
Scheduled scans do not start as set by Policy on some Endpoint Protection clients.


Article ID: 162837


Products

Endpoint Protection

Issue/Introduction

Some Endpoint Protection (SEP) clients report an old last scan date, and scheduled scans do not start as planned in the Virus and Spyware Protection policy.

The GUI shows an old Last Scan date, while the Next Scheduled Scan appears to be planned as per policy.
The registry REG_DWORD below suggests that the last scan started as planned by policy.

KEY: HKLM\software\wow6432node\symantec\symantec endpoint protection\av\localscans\[Generally the first key. A series of letters and numbers that correspond to the ScanGuidID]\schedule
Value REG_DWORD: laststart


Cause

The registry REG_DWORD below shows a date set in the past.

KEY: HKLM\software\wow6432node\symantec\symantec endpoint protection\av\localscans\[Generally the first key. A series of letters and numbers that correspond to the ScanGuidID]\schedule
Value REG_DWORD: nextscanafter

Resolution

  1. Back up the Windows Registry before making any changes.
  2. Disable Tamper Protection as per http://www.symantec.com/docs/TECH192023.
  3. If open, exit the SEP GUI.
  4. On Windows, go to Start > Run and enter the following command without quotes: “smc -stop”.
  5. Open Regedit and modify the registry value below. The value is hexadecimal and should represent the next scan date and time set in the policy. You can copy it from a machine that does not have the issue, or convert it at http://www.epochconverter.com.

    KEY: HKLM\software\wow6432node\symantec\symantec endpoint protection\av\localscans\[Generally the first key. A series of letters and numbers that correspond to the ScanGuidID]\schedule
    Value REG_DWORD: nextscanafter
     
  6. Exit Regedit.
  7. On Windows, go to Start > Run and enter the following command without quotes: “smc -start”.
  8. Wait until the next scheduled scan. It should happen as planned.
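
A read-only check for the condition described under Cause, plus the hexadecimal conversion needed in step 5, as an added PowerShell example (not Symantec's or Broadcom's own tooling). It assumes `laststart` and `nextscanafter` hold Unix epoch seconds, as the article's reference to an epoch converter suggests; the helper function names and the sample date are hypothetical.

```powershell
# Added example: read-only report of SEP scheduled-scan timestamps.
# Assumption: laststart / nextscanafter hold Unix epoch seconds (UTC); the
# article implies an epoch value but does not state the time zone.
$base  = 'HKLM:\software\wow6432node\symantec\symantec endpoint protection\av\localscans'
$epoch = New-Object DateTime 1970, 1, 1, 0, 0, 0, ([DateTimeKind]::Utc)

function ConvertFrom-EpochDword($Raw) {              # hypothetical helper name
    if ($null -eq $Raw) { return $null }             # value not present
    # Registry DWORDs come back as signed Int32; mask to the unsigned value.
    $epoch.AddSeconds(([int64]$Raw) -band 4294967295)
}

function ConvertTo-EpochDwordHex([datetime]$When) {  # hypothetical helper name
    # Hex digits to type into Regedit's DWORD editor (Base: Hexadecimal).
    $secs = [int64][math]::Floor(($When.ToUniversalTime() - $epoch).TotalSeconds)
    '{0:X8}' -f $secs
}

$now = (Get-Date).ToUniversalTime()
Get-ChildItem -Path $base -ErrorAction Stop | ForEach-Object {
    $sched = Join-Path $_.PSPath 'schedule'
    if (-not (Test-Path -LiteralPath $sched)) { return }   # no schedule subkey
    $p    = Get-ItemProperty -LiteralPath $sched
    $next = ConvertFrom-EpochDword $p.nextscanafter
    [pscustomobject]@{
        ScanKey          = $_.PSChildName
        LastStartUtc     = ConvertFrom-EpochDword $p.laststart
        NextScanAfterUtc = $next
        # Cause described in the article: nextscanafter lies in the past.
        Stale            = ($null -ne $next) -and ($next -lt $now)
    }
} | Format-Table -AutoSize

# Hex value for a constructed sample date (interpreted as local time):
ConvertTo-EpochDwordHex (Get-Date '2030-01-07 12:00')
```

The script only reads the registry; changing `nextscanafter` still follows steps 1 to 8 above.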