ALERT: Some images may not load properly within the Knowledge Base Article. If you see a broken image, please right-click and select 'Open image in a new tab'. We apologize for this inconvenience.

Symantec Endpoint Protection: Macintosh "Scan Mounted Disk Details" and Auto-Protect Performance

book

Article ID: 161573

calendar_today

Updated On:

Products

Endpoint Protection

Issue/Introduction

On Macintosh systems, removable volumes such as USB drives, CD/DVDs, etc. are referred to by Symantec Endpoint Protection as "mounted disks". SEP AP (Symantec Endpoint Protection Auto-Protect) includes configurable scan preferences for such volumes.

The behavior of such "mount scans" has changed between SEP versions, and its impact on SEP performance is not always clear.

 

SEP "Mount Scans" may interfere with Mac OS X performance.

Resolution

The following points and considerations may be observed for SEP Macintosh "Mounted Disk" scans.

  1. AP in all SEP versions will always performed a "scan on write" for any file on any volume despite any preferences configured for mounted disks. SEP Macintosh File and Folder exceptions apply to this AP mode for any volume. NOTE: SEP Macintosh AP does not scan network shares.
     
  2. In SEP 12.1 RU3 and older, AP will also perform an immediate full scan of selected volume types as soon as they are mounted. SEP Macintosh File and Folder exceptions do not apply to these full mount scans.
     
  3. In SEP 12.1 RU4 and newer, AP will not perform a full scan of volumes when they are mounted. Instead, in addition to the default AP "scan on write" mode described in 1.) above, AP will also perform a "scan on read" for files on selected removable volume types. This is the only time time that SEP Macintosh AP will perform a "scan on read".  SEP Macintosh File and Folder exceptions do not apply to this scan but do continue to apply to "scan on write".
     
  4. Performance considerations: to improve performance, various removable volume types may be de-selected in SEP AP "Mounted Disk" options, with the assurance that the default AP mode described in #1 above is always active. For example, it shouldn't be necessary to scan a Blu-ray movie as it is playing ("scan on read"). And risks on a removable thumb drive might not be scanned on read but will be prevented from spreading by the "scan on write".

 


Applies To

Mac OS X

Symantec Endpoint Protection 12.1