
Users are able to circumvent the administrator-defined (weekly) scans

Updated: 17 Aug 2010 | 11 comments
Peter.Lee

We have configured a policy on our SEP management server to enforce a weekly scan (administrator-defined scan) of all our clients. We have disabled the user's ability to stop the scan, but have allowed them to pause and snooze the scan for a predetermined time. However, users are able to circumvent the weekly scans by either rebooting their computers or logging off as the scan starts.

The scan aborts and the SEP management just records the last scan date as when the scan started. Hence, on the SEP management console it appears that the weekly scan has been run.

This is a major compliance issue and basically defeats the purpose of the administrator-defined scan. We have contacted Symantec support and they have indicated there is no way to resume a scan if it's aborted in this way, and if we wanted this feature, we should submit an enhancement request.

Is it possible to implement an enhancement to resume the weekly (administrator-defined) scans after a reboot or when a user logs back in? Is it also possible for the SEP management console to indicate the status of a scan and maybe provide some additional information, i.e. the status of the scan (e.g. running, aborted, paused, snoozed, completed, etc.), what time the scan started, when it was paused, snoozed, etc.? This additional information should be easily viewable (summarized and/or in detail form) via the SEP management console and it should also be possible to generate reports/export the details.

Comments

AravindKM, 02 Dec 2009

I think the best way to solve this issue is to remove the option for showing the scan progress to the user:
1. On the Antivirus and Antispyware Policy page, click Administrator-defined Scans.
2. On the Advanced tab, under Scan Progress Options, click do not Show scan progress or Show scan progress if risk detected.

Please don't forget to mark your thread solved with whatever answer helped you : ) Thanks & Regards Aravind

Peter.Lee, 07 Dec 2009

Hiding the scan is not very practical. We have allowed users to pause and snooze scans just in case they need to perform demos or business-critical tasks.

It's also too late to do this as most users know when the weekly scans are run, hence they still know how to circumvent it.

PS - If a user's computer runs slow all of a sudden, most users' reaction is to reboot anyway!!

AravindKM, 02 Dec 2009

Try this report

Login to SEPM
Go to Monitors > Logs
Select log type as Scan and create report
It will give information on scans completed, canceled, etc.

Please don't forget to mark your thread solved with whatever answer helped you : ) Thanks & Regards Aravind

Peter.Lee, 07 Dec 2009

Thanks for the info. However, there is not enough information for us to easily identify and group all the offenders. We have users/offices all over the world. The report listed over 340 computers that cancelled the scan for the last week.

Basically, the users should not be able to circumvent the weekly scans. The scan should continue after the computer reboots or the user logs back in.

net-user, 16 Feb 2010

So, how do you stop this?
We have the scan policy set so users can only pause and snooze scans because this is necessary, but they are finding ways to completely cancel scans.
Maybe they are just going to the Task Manager and killing the process.

Is there some way to prevent this, have the scan restart itself automatically if stopped or at least get an email alert whenever a scan is canceled?

Someone Else, 16 Feb 2010

Shutdown/restart = cancelled scans

As long as you allow users to shut down and/or restart, it seems you will have cancelled/incomplete scans. Unfortunately SEP is not smart enough to pick up where it left off in the case of a shutdown/restart. As the years go by, users are getting smarter and smarter about things like this, so they *will* take advantage of it.

net-user, 16 Feb 2010

So, then is there some way to get an email alert when a scheduled scan is cancelled or doesn't complete for any reason?

tommyhawk, 16 Feb 2010

Not a highly technical suggestion, but one that seems to work for me:
* Set Admin. Scan to "do not Show scan progress"
* Schedule scans to occur over the lunch hour.

If there is a way for users to circumvent a process, they of course will.  This seems to have the least impact on users and best compliance in my neighborhood.

net-user, 16 Feb 2010

Scans are scheduled to run overnight, but sometimes they are missed when the computer or laptop is turned off or removed.

People take lunches at different times and the scan can take hours to complete, so scheduling at "lunch" is not an option.

They need to be able to pause or snooze the scan, so "do not show scan process" is not an option.
If they cancel the scan instead of pausing or snoozing it, we want to get an email alert so we can take care of that problem right away. Can this be done?

Vikram Kumar-SAV to SEP, 16 Feb 2010

SEP - Reports
Type - Scan
Report - Computers by last Scan time
Filter - Default

Advanced
Status - Cancelled

net-user, 16 Feb 2010

I can create that report manually every time I want to check the status, but is there some way to get an automatic instant alert notification like you get for malware infections?
I'll set up a weekly scheduled report for now, but I'd like to get an instant alert instead.
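
An added example, not part of the thread and not Symantec's code: one way to post-process an exported scan report so that a machine counts as compliant only when it has a completed scan inside the week, with the remaining machines grouped for follow-up. The CSV column names, group names and sample rows are constructed assumptions, not the SEPM export format.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample rows. The column names are assumptions for this example,
# not the SEPM scan-log export schema; map them to whatever your export uses.
SAMPLE_EXPORT = """computer,group,scan_start,status
LON-PC-014,London,2010-02-08 12:00,Cancelled
LON-PC-014,London,2010-02-10 12:00,Completed
NYC-LT-201,New York,2010-02-08 12:00,Cancelled
NYC-LT-201,New York,2010-02-09 12:00,Cancelled
SYD-PC-033,Sydney,2010-02-08 12:00,Completed
SYD-PC-040,Sydney,2010-01-25 12:00,Completed
"""


def scan_gaps(export_text, as_of, window_days=7):
    """Group computers that have no completed scan inside the window.

    Returns {group: [(computer, cancelled_attempts), ...]}. A scan that only
    has a start time does not count: compliance requires a Completed row.
    """
    cutoff = as_of - timedelta(days=window_days)
    completed = set()
    cancelled = defaultdict(int)
    group_of = {}
    for row in csv.DictReader(io.StringIO(export_text)):
        name = row["computer"].strip()
        group_of[name] = row["group"].strip()
        started = datetime.strptime(row["scan_start"].strip(), "%Y-%m-%d %H:%M")
        if started < cutoff:
            continue  # too old to satisfy this week's requirement
        status = row["status"].strip().lower()
        if status == "completed":
            completed.add(name)
        elif status in ("cancelled", "canceled"):
            cancelled[name] += 1
    gaps = defaultdict(list)
    for name, group in group_of.items():
        if name not in completed:
            gaps[group].append((name, cancelled.get(name, 0)))
    return {group: sorted(members) for group, members in sorted(gaps.items())}


if __name__ == "__main__":
    for group, members in scan_gaps(SAMPLE_EXPORT, datetime(2010, 2, 12)).items():
        print(group, members)
```

A machine that cancelled once and later finished a scan drops out of the result, while one that was simply switched off all week appears with zero cancelled attempts.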