info as soon as I get the scan running through a folder scan.

SMLatCST's picture

John, I've already posted in your thread...

Just thought it'd be worth mentioning that EV-FAS has its own tool for demigrating files:

http://www.symantec.com/docs/HOWTO97254
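
The storage migration options quoted in this thread are described in terms of three Windows file attribute bits: offline, sparse, and reparse point. As an added example (not part of the original thread and not a Symantec tool), the script below inventories how many files under a folder carry each combination of those bits, so an administrator can see how many placeholders a given skip or scan option would apply to. The function names are hypothetical; the bit values are the standard Windows file attribute constants.

```python
import os
from collections import Counter

# Windows file attribute bits (standard Windows API values) that the
# storage migration table refers to.
FILE_ATTRIBUTE_SPARSE_FILE = 0x0200
FILE_ATTRIBUTE_REPARSE_POINT = 0x0400
FILE_ATTRIBUTE_OFFLINE = 0x1000

BITS = (
    ("offline", FILE_ATTRIBUTE_OFFLINE),
    ("sparse", FILE_ATTRIBUTE_SPARSE_FILE),
    ("reparse", FILE_ATTRIBUTE_REPARSE_POINT),
)


def classify(attrs):
    """Return e.g. 'offline+sparse+reparse', or 'resident' if no bit is set."""
    names = [name for name, bit in BITS if attrs & bit]
    return "+".join(names) or "resident"


def inventory(root):
    """Count files under root by attribute class, using metadata only."""
    counts, errors = Counter(), []
    stack = [root]
    while stack:
        try:
            with os.scandir(stack.pop()) as entries:
                for entry in entries:
                    st = entry.stat(follow_symlinks=False)
                    # st_file_attributes exists only on Windows; 0 elsewhere.
                    attrs = getattr(st, "st_file_attributes", 0)
                    if entry.is_dir(follow_symlinks=False):
                        # Do not descend into directory reparse points.
                        if not attrs & FILE_ATTRIBUTE_REPARSE_POINT:
                            stack.append(entry.path)
                    else:
                        counts[classify(attrs)] += 1
        except OSError as exc:  # unreadable entry or directory: record it
            errors.append(str(exc))
    return counts, errors


if __name__ == "__main__":
    import sys
    counts, errors = inventory(sys.argv[1] if len(sys.argv) > 1 else ".")
    for label, n in counts.most_common():
        print(f"{n:8d}  {label}")
    print(f"{len(errors)} read errors")
```

Run it on the file server with the share's local path as the argument; a large count in any class other than "resident" shows how much of the volume depends on the storage migration setting chosen for the scan.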