Endpoint Protection


Users are able to circumvent the administrator-defined (weekly) scans

  • 1.  Users are able to circumvent the administrator-defined (weekly) scans

    Posted Dec 02, 2009 02:36 AM
    We have configured a policy on our SEP management server to enforce a weekly scan (Administrator-defined scan) of all our clients.  We have disabled the user’s ability to stop the scan, but have allowed them to pause and snooze the scan for a predetermined time.  However, users are able to circumvent the weekly scans by either rebooting their computers or logging off as the scan starts.

    The scan aborts and the SEP management just records the last scan date as when the scan started. Hence, on the SEP management console it appears that the weekly scan has been run.

    This is a major compliance issue and basically defeats the purpose of the administrator-defined scan.  We have contacted Symantec support and they have indicated there is no way to resume a scan if it’s aborted in this way and if we wanted this feature, we should submit an enhancement request.

    Is it possible to implement an enhancement to resume the weekly (Administrator-defined) scans after a reboot or when a user logs back in?  Is it also possible for the SEP management console to indicate the status of a scan and maybe provide some additional information, i.e. the status of the scan (e.g. running, aborted, paused, snoozed, completed, etc.), what time the scan started, when it was paused, snoozed, etc.?  This additional information should be easily viewable (summarized and/or in detail form) via the SEP management console and it should also be possible to generate reports/export the details.


  • 2.  RE: Users are able to circumvent the administrator-defined (weekly) scans

    Posted Dec 02, 2009 02:51 AM
    I think the best way to solve this issue is to remove the option for showing the scan progress to the user. For this:
    1 On the Antivirus and Antispyware Policy page, click Administrator-defined Scans.
    2 On the Advanced tab, under Scan Progress Options, click Do not show scan progress or Show scan progress if risk detected.


  • 3.  RE: Users are able to circumvent the administrator-defined (weekly) scans

    Posted Dec 02, 2009 02:58 AM
    Log in to SEPM
    Go to Monitors > Logs
    Select log type as Scan and create report
    It will give information on scans completed, canceled, etc.


  • 4.  RE: Users are able to circumvent the administrator-defined (weekly) scans

    Posted Dec 07, 2009 09:34 AM

    Hiding the scan is not very practical.  We have allowed users to pause and snooze the scan just in case they need to perform demos or business-critical tasks.

    It's also too late to do this as most users know when the weekly scans are run, hence they still know how to circumvent it.

    PS - If a user's computer runs slow all of a sudden, most users' reaction is to reboot anyway!!



  • 5.  RE: Users are able to circumvent the administrator-defined (weekly) scans

    Posted Dec 07, 2009 09:45 AM
    Thanks for the info.  However, there is not enough information for us to easily identify and group all the offenders.  We have users/offices all over the world.  The report listed over 340 computers that cancelled the scan for the last week.

    Basically, the users should not be able to circumvent the weekly scans.  The scan should continue after the computer reboots or logs back in.


  • 6.  RE: Users are able to circumvent the administrator-defined (weekly) scans

    Posted Feb 16, 2010 12:22 PM
    So, how do you stop this? We have the scan policy set so users can only pause and snooze scans because this is necessary, but they are finding ways to completely cancel scans. Maybe they are just going to the Task Manager and killing the process. Is there some way to prevent this, have the scan restart itself automatically if stopped or at least get an email alert whenever a scan is canceled?


  • 7.  RE: Users are able to circumvent the administrator-defined (weekly) scans

    Posted Feb 16, 2010 04:14 PM
    As long as you allow users to shut down and/or restart, it seems you will have cancelled/incomplete scans.  Unfortunately SEP is not smart enough to pick up where it left off in the case of a shutdown/restart.  As the years go by, users are getting smarter and smarter about things like this, so they *will* take advantage of it.


  • 8.  RE: Users are able to circumvent the administrator-defined (weekly) scans

    Posted Feb 16, 2010 04:36 PM
    So, then is there some way to get an email alert when a scheduled scan is cancelled or doesn't complete for any reason?


  • 9.  RE: Users are able to circumvent the administrator-defined (weekly) scans

    Posted Feb 16, 2010 04:45 PM
    Not a highly technical suggestion, but one that seems to work for me:
      * Set Admin. Scan to "do not Show scan progress"
      * Schedule scans to occur over the lunch hour.

    If there is a way for users to circumvent a process, they of course will.  This seems to have the least impact on users and best compliance in my neighborhood.


  • 10.  RE: Users are able to circumvent the administrator-defined (weekly) scans

    Posted Feb 16, 2010 05:25 PM
    Scans are scheduled to run overnight, but sometimes they are missed when the computer or laptop is turned off or removed. People take lunches at different times and the scan can take hours to complete, so schedule at "lunch" is not an option. They need to be able to pause or snooze the scan, so "do not show scan process" is not an option. If they cancel the scan instead of pausing or snoozing it, we want to get an email alert so we can take care of that problem right away. Can this be done?


  • 11.  RE: Users are able to circumvent the administrator-defined (weekly) scans

    Posted Feb 16, 2010 05:51 PM
    SEP - Reports
    Type - Scan
    Report - Computers by last Scan time
    Filter - Default

    Advanced
    Status - Cancelled


  • 12.  RE: Users are able to circumvent the administrator-defined (weekly) scans

    Posted Feb 16, 2010 06:52 PM
    I can create that report manually every time I want to check the status, but is there some way to get an automatic instant alert notification like you get for malware infections? I'll set up a weekly scheduled report for now, but I'd like to get an instant alert instead.
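
The thread describes two gaps: the console treats a scan that merely started as the last scan, and the cancelled-scan report does not group the affected computers. The following is an added example, not part of any post in this thread and not Symantec code, that judges compliance on completed scans only and groups the rest by office. It assumes the scan log has been exported to CSV; the column names and sample rows are constructed for illustration and are not SEPM's actual export schema.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample export; column names are assumptions for illustration.
SAMPLE = """computer,group,scan_start,status
PC-LON-01,London,2010-02-15 12:00,Completed
PC-LON-02,London,2010-02-08 12:00,Cancelled
PC-LON-02,London,2010-02-15 12:00,Cancelled
PC-NYC-07,New York,2010-02-15 12:00,Completed
PC-NYC-09,New York,2010-02-01 12:00,Completed
PC-NYC-09,New York,2010-02-15 12:00,Cancelled
PC-SYD-03,Sydney,2010-02-15 12:00,Started
"""

def non_compliant(csv_text, now, max_age_days=7):
    """Return {group: [(computer, reason)]} for every computer that has
    no *completed* scan within the last max_age_days."""
    last_done = {}   # (group, computer) -> start time of newest completed scan
    last_seen = {}   # (group, computer) -> (start time, status) of newest attempt
    for row in csv.DictReader(io.StringIO(csv_text)):
        ts = datetime.strptime(row["scan_start"], "%Y-%m-%d %H:%M")
        key = (row["group"], row["computer"])
        if key not in last_seen or ts >= last_seen[key][0]:
            last_seen[key] = (ts, row["status"])
        if row["status"].lower() == "completed":
            last_done[key] = max(ts, last_done.get(key, ts))

    cutoff = now - timedelta(days=max_age_days)
    report = defaultdict(list)
    for key, (ts, status) in sorted(last_seen.items()):
        done = last_done.get(key)
        # A recent start date alone does not count: only a completed scan does.
        if done is None or done < cutoff:
            completed = f"last completed {done:%Y-%m-%d}" if done else "never completed"
            reason = f"last attempt {status.lower()} {ts:%Y-%m-%d}; {completed}"
            report[key[0]].append((key[1], reason))
    return dict(report)

if __name__ == "__main__":
    result = non_compliant(SAMPLE, datetime(2010, 2, 16, 12, 0))
    for group, machines in result.items():
        print(group)
        for computer, reason in machines:
            print(f"  {computer}: {reason}")
```

Run on a schedule against a fresh export, the per-group output can be mailed to each office's administrator, which approximates the cancelled-scan alert asked for above.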