Endpoint Protection

 View Only

  • 1.  Unable to scan Entreprise Vault archived files with SEP

    Posted Jun 23, 2014 11:16 AM

    Hi all,

    we have a EV 8.0 archived files in File System and SEP 12.1.4.

    When i try to scan a folder containg archived files i have no scan or  recall from Vault server.

    But if i open that folder and then scan the placeholder  , SEP recalls the file and actually scans it.

    what i need is a way to scan all my files  using a drive letter scan ( incluing all vaulted files) because i need to unsure that all those files are clean.

    Does any one have any idea for this?


    Please help.

     

     



  • 2.  RE: Unable to scan Entreprise Vault archived files with SEP

    Posted Jun 23, 2014 11:19 AM

    Have you tried mapping a share to it and creating a custom scan in SEP to scan that share?



  • 3.  RE: Unable to scan Entreprise Vault archived files with SEP

    Posted Jun 23, 2014 11:27 AM

    Yes.

    i have created a New Scan with:

    • scan all types
    • scan resident portion of offline and sparses files ( Open files using backup semantics)

    In configure setting i have something like:

    • Scan when a file is accessed or modified
    • sacn when a file is backed up

     

    Please note:

    i have SEP in the file system ( the vault server is in a different machine)

     But my biggest problem is understand  why does SEP recall the files when i scan directly but no scan ou recall if a scan the folder.

     

     

     

     



  • 4.  RE: Unable to scan Entreprise Vault archived files with SEP

    Posted Jun 23, 2014 12:24 PM

    Individually scanning the files is similar to manually opening them up and looking at them.  This forces a demigration of the data AFAIK.

    From your description, the "Storage Migration" option of your scan is set to only scan what's stored locally on the machine and not demigrate the files (i.e. don't restore the archived files to their original location before scanning, and only scans what part of the file is left behind).

    I can't find any reference as to whether the "Open files using backup semantics" option is supported by EV8 for scanning without demigration.

    I'd recommend checking out the other "Storage Migration" options if I were you.  Check out SEP's help section for more info, as I think you'll have to decide on priorities shortly (storage use vs security vs speed).



  • 5.  RE: Unable to scan Entreprise Vault archived files with SEP

    Posted Jun 23, 2014 12:28 PM

    By the by, EV8 goes EOSL next year...

    http://www.symantec.com/business/support/index?page=releasedetails&key=50990



  • 6.  RE: Unable to scan Entreprise Vault archived files with SEP

    Posted Jun 23, 2014 12:59 PM

    I have try diferent option in SEP, but got the same result.
    I can't conform with a full folder scan not be able to scan the files.

    I Hope that some one can help p.e. with some change in the regedit or something like that.

    If the scan results opening file-by-file only a "feature" in the SEP wont do the same in a folder scan.

    About the EOSL.. i hope to solve my prob. before that :P

     

     

     



  • 7.  RE: Unable to scan Entreprise Vault archived files with SEP

    Posted Jun 24, 2014 03:28 AM

    I'm still not clear on what you're after tbh.  The options in the "Storage Migration" portion of the scheduled scan appears to cover off all three major options to me:

    1. Skip archived files entirely
    2. Scan archived files by demigrating them
    3. Scan srchived files without demigrating them

    Which one best matches your use case?

    More details on all the various options is available in the SEPM's help (a copy of which is below):

    Table: Storage migration options

    Option

    Description

    Skip offline files

    Specifies that if the offline bit is set, the Symantec Endpoint Protection client skips the file

    A small clock over a file's icon in Windows Explorer indicates that the offline bit is set. Any application can set the offline bit even if the file is not offline.

    Skip offline and sparse files

    Specifies that offline and sparse files are skipped

    Some applications set the file sparse bit to indicate that part of the file is not present on the disk. Some HSM products set this bit and others don't. With a sparse file, a stub of the file remains on the disk, and the majority of the file is moved to offline storage. This setting is the default.

    Skip offline and sparse files with a reparse point

    Specifies that offline and sparse files with a reparse point are skipped

    Some vendors use reparse points. Applications that use reparse points also use an appropriate device driver to manage reparse points in the files. With a reparse point, a portion of the file remains on disk, and the remainder is transparently accessed through the device driver.

    Scan resident portions of offline and sparse files

    Specifies that if the file is sparse, the Symantec Endpoint Protection client scans only the resident portion

    The Symantec Endpoint Protection client identifies resident portions of a file. The nonresident portion remains in secondary storage. Some vendors support this capability.

    Scan all files, forcing demigration (fills drive)

    The Symantec Endpoint Protection client scans the entire file, which forces demigration from secondary storage if necessary. Because the size of the secondary storage is usually greater than the size of the local volume, this setting might fill the local volume. When the local volume is full, further files that are opened for scanning might fail.

    Scan all files without forcing demigration (slow)

    Specifies that all files are scanned, without forcing demigration

    The Symantec Endpoint Protection client copies a file from secondary storage to the local hard drive as a temp file for scanning. The HSM application leaves the original file on the secondary storage.

    This method is slow and not all HSM vendors support it. Because a file is copied from secondary storage to a disk for scanning, resource demand is high. Processor and network performance might further degrade as the Symantec Endpoint Protection client detects infected content when a repair or deletion is returned to secondary storage.

    Scan all files recently touched without forcing demigration

    Specifies that all files that have been touched recently are scanned, without forcing demigration

    This option lets you specify that only the files that have been migrated recently and might still reside on faster secondary storage are scanned. This method can reduce some of the resource demand issues with the Scan all files without forcing demigration option.

    You can the scan the files that reside on faster disks, and skip demigration and scans if the files reside on slow disks. For example, files might be migrated to a remote disk after 30 days of no access. After 60 days of no access, the file is migrated to DVD-ROM or remote SAN storage. This method might still be slow because file access without forced demigration can be a slow operation.

    If you select this option, you must select the type of access and the number of days to define "recently touched."

    Open files using backup semantics

    Specifies that files be opened using backup semantics

    In some cases, using this option may allow the Symantec Endpoint Protection client to scan files without demigration. It may also allow the client to scan the stub, but not the rest of the demigrated file.

    Type of access within the number of days selected

    If you select Scan all files recently touched without forcing demigration, you must set this option. This option specifies the type of access (Accessed, Modified, or Created) and the number of days to define as "recent."


  • 8.  RE: Unable to scan Entreprise Vault archived files with SEP

    Posted Jun 24, 2014 03:54 AM

    how's the scan performance looks like ?

    I'm curious to know about the duration when recalling the File from EV archive.



  • 9.  RE: Unable to scan Entreprise Vault archived files with SEP

    Posted Jun 24, 2014 04:11 AM

    As i said before i have test all this option ( but i think that Scan all files, forcing demigration (fills drive) ) is the only that mach my cenario.

    About scan performance i will get that info asa i get the scan running throw folder scan.

     

     

     

     

     



  • 10.  RE: Unable to scan Entreprise Vault archived files with SEP

    Posted Jun 24, 2014 04:27 AM

    John, I've already posted in your thread...

    Just thought it'd be worth mentioning that EV-FAS has its own tool for demigrating files:

    http://www.symantec.com/docs/HOWTO97254