After upgrade to Symantec Endpoint Protection 12.1.5 and newer, "Scheduled Scans" do not honor the scan duration policy setting "Scan for up to: x hours" when configured for "Best Application Performance" scan tuning option. The scheduled scan will start on time. During the scheduled scan run Endpoint Protection detects a non-idle system and throttles or sleeps the scan based on the configured tuning option set in the Advanced Scanning Options of the Scheduled Scans policy. Eventually the scan will suspend.
For example, with a scan duration set for "Scan for up to: 3 hours" on a system that has constant application, disk, or user activity, the scan will detect this activity and throttle or sleep the scan. This means that if a computer is busy, the scan will delay for 3 seconds (3000ms). Endpoint Protection will continue to check if the computer is busy every 3 seconds. If the computer remains busy, the scan can be delayed for up to 8 hours. Eventually, the scan reaches the max sleep interval of 8 hours and runs as "Best Scan Performance" until it completes the scan. However at this 8 hour mark, Endpoint Protection determines that it is past the max scan duration of 3 hours and properly suspends the scan. This is not the expected behavior, the scan should have suspended 3 hours into the scan, before the 8 hour mark.
SEP AV Logs
10/12/2015 10:00:02 AM Scan Started Scheduled scan administrator Log Scan started on all drives and all extensions.
10/12/2015 6:02:59 PM Scan Suspended Scheduled scan administrator Log Scan Suspended: Risks: 0 Scanned: 462
09:49:55.836599[_3516][_6012]|GRC: Read: ScanDuration=D3600
09:49:55.836942[_3516][_6012]|GRC: Read: @Name=SDaily Full Scan
10:00:02.421680[_3516][_3844]|Scan started at Mon Oct 12 10:00:02 2015
10:01:02.659742[_3516][_3844]|ScanThrottling: IO throttling the scan for 3000 ms. Disk latency = 0.0631s
10:01:05.665758[_3516][_3844]|ScanThrottling: Resuming the scan (Disk latency = 0.0000s)
10:04:12.906397[_3516][_2884]|ScanThrottling: User transitioned from idle to not-idle
10:04:13.448802[_3516][_3844]|ScanThrottling: User is not Idle. Sleeping 3000 ms for the Best Application Performance scan.
18:00:33.298584[_3516][_4304]|CUserTimeWaitableEventHandler: signaling event handle 0x00001910 (ScanUnthrottleReached)
18:00:34.294882[_3516][_3844]|ScanThrottling: Past unthrottling threshold. Continue to scan.
18:02:59.219934[_3516][_3844]|CResumableScanSink::CalculateSuspendTime(): MinOfDay = 600, DayOfWeek = 0, DayOfMonth = 0, Duration = 3600, Suspend at Mon Oct 12 11:00:00 2015
18:02:59.606042[_3516][_3844]|Suspended scan on the directory: \\?\C:\
This issue is fixed in Symantec Endpoint Protection 188.8.131.52 (RU6 MP4). For information on how to obtain the latest build of Symantec Endpoint Protection, read TECH 103088: Obtaining an upgrade or update for Symantec Endpoint Protection or Symantec Network Access Control.