Differences in Differential and Incremental scans in DLP


Article ID: 160064


Updated On:

Products

Data Loss Prevention Network Discover
Data Loss Prevention Endpoint Discover
Data Loss Prevention

Issue/Introduction

What is the difference between a Differential Scan and an Incremental Scan, and which DLP components support each?

Resolution

Symantec DLP can run two primary types of partial scan for Network Discover and Endpoint Discover. These scans let you optimize scan performance by scanning only new or modified items.

1. Incremental Scan - Incremental scans are supported by a standard File System scan, as well as a SharePoint scan. An incremental scan keeps track of the items that have been scanned. Thus, if the scan is interrupted for any reason, it picks back up where it left off. If files, shares, or other items are missed because they are inaccessible, the next incremental scan automatically covers the missed items. Subsequent scans will scan all items that have not previously been scanned, including new or modified items. The key difference from a differential scan is that an incremental scan does NOT require a completed full base scan before it can work.

2. Differential Scan - Differential scans are supported by Lotus Notes scanning, Exchange scanning, and an Endpoint Discover scan. A differential scan REQUIRES a complete full scan to use as a base scan. This full scan records a time stamp for every file scanned. All subsequent differential scans will scan all items that have been added or modified since the time stamp of the most recent completed full (base) scan. The next full scan moves the baseline used by differential scans to its time stamp. No differential scan can be done if no full scan has previously been completed.

In the case of an Endpoint Discover differential scan, if a particular endpoint fails to complete its first full (base) scan for some reason (including being shut down in the middle of the scan), the next scan that endpoint does will be another full scan. It will not be able to do a differential scan until a full scan is completed.
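
The following added example is a conceptual Python model of the two selection rules described above; it is not Symantec DLP code. The class names, item names and time values are constructed, the per-file time stamps are simplified to one base time, and the fallback to a full scan follows the Endpoint Discover behaviour described above. It shows that a differential scan keeps re-selecting an item changed since the base scan until a new full scan completes, while an incremental scan selects it only once.

```python
# Conceptual model only (not product code); all names and values are constructed.
class IncrementalScanner:
    """Remembers each item it has scanned; needs no completed base scan."""
    def __init__(self):
        self.index = {}  # path -> mtime recorded when the item was scanned

    def scan(self, items, inaccessible=frozenset(), stop_after=None):
        scanned = []
        for path in sorted(items):
            if stop_after is not None and len(scanned) == stop_after:
                break  # interrupted: the index keeps what was already covered
            if path in inaccessible or self.index.get(path) == items[path]:
                continue  # unreachable now, or already scanned and unchanged
            self.index[path] = items[path]
            scanned.append(path)
        return scanned

class DifferentialScanner:
    """Selects items changed since the last *completed* full (base) scan."""
    def __init__(self):
        self.base_time = None  # simplification: one time stamp per base scan

    def full_scan(self, items, now, completed=True):
        if completed:
            self.base_time = now  # only a completed full scan moves the baseline
        return sorted(items)

    def scan(self, items, now):
        if self.base_time is None:  # no completed base: run a full scan instead
            return "full", self.full_scan(items, now)
        changed = sorted(p for p, m in items.items() if m > self.base_time)
        return "differential", changed

def demo():
    items = {"a.doc": 1, "b.xls": 1, "c.pdf": 1}  # constructed: path -> mtime
    inc = IncrementalScanner()
    r1 = inc.scan(items, stop_after=1)            # interrupted after one item
    r2 = inc.scan(items, inaccessible={"b.xls"})  # resumes; b.xls unreachable
    items["a.doc"] = 2                            # a.doc modified
    r3 = inc.scan(items)                          # modified + missed items
    diff = DifferentialScanner()
    diff.full_scan(items, now=5, completed=False)  # base scan did not finish
    d1 = diff.scan(items, now=10)                  # so this one is full again
    items["a.doc"] = 12
    d2 = diff.scan(items, now=15)
    items["c.pdf"] = 17
    d3 = diff.scan(items, now=20)                  # a.doc is selected again
    return r1, r2, r3, d1, d2, d3
```
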