Endpoint Protection

Both discussions are on school environment

 https://www-secure.symantec.com/connect/forums/best-practice-0

https://www-secure.symantec.com/connect/forums/application-and-device-control-question

Also read these

https://www-secure.symantec.com/connect/articles/my-security-story

https://www-secure.symantec.com/connect/articles/what-do-p2p-applications-do-and-how-block-peer-peer-applications-p2p-using-symantec-endpoin

Greetings,

I am not sure I would go by what other schools do J. B. Bryant. With SEP I would recommend at least a weekly scan regardless of the environment you install to. With a school, I would probably bump that to a nightly scan. You can schedule this to run in the early morning hours or after school hours when the machines are typically not in use.

The SEP scans run at a low priority so anything else that runs on the machine will have priority on the CPU over the SEP scan. This should minimize any impact to performance, though I would still scan during off hours as much as you can.

I appreciate the info. I forgot that you can adjust the amount of processing power designated for a scan. Right now on the defult setting, it just brings our clients running anything under a Core 2 Duo to a crawl, almost unuseable. I will make some adjustments to these and mess with it some and find a happy medium. I am thinking a weekly scan might be best. We are unable to do nightly scans because all of the computers have to be turned off at the end of the day ( approx 3-5pm).

You can schedule the scan in the lunch time..
However as even I suggested earlier weekly scan will be more appropriate if daily scan is not possible. 

 Why not do Daily or weekly active scans, and monthly full scans?  

Also tweak on the active scans to only scan the executable files (exe, wsh, msi, etc)
And limit the compressed file scanning depth to just 1 level deep.

This will help augment your current scans without too much user disruption.

I think you've already given it very careful consideration.  Like others have said, it probalby boils down to a few things:

1) How much are the machines left on?
2) Do the machines go to sleep when not in use?
3) How old are your machines?
4) How many files are typically on a computer?

All of these things are going to effect when and how often you'll want to scan.

If it were me, I'd start with weekly fulls and maybe a daily active scan and then do more or less depending upon the complaints or lack thereof.

On a side note, if you have Altiris, you should be able to wake the computers to do a scan...  Then shut them off too..  May want to see if the free SEPIC add-on which lets you manage SEP from Altiris will do it. 

My experience is from a school environment with 300,000+ endpoints

The pros and cons of running scheduled scans really needs to be weighed up in your own environment to really determine the value.
If your machines are turned on 24/7 and you can easily schedule an after hours scan then by all means run it!!

In most environments I find that you cannot guarantee that they will not impact end user's and hence I turn them off and rely on real time protection.

The only real benefit is when a user plugs in a new external USB drive that has never been scanned before.
I wish SEP had a setting that scanned new drives as they were connected although this would create its own issues as it would be slow on large drives.
Regardless of the scheduled scan the files are scanned by real time protection as they hit memory, or are modified or moved/copied from the external drive anyway.

If you have had an AV product installed every file on every machine has been scanned week in and week out.
Where is the value in scanning those same files again and again and again, slowing down end users machines.
It is a constant battle to keep end users happy with the product and the scheduled scan is probably the biggest culprit in creating a poor end user experience.
Although the scan at startup might be even worse :)

I run an active scan when new definitions arrive which checks the memory and common load points and is completed in a few minutes.
As drive indexing is enabled by default in windows, all of the files on a system will eventually be scanned as windows does its indexing whenever the computer is idle.

If you really do want to do scheduled scans then I would recommend choosing to not enable the feature that retry's the scan if its missed.
Eg. if a scheduled scan is missed at 12pm lunchtime on a wednesday and it is missed then it runs at 9am thursday when the end user turns their machine on.
This usually causes huge issues with end users trying to do presentations etc. or get on with their work.

Scheduled scans on servers makes sense as it is very easy to choose a time within a maintenance window after hours where the scan will not impact performance.
You just need to ensure that the scan does not interfere with backups or other maintenance tasks.