
Differences between Symantec Endpoint Protection default settings for Active Quick Scans


Article ID: 162056



Endpoint Protection


What are the differences between the default settings of the "Default Quickscan", "Active Scan Upon Startup", and "Defwatch Quickscan" scans? How do they relate to the options listed in the user interface or scan policy?


When configuring a scan policy in the Symantec Endpoint Protection Manager or through the client user interface (UI), there are 3 options:
  • Memory
  • Common infection locations
  • Well-known virus and security risk locations
These options correspond to the following values in the registry on the Symantec Endpoint Protection client:
  • "ScanProcesses"=dword:00000001    (= "Memory")
  • "ScanLoadpoints"=dword:00000001    (= "Common Infection Locations")
  • "ScanERASERDefs"=dword:00000001  (= "Well-known virus and security risk locations")
These settings for the default built-in scans can be found at the following locations:

32-bit OS: HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\LocalScans
64-bit OS: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\LocalScans
  • "Default QuickScan Options"
  • "Defwatch QuickScan Options"
"ScanERASERDefs"=dword:00000000
  • "Default Startup Quickscan Options"  ("Active Scan Upon Startup")
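
To check which of the three options each built-in scan has set on a given client, the registry values above can be read and mapped back to their UI names. The following PowerShell is an added example, not Symantec's own tooling; it assumes the three names listed above are subkeys of LocalScans and treats a value of 1 as on and 0 as off.

```powershell
# Added example: report the quick-scan options for each built-in scan.
# Assumption: the three scan names are subkeys directly under LocalScans.
$roots = @(
    'HKLM:\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\LocalScans',             # 32-bit OS
    'HKLM:\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\LocalScans'  # 64-bit OS
)
$scans = 'Default QuickScan Options',
         'Defwatch QuickScan Options',
         'Default Startup Quickscan Options'   # "Active Scan Upon Startup"

# Registry value name -> option name shown in the UI / scan policy
$settings = [ordered]@{
    ScanProcesses  = 'Memory'
    ScanLoadpoints = 'Common infection locations'
    ScanERASERDefs = 'Well-known virus and security risk locations'
}

$found = @($roots | Where-Object { Test-Path -LiteralPath $_ })
if ($found.Count -eq 0) {
    throw 'LocalScans key not found under either registry location.'
}

$report = foreach ($root in $found) {
    foreach ($scan in $scans) {
        $key = Join-Path -Path $root -ChildPath $scan
        if (-not (Test-Path -LiteralPath $key)) {
            Write-Warning "Missing key: $key"
            continue
        }
        $props = Get-ItemProperty -LiteralPath $key
        foreach ($name in $settings.Keys) {
            $raw = $props.$name   # $null when the value is absent
            $state = if ($null -eq $raw) { 'not set' }
                     elseif ($raw -eq 1) { 'on' }
                     else                { 'off' }
            [pscustomobject]@{
                Root     = $root
                Scan     = $scan
                Value    = $name
                UiOption = $settings[$name]
                State    = $state
            }
        }
    }
}
$report | Format-Table Scan, Value, UiOption, State -AutoSize
```

Running this across clients makes it easy to spot a scan whose registry values differ from what the scan policy is expected to apply.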