search cancel

Endpoint Protection deferred scanning may result in delay between file write and risk detection

book

Article ID: 163813

calendar_today

Updated On:

Products

Endpoint Protection

Issue/Introduction

SEP (Symantec Endpoint Protection) "deferred scanning" feature may result in delay between file write and risk detection.

Cause

SEP's antivirus/antispyware includes a "deferred scanning" feature designed to preserve system performance in the case of large disk I/O operations during file WRITE operations for large files or many different files, or in the case of re-scanning a file after definition update. 

Resolution

It is important to keep in mind that these deferred scans do not mean a decrease in security; any READ/EXECUTE operations will still trigger an immediate scan and prevent any potential risks from propagating during the wait for a deferred scan. 

However, in some scenarios a deferred scan may result in a significant delay in detection, for example when a large file or archive with many files is copied to disk without any further operations. Again, there is no need for concern as there will be immediate scans and detections if there is any attempt to manipulate the files further.

There may be situations where deferred scans are suspected of interfering with other file operations and they may be disabled for troubleshooting purposes if necessary. This is not recommended as a permanent change since it may lead to unacceptable performance during the types of operations described above. See How to disable deferred scanning in Auto-Protect for Symantec Endpoint Protection.