Endpoint Protection

  • 1.  Why is there such a large difference in scan times between these servers?

    Posted Jul 06, 2015 12:50 PM

    Below is a pic from the scan log on 4 of my servers. What would cause this HUGE difference in scan times? All 4 servers have similar or identical specs, roles, storage, and total number of files, yet it literally takes 100 times longer to complete a full system scan. They're all VMware VMs running SEP v12.1.6168.6000 and the entire infrastructure was basically idle when these scans took place (note they took place on different days as well).


    scantimes.jpg

    http://imgur.com/LWu0ZrP


    Where should I start looking to find out why this is happening so I can fix it?


    Thanks,



  • 2.  RE: Why is there such a large difference in scan times between these servers?

    Posted Jul 06, 2015 01:01 PM

    Do the servers with longer scan times have many compressed/zipped files or larger files in general?

    Are there any exclusions set up locally that you don't see from the SEPM?

    I would suggest that you enable debugging on one of the servers that takes longer and on one of the shorter ones to see what's being scanned. This way you can compare and see if there is something else going on.

    How to enable "Vpdebug Logging" on Symantec Endpoint Protection 11.0 and 12.1



  • 3.  RE: Why is there such a large difference in scan times between these servers?

    Posted Jul 08, 2015 08:53 AM

    It could also depend on how large the files are, not just quantity. Also, as Brian mentioned, compressed or zipped files take longer.

    Also, I see fewer trusted files on the machines that took less time to scan, so it could mean that less trusted files take less time to scan.
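    The two replies above both point at large files and compressed containers as the usual reason one server's scan runs far longer than another's. A quick way to compare servers on that axis is to inventory a tree by content signature rather than by extension, since an engine that unpacks archives will do so whatever the file is called. The script below is an added example and not code from the thread or from Symantec; the magic-byte table is an assumed set of common container formats (SEP's own container list is not given on the page), and the sample tree it builds is constructed data for a stand-alone run. Point `inventory()` at a real root such as `C:\` (or a suspect share) and compare the numbers between a fast and a slow server.

```python
"""Inventory compressed and oversized files under a path, keyed on leading bytes.

Added example for comparing servers before enabling vpdebug logging; not part
of the original thread. Magic-byte list is an assumption covering common
container formats, not SEP's actual decomposition list.
"""
import os
import gzip
import tempfile
import zipfile
from collections import Counter

# Leading bytes of container formats an AV engine typically decomposes.
MAGIC = {
    b"PK\x03\x04": "zip",
    b"\x1f\x8b": "gzip",
    b"7z\xbc\xaf\x27\x1c": "7z",
    b"Rar!\x1a\x07": "rar",
    b"MSCF": "cab",
}


def sniff(path):
    """Return the container type by leading bytes, or None for a plain file."""
    try:
        with open(path, "rb") as fh:
            head = fh.read(8)
    except OSError:
        return None
    for sig, kind in MAGIC.items():
        if head.startswith(sig):
            return kind
    return None


def inventory(root, large_bytes=100 * 1024 * 1024, top=5):
    """Walk root and report archive counts, bytes and the largest files."""
    kinds = Counter()
    archive_bytes = total_bytes = files = 0
    largest = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            p = os.path.join(dirpath, name)
            try:
                size = os.path.getsize(p)
            except OSError:
                continue  # vanished or unreadable; skip rather than abort
            files += 1
            total_bytes += size
            kind = sniff(p)
            if kind:
                kinds[kind] += 1
                archive_bytes += size
            largest.append((size, p))
    largest.sort(reverse=True)
    return {
        "files": files,
        "total_bytes": total_bytes,
        "archives": dict(kinds),
        "archive_bytes": archive_bytes,
        "large_files": [p for s, p in largest if s >= large_bytes],
        "largest": largest[:top],
    }


def build_sample_tree(root):
    """Constructed sample data: a zip, a gzip, a zip hiding behind a .dat
    extension, and one plain text file."""
    os.makedirs(os.path.join(root, "sub"), exist_ok=True)
    with zipfile.ZipFile(os.path.join(root, "backup.zip"), "w") as z:
        z.writestr("a.txt", "x" * 1000)
    with gzip.open(os.path.join(root, "sub", "log.gz"), "wb") as g:
        g.write(b"y" * 1000)
    with zipfile.ZipFile(os.path.join(root, "sub", "blob.dat"), "w") as z:
        z.writestr("b.txt", "z" * 1000)
    with open(os.path.join(root, "notes.txt"), "w") as f:
        f.write("plain")


def demo():
    """Build the constructed tree in a temp dir and inventory it."""
    root = tempfile.mkdtemp(prefix="scaninv_")
    build_sample_tree(root)
    return inventory(root, large_bytes=10_000)


if __name__ == "__main__":
    inv = demo()
    print(f"files={inv['files']} archives={inv['archives']} "
          f"archive_bytes={inv['archive_bytes']} total={inv['total_bytes']}")
    for size, path in inv["largest"]:
        print(f"{size:>12}  {path}")
```

The disguised `blob.dat` is still counted as a zip, which is the point: a fast and a slow server with the same file counts can differ a great deal in what the engine has to unpack.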



  • 4.  RE: Why is there such a large difference in scan times between these servers?

    Broadcom Employee
    Posted Jul 08, 2015 10:58 AM

    By any chance, have you configured the scanning of base image files for those two machines?

    This feature is disabled by default. When this feature is enabled and your client scans a file, it looks for this attribute. If the base image file contains the attribute, the client does not scan the file.

    You can specify to bypass scanning unchanged base image files for Auto-Protect scanning or administrator-defined scans (such as manual scans or scheduled scans).

    To bypass the scanning of base image files
    1. On the console, open a Virus and Spyware Protection policy, and under Advanced Options, click Miscellaneous.
    2. On the Virtual Images tab, check the options that you want to enable.
    3. Click OK.

    Also, verify whether end users have access to pause/snooze administrator-defined scheduled scans.



  • 5.  RE: Why is there such a large difference in scan times between these servers?

    Posted Jul 08, 2015 01:54 PM

    I have not set this up but I'll check it out. Thanks,



  • 6.  RE: Why is there such a large difference in scan times between these servers?

    Posted Jul 08, 2015 02:06 PM

    @Brian & hamad3914

    The server with really long scan times that I've been testing is a domain controller. It doesn't have any large files or archives that I'm aware of. The largest files are SEP's definitions archive and the security event log, which reaches 256 MB and gets archived to a different machine.


    I enabled debug logging and there were a few instances where the VM was too busy and throttled itself with the message below.

    22:11:05.331984[_1768][_5200]|ScanThrottling: User is not Idle. Sleeping 3000 ms for the Best Application Performance scan.


    Most of the log was filled with the message below. 


    03:53:46.814367[_1768][_5200]|CheckInfestationMode: not time to analyze, over max 300 and checking only every 30 files
    03:53:46.816701[_1768][_5200]|CSavScanSink::OnSkippedFileScan: Skipping file \\?\C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\12.1.6168.6000.105\Bin\MigrateUserScans.exe, reason 1


    The scan took over 16 hours which is way too long.

    hamad3914 mentioned that trusted files could take longer to scan. I set up Shared Insight Cache expecting it to decrease scan times...is it possible it could be doing the opposite? How could that be, and what should I do to correct it?


    Edit: typos