Endpoint Protection 12.1.5 and newer "Scheduled Scan" does not suspend scans on time when using "Best Application Performance" scan tuning option

Article ID: 162497

Products

Endpoint Protection

Issue/Introduction

After upgrading to Symantec Endpoint Protection 12.1.5 or newer, "Scheduled Scans" do not honor the scan duration policy setting "Scan for up to: x hours" when configured with the "Best Application Performance" scan tuning option. The scheduled scan starts on time. While the scheduled scan runs, Endpoint Protection detects a non-idle system and throttles or sleeps the scan based on the tuning option configured in the Advanced Scanning Options of the Scheduled Scans policy. Eventually the scan suspends.

For example, with the scan duration set to "Scan for up to: 3 hours" on a system that has constant application, disk, or user activity, the scan detects this activity and throttles or sleeps. If the computer is busy, the scan is delayed for 3 seconds (3000 ms). Endpoint Protection continues to check whether the computer is busy every 3 seconds. If the computer remains busy, the scan can be delayed for up to 8 hours. Eventually, the scan reaches the maximum sleep interval of 8 hours and runs as "Best Scan Performance" until it completes the scan. However, at this 8-hour mark, Endpoint Protection determines that it is past the maximum scan duration of 3 hours and properly suspends the scan. This is not the expected behavior: the scan should have suspended 3 hours into the scan, before the 8-hour mark.

SEP AV Logs
10/12/2015 10:00:02 AM    Scan Started        Scheduled scan    administrator    Log    Scan started on all drives and all extensions.
10/12/2015 6:02:59 PM      Scan Suspended    Scheduled scan    administrator    Log    Scan Suspended:  Risks: 0   Scanned: 462

VPDebug Log
09:49:55.836599[_3516][_6012]|GRC: Read: ScanDuration=D3600
09:49:55.836942[_3516][_6012]|GRC: Read: @Name=SDaily Full Scan
10:00:02.421680[_3516][_3844]|Scan started at Mon Oct 12 10:00:02 2015
10:01:02.659742[_3516][_3844]|ScanThrottling: IO throttling the scan for 3000 ms. Disk latency = 0.0631s
10:01:05.665758[_3516][_3844]|ScanThrottling: Resuming the scan (Disk latency = 0.0000s)
10:04:12.906397[_3516][_2884]|ScanThrottling: User transitioned from idle to not-idle
10:04:13.448802[_3516][_3844]|ScanThrottling: User is not Idle. Sleeping 3000 ms for the Best Application Performance scan.
.
.
.
18:00:33.298584[_3516][_4304]|CUserTimeWaitableEventHandler: signaling event handle 0x00001910 (ScanUnthrottleReached)
18:00:34.294882[_3516][_3844]|ScanThrottling: Past unthrottling threshold. Continue to scan.
18:02:59.219934[_3516][_3844]|CResumableScanSink::CalculateSuspendTime(): MinOfDay = 600, DayOfWeek = 0, DayOfMonth = 0, Duration = 3600, Suspend at Mon Oct 12 11:00:00 2015
18:02:59.606042[_3516][_3844]|Suspended scan on the directory: \\?\C:\
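
The following triage script is an added example, not Symantec's code. It reads a VPDebug log and compares the suspend time reported by CalculateSuspendTime() with the time the scan was actually suspended, which is the symptom shown in the excerpt above. The function name check_suspend_overrun and the 5-minute tolerance are assumptions, the sample lines are copied from the excerpt, and the script assumes the suspend happens within 24 hours of the scan start.

```python
import re
from datetime import datetime, timedelta

# Lines copied from the VPDebug excerpt in this article (the elided middle is omitted).
SAMPLE = r"""
10:00:02.421680[_3516][_3844]|Scan started at Mon Oct 12 10:00:02 2015
10:04:13.448802[_3516][_3844]|ScanThrottling: User is not Idle. Sleeping 3000 ms for the Best Application Performance scan.
18:00:34.294882[_3516][_3844]|ScanThrottling: Past unthrottling threshold. Continue to scan.
18:02:59.219934[_3516][_3844]|CResumableScanSink::CalculateSuspendTime(): MinOfDay = 600, DayOfWeek = 0, DayOfMonth = 0, Duration = 3600, Suspend at Mon Oct 12 11:00:00 2015
18:02:59.606042[_3516][_3844]|Suspended scan on the directory: \\?\C:\
"""

LINE = re.compile(r"^(\d\d:\d\d:\d\d)\.\d+\[_\d+\]\[_\d+\]\|(.*)$")
CTIME = "%a %b %d %H:%M:%S %Y"  # e.g. "Mon Oct 12 10:00:02 2015"

def check_suspend_overrun(text, tolerance=timedelta(minutes=5)):
    """Return timing details for one scan, or None if the log is incomplete."""
    started = planned = actual = None
    unthrottled = False
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # skip blank lines and the "." elision markers
        tod, msg = m.groups()
        if msg.startswith("Scan started at "):
            started = datetime.strptime(msg[len("Scan started at "):], CTIME)
        elif "CalculateSuspendTime()" in msg and "Suspend at " in msg:
            planned = datetime.strptime(msg.split("Suspend at ", 1)[1], CTIME)
        elif "Past unthrottling threshold" in msg:
            unthrottled = True
        elif msg.startswith("Suspended scan on the directory") and started:
            # The line prefix carries only a time of day; take the date from the start line.
            actual = datetime.combine(started.date(),
                                      datetime.strptime(tod, "%H:%M:%S").time())
            if actual < started:
                actual += timedelta(days=1)  # suspend happened after midnight
    if not (started and planned and actual):
        return None
    overrun = actual - planned
    return {"started": started, "planned_suspend": planned,
            "actual_suspend": actual, "overrun": overrun,
            "hit_unthrottle": unthrottled, "affected": overrun > tolerance}

if __name__ == "__main__":
    print(check_suspend_overrun(SAMPLE))
```
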

Resolution

This issue is fixed in Symantec Endpoint Protection 12.1.6.4 (RU6 MP4).  For information on how to obtain the latest build of Symantec Endpoint Protection, read TECH 103088: Obtaining an upgrade or update for Symantec Endpoint Protection or Symantec Network Access Control.