Endpoint Protection

  • 1.  Restrict Admin users from terminating the SEP scan

    Posted Nov 02, 2015 01:16 AM

    Local admin users are capable of terminating the scan process using the Task Manager, which results in unfinished scans.

    I am looking for options inside SEPM or if it can be achieved by some other means.



  • 2.  RE: Restrict Admin users from terminating the SEP scan

    Posted Nov 02, 2015 02:46 AM

    Table: Advanced user options

    Option: Scan progress
    Description: Specifies what users see on their computers when a scan is running. Select one of the following:
    · Do not show scan progress
    · Show scan progress
    · Show scan progress if risk detected

    Option: Close the scan progress window when done
    Description: Specifies that the scan progress window closes automatically when the scan is finished. This option becomes available when you select Show Scan progress.

    Option: Allow the user to stop the scan
    Description: Allows users to stop scans that start on their computers. This option becomes available when you select Show Scan progress.

    Option: Allow the user to pause or delay a scan
    Description: Allow users to pause or snooze the scans that start on their computers. This option to delay a scan becomes available when you select Show Scan progress.

    Symantec Endpoint Protection Manager - Antivirus and Antispyware - Policies explained 

     

    Disable the options "Allow the user to stop the scan" and "Allow the user to pause or delay a scan".



  • 3.  RE: Restrict Admin users from terminating the SEP scan

    Posted Nov 02, 2015 03:04 AM

    Thanks Praveen!

    I hope you are doing great. I would recheck the options in a testing environment.

    Being specific again with the information, scans running under the Applications tab in Task Manager 'can be ended' by users with local admin privileges.

    We have allowed the users to pause or snooze the scan for a maximum of 3 instances.



  • 4.  RE: Restrict Admin users from terminating the SEP scan

    Posted Nov 02, 2015 06:12 AM

    What version of SEP are you using? And have you enabled Tamper Protection?



  • 5.  RE: Restrict Admin users from terminating the SEP scan

    Posted Nov 02, 2015 06:20 AM

    1). Choosing "Do not show scan progress" itself would make sure that the scan process does not get populated in the Applications tab.

    Following which, users won't be able to "End Task" the scan from Task Manager.

    However, our requirement is to provide the user with the option to snooze or pause the scan.

    2). If we make the configuration for the user to snooze the scan, that would again bring up the scan progress UI to the desktop, and the user would have the option to 'End Task' it.

    Any further suggestions would be greatly appreciated.



  • 6.  RE: Restrict Admin users from terminating the SEP scan

    Posted Nov 02, 2015 06:29 AM

    Do you have tamper protection enabled?

    About Tamper Protection

    Disabling this would allow users to kill SEP services.



  • 7.  RE: Restrict Admin users from terminating the SEP scan

    Posted Nov 02, 2015 08:45 AM

    Brian,

    Tamper Protection is obviously enabled and, as I see it, it seems to be working as expected.

    Are we expecting Tamper Protection to protect the scan populated in here as well:

    [Screenshot: Running_Scan.PNG]

    What I found is that if the scan is visible here, it can be "Ended" using "End Task".

    As discussed earlier with Praveen here, if I hide the scan from the end user, it's just a computer process running in the background, and Tamper Protection restricts users from playing with it.



  • 8.  RE: Restrict Admin users from terminating the SEP scan

    Posted Nov 02, 2015 08:55 AM

    Then if that's truly the case it's a flaw in the design. I don't allow my users to touch the scan so I can't say from experience but can test.



  • 9.  RE: Restrict Admin users from terminating the SEP scan

    Broadcom Employee
    Posted Nov 02, 2015 11:57 AM

    Hi,

    In the screenshot it's showing an Active Scan, not a scheduled scan.

    You can configure whether or not the scan progress dialog box appears on Windows client computers. If you allow the dialog box to appear on client computers, users are always allowed to pause or delay an administrator-defined scan.

    When you allow users to view scan progress, a link appears in the main pages of the client UI to display scan progress for the currently running scan. A link to reschedule the next scheduled scan also appears.

    You can allow the user to perform the following scan actions:

    · Pause: When a user pauses a scan, the Scan Results dialog box remains open and waits for the user to either continue or abort the scan. If the computer is turned off, the paused scan does not continue.

    · Snooze: When a user snoozes a scheduled scan, the user has the option of snoozing the scan for one hour or three hours. The number of snoozes is configurable. When a scan snoozes, the Scan Results dialog box closes; it reappears when the snooze period ends and the scan resumes.

    · Stop: When a user stops a scan, the scan usually stops immediately. If a user stops a scan while the client software scans a compressed file, the scan does not stop immediately. In this case, the scan stops as soon as the compressed file has been scanned. A stopped scan does not restart.

    Please refer to this article:



  • 10.  RE: Restrict Admin users from terminating the SEP scan

    Posted Nov 05, 2015 07:26 AM

    The Active Scan was just for reference. I was trying to convey that the scan gets populated under the Applications tab, and that's where the user gets the privilege to End Task it. The issue is with the scheduled full scans.

    I can hide the scan (or configure it to come up only once there is a detection) to nullify the risk, but the idea of keeping the end users informed would not get a satisfying answer.

    Things seem not to be working out. I might use a GPO policy, but I was so sure that SEPM would have a fix internally. I tried a few configurations to figure out the solution, and GPO policy has its own set of limitations.