About the Symantec Offline Image Scanner tool


Article ID: 153023


Updated On:


Endpoint Protection


You would like more information about and best practices for using the Symantec Offline Image Scanner tool.


Symantec Offline Image Scanner (SOIS) is a stand-alone tool that can be used to scan .vmdk files using Symantec Endpoint Protection (SEP) 12, Symantec Endpoint Protection (SEP) 11, or Symantec AntiVirus (SAV) 10 virus definitions.

The functionality of the current version of the tool:

  • Can be run on Windows to scan FAT32 and NTFS file-systems in the guest operating system
  • Can scans offline VMware images (.vmdk files only)
  • Has no dependency on any other Symantec solutions beyond virus definitions
  • Has command-line options for silent and automated operation
  • Provides detailed logging/reporting capabilities
  • Runs as a portable application and doesn't require a traditional installation

The caveats for the current version of the SOIS tool:

  • Does not support scanning snapshots, suspended images or memory dumps (.vmem files)
  • Does not support nested .vmdk files
  • Only supports scanning FAT32 and NTFS file systems
  • Is an English-only tool, but it can scan VMs with an operating system in any language
  • Runs with the privileges of the currently logged-in user, and can only scan images located in folders that the logged in user has access to; for example, SOIS is unable to scan folders such as "System Volume Information" and "Recycle Bin," which have permissions only for the SYSTEM user
  • Is compatible with virus definitions from SEP 12, 11 and SAV 10 only

Best Practices:

  • SOIS is not a substitute for a regularly updated Symantec Endpoint Protection client; install and configure a Symantec Endpoint Protection client on all virtual machines.
  • Due to limitations of SOIS, the VMWare image must be offline when the scan is run.
  • Ensure SOIS is run with the latest available virus definitions.
  • The scan is read-only and is not capable of remediating any threats detected on the VMWare image.
  • The tool can be run from a command-line or GUI as part of normal virtual machine maintenance, or in case of an outbreak.
  • Include SOIS as a part of regularly scheduled maintenance scripts/routines on offline virtual machines.
  • Isolate any infected offline virtual machines to a protected network segment (or disable networking altogether) before starting the image and performing a full scan with the installed Symantec Endpoint Protection client.

Applies To

VMDK from the following VMware platforms are supported:

  • ESX/ESXi - 3.5 or later
  • VMware workstation - 4.0 or later