Idle-Time Scans and Missed Scans in Symantec Endpoint Protection for Macintosh
search cancel

Idle-Time Scans and Missed Scans in Symantec Endpoint Protection for Macintosh

book

Article ID: 162060

calendar_today

Updated On:

Products

Endpoint Protection

Issue/Introduction

SEP Macintosh scheduled scans may not run when expected.

Cause

Idle-Time and hard-coded scan window for SEP Macintosh may cause scans to run at times other than scheduled.

Resolution

There is no configurable "missed scan" feature in SEP Macintosh clients as there is in Windows clients, but there is a hard-coded 10-minute scan window. When a scheduled scan is missed (i.e. due to machine being shutdown) and the client machine is powered on within 10 minutes after the scheduled time, the scan will start running.

"Enable idle-time scan" may be checked in Macintosh scheduled scan properties. When this is enabled, the scan will run only if all of the following are true:

Starting with version 14.3

  • CPU idleness > 80%
  • Battery Level > 40%
  • HIDIdleTime: no interactions with keyboard / mouse for 1 min to start scan; checking HID idleness every 5 seconds afterwards.
  • DriveStatus (Disk I/O bandwidth) < 8 MB per sec)

Starting with version 14.3 RU2

  • CPU idleness > 80%
  • Battery Level > 40%
  • HIDIdleTime: no interactions with keyboard / mouse for 1 min to start scan; checking HID idleness every 5 seconds afterwards.
  • DriveStatus (Disk I/O bandwidth) < 256MB / sec

Starting with version 14.3 RU5

  • Battery Level > 40%
  • HIDIdleTime: no interactions with keyboard / mouse for 1 min to start scan; checking HID idleness every 5 seconds afterwards.
  • DriveStatus (Disk I/O bandwidth) < 40GB / sec
  • CPU idleness - See below for scan tuning CPU scan start and also idletime scan pause requirements:


14.3 RU5 Scan start CPU idle threshold requirements

  2 Cores 4 Cores
Best Scan >50% >50%
Balanced >50% >75%
Best Application >50% >75%

For systems with greater than 4 cores, use the following equation.

Scan Tuning Cores
Best Scan 4
Balanced 2
Best Application 1

A = The number of cores per the scan tuning setting. See the chart above.  
B = The total number of cores for the system. 

100 - (( A / B) * 100%) = idleness for scan to start

As an example, Best Scan uses 4 cores and a M1 Max has 10 total cores. 

100% - ((4 cores / 10 cores) * 100%) = 60%


14.3 RU5 Scan pause CPU idle threshold requirements

  2 Cores 4 Cores
Best Scan >20% >20%
Balanced >20% >50%
Best Application >20% >50%

For systems with greater than 4 cores, use the following equation. 

N = idleness for scan to start

N - ((A / B) * 100%) = idleness threshold to trigger a scan pause.

For the M1 Max example. 

60% - ((4 cores / 10 cores) * 100%) = 20%


If any of these conditions fail (even while the scan is already running) then the scan will be paused and it will resume only if the conditions are satisfied again. If the scan is paused for more than 30 minutes then it will be canceled.

Additional Information

Reference:
Client scan performance tuning options

Powered by Wolken Software