When running an on-demand scan with Symantec Endpoint Protection (SEP), the scan appears to hang after scanning specific .lnk files (i.e. shortcuts).  After this occurs, some users may also notice that the client cannot update AV definitions on the system until they reboot the system.

After the issue is observed, the VPDebug logs will show behavior such as the following, indicating that outstanding ccEraser instance is preventing definitions from unloading.

14:18:59.649340   CExclusionScanSink::OnNewFile - New File - c:\users\public\desktop\ct summation iblaze client.lnk.
14:19:03.055250    CheckScanForSchedule: checking 49617472-AC11-0112-0011-615A630DB2B0 against Tue Jul 07 14:18:02 2015 -> Tue Jul 07 14:19:02 2015.
14:19:03.055934    CheckScanForSchedule: checking 73F7FE2D-AC11-0125-00DF-D6039FB1B509 against Tue Jul 07 14:18:02 2015 -> Tue Jul 07 14:19:02 2015.
14:19:03.056537    CheckScanForSchedule: checking A3932BCD-AC11-0112-01EA-EBDE645452A2 against Tue Jul 07 14:18:02 2015 -> Tue Jul 07 14:19:02 2015.
14:19:03.056940    RunUserScans:Tue Jul 07 14:19:02 2015
14:19:03.057121    Scheduled Scan Service: Checking for scheduled scans that are due
14:19:03.057302    *** Scheduled Scan Service: Schedule Dump for Tue Jul 07 14:19:02 2015
14:19:03.057483    *** Scheduled Scan Service: Schedule dump complete ***
14:19:03.057724    CAVEngineManager::UnloadDefinitionsIfUnusedForDuration - Unable to unload engine.  Outstanding ccEraser instance exists.

It appears that the outstanding ccEraser instance is unable to end, preventing the scan from competing. The exact cause of this behavior is under investigation.

Symantec is aware of this issue and will update this document when a solution becomes available.  Please subscribe to this article to be notified of any updates.

One potential workaround to the problem is to remove the problematic .lnk file. This is usually the last file scanned according to the VPDebug log, not necessarily what the user sees in the scan UI.