Symantec Endpoint Protection client scheduled scans are not deleted when the user is deleted.

book

Article ID: 157521

calendar_today

Updated On:

Products

Endpoint Protection

Issue/Introduction

The Symantec Endpoint Protection (SEP) client continues running scheduled scans for user accounts after the accounts are deleted from the computer.
 

Cause

This happens when a scheduled scan was configured with the Perform this scan even when no users are logged in option selected. This option is enabled by default.

Resolution

This is the expected behavior of scheduled scans on the SEP client. To prevent scheduled scans from running when the user who created them is not logged in to the computer, the scans must be configured with the Perform this scan even when no users are logged in option deselected.

If you wish to delete a user who scheduled scans with this option enabled, you must first delete the scans scheduled by that user.

If a user is deleted without removing the scheduled scans from the SEP client UI, you must manually delete the scheduled scans from the Windows registry. The registry key which holds this information is:

  • (32-bit computers) HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Scheduler\<User SID>
  • (64-bit computers) HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Scheduler\<User SID>

Note: These registry keys are protected by Tamper Protection. Tamper Protection must be disabled to remove these registry keys.