Expected behavior of Symantec Endpoint Protection Active Scans
search cancel

Expected behavior of Symantec Endpoint Protection Active Scans


Article ID: 152066


Updated On:


Endpoint Protection


You would like to know the expected behavior and purpose of the Active Scan feature in Symantec Endpoint Protection (SEP).

Note: Legacy versions of SEP called this a Quick Scan instead of an Active Scan.


The Active Scan in Symantec Endpoint Protection (SEP) provides a way to quickly check a computer for common malware infections without scanning the entire computer. The exact locations checked change over time based on information in the SEP client Virus and Spyware Protection definitions.

 By default Active Scans use the Virus and Spyware Protection engine to check 3 major locations:

  • Memory

    Active Scans check all running processes and their loaded modules (.dll,.ocx, etc).
  • Common infection locations

    Active scans check the current active boot sector, all file system locations that are referenced by common load points in the Windows registry, including HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services, and HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run.
  • Well-known virus and security risk locations

    Active scans check file system and registry locations associated with known malware. The list of locations scanned changes based on information in the client Virus and Spyware Protection definitions.