Video Screencast Help
Symantec Secure Login will be live on Connect starting February 25. Get the details here.

Information on Symantec Endpoint Protection Scans

Created: 24 Jul 2012 • Updated: 11 Oct 2012 | 6 comments
Language Translations
Mithun Sanghavi's picture
+7 7 Votes
Login to vote


There are different type of scans which protect Symantec Endpoint Protection Users and their computers.
Auto-Protect - Auto-Protect continuously scans files and email data for viruses and for security risks; viruses and security risks can include spyware and adware, as they are read from or written to a computer.
Types of Auto-Protect:
  1. File System Auto-Protect
  2. Internet Email Auto-Protect
  3. Notes Auto-Protect
  4. Outlook Auto-Protect
Configuring File System Auto-Protect for Windows clients
Configuring Auto-Protect to determine file types 
Auto-Protect is preset to scan all files and processes. It may complete scans faster by scanning only files with selected extensions.
For example, you might want to scan only the following extensions:
  • .exe

  • .com

  • .dll

  • .doc

  • .xls

Typically viruses affect only certain types of files. If you scan selected extensions, however, you get less protection because Auto-Protect does not scan all files. The default list of extensions represents those files that are commonly at risk of infection by viruses.

Auto-Protect scans the file extensions that contain executable code and all .exe and .doc files. It can also determine a file's type even when a virus changes the file's extension. For example, it scans .doc files even if a virus changes the file extension.

You should configure Auto-Protect to scan all file types to ensure that your computer receives the most protection from viruses and security risks.

Note: Auto-Protect does not function on Linux platforms, you must run a manual scan on those machines to detect threats.

Schedule Scan Types which could be scheduled from Symantec Endpoint Protection Manager
Active Scan - Scans the system memory and all the common virus and security risk locations on the computer quickly. The scan includes all processes that run in memory, important Windows registry files, and files like config.sys and windows.ini. It also includes some critical operating system folders.
NOTE: Only custom scans are available for Mac clients.
Custom Scan - Scans the files and folders that you select for viruses and security risks.
Startup scans and triggered scans - Startup scans run when the users log on to the computers. Triggered scans run when new virus definitions are downloaded to computers.
Note: Startup scans and triggered scans are available only for Windows clients.
On-demand scans - On-demand scans are the scans that run immediately when you select the scan command in Symantec Endpoint Protection Manager. You can select the command from the Clients tab or from the logs.
Full Scan -  Scans the entire computer for viruses and security risks, including the boot sector and system memory.
It will scan each file by starting with A to Z its not real time..Its manual or scheduled.
A Full system scan are the antivirus and antispyware scans that detect known viruses and security risks. For the most complete protection, you should schedule occasional scans for your client computers. Unlike Auto-Protect, which scans files and email as they are read to and from the computer, A Full system scans detect viruses and security risks.

A Full system scan detect viruses and security risks by examining all files and processes (or a subset of files and processes). A Full system scan can also scan memory and load points.

A Full system scan does these...

  1. Scans the system memory and all the common virus and security risk locations. 

  2. Scans the entire computer for viruses and security risks, including the boot sector and system memory.
Full scans can be scheduled Manually and also a Administrator Defined scans could be performed from SEPM. check the Articles below:
Configuring an on-demand scan for Windows clients
Configuring a scheduled scan for Windows clients

TruScan Proactive Threat scans - 

Supported on Windows computers that run Symantec Endpoint Protection version 11.x.

SONAR is not supported on any computers that run version 11.x.

TruScan proactive threat scans provide protection to legacy clients against zero-day attacks. TruScan proactive threat scans determine if an application or a process exhibits characteristics of known threats. These scans detect Trojan horses, worms, keyloggers, adware and spyware, and the applications that are used for malicious purposes.

Unlike SONAR, which runs in real time, TruScan proactive threat scans run on a set frequency.

TruScan proactive threat scans use heuristics to scan for the behavior that is similar to virus and security risk behavior. Unlike antivirus and antispyware scans, which detect known viruses and security risks, Proactive threat scans detect unknown virus and security risks.

Note: Because proactive threat scanning examines active processes on client computers, the scanning can impact system performance.

The client software runs proactive threat scans by default. You can enable or disable proactive threat scanning in an Antivirus and Antispyware Policy. Users on client computers can enable or disable this type of scan if you do not lock the setting.

Although you include settings for proactive threat scans in an Antivirus and Antispyware Policy, you configure the scan settings differently from antivirus and antispyware scans.

See About TruScan proactive threat scans.

Bloodhound - 

Bloodhound isolates and locates the logical regions of a file to detect a high percentage of unknown viruses. Bloodhound then analyzes the program logic for virus-like behavior.

What is the difference between the Bloodhound and Proactive Threat Protection (TruScan) technologies?

For Symantec Endpoint Protection 12.1, there are few Additional Scans as below - 
Download Insight- 
Download Insight boosts the security of Auto-Protect scans by inspecting files when users try to download them from browsers and other portals.
Download Insight uses reputation information to make decisions about files. A Symantec technology that is called Insight determines the file reputation. Insight uses not only the source of a file but also its context to determine a file's reputation. Insight provides a security rating that Download Insight uses to make decisions about the files.
Download Insight functions as part of Auto-Protect and requires Auto-Protect to be enabled.
SONAR offers real-time protection against zero-day attacks. SONAR can stop attacks even before traditional signature-based definitions detect a threat. SONAR uses heuristics as well as file reputation data to make decisions about applications or files.
Like proactive threat scans, SONAR detects keyloggers, spyware, and any other application that might be malicious or potentially malicious.
Note: SONAR is only supported on Windows computers that run Symantec Endpoint Protection version 12.1 and later.
About the types of scans and real-time protection
Hope that helps!!

Comments 6 CommentsJump to latest comment

San1985's picture

Nice article.. very useful..

Login to vote
C_Designs's picture

Thank you for this explanation.

Login to vote
W007's picture

Thanks Mithun....

Great Article and Explain different Types of Symantec Endpoint Protection Scans..........................yes

Don't forget to mark your thread as 'SOLVED' with the answer that best helped you.

Login to vote
ajhay.siingh's picture

HI Mithun,

Very useful info by you by all types of scans.





Login to vote
LeeD's picture

Good one

Thank you,


Login to vote
samgibson's picture

yeah, I love SONAR.  I'm trying to get caught up on some of the other options out there, but so far I'm pretty pleased.  Maybe I need to start researching some of the other options.

Login to vote