
Endpoint Protection for Mac may not accurately report scheduled scans to the Manager


Article ID: 164168


Products

Endpoint Protection

Issue/Introduction

SEP (Symantec Endpoint Protection) for Mac may not accurately report scheduled scans to the SEPM (SEP Manager). The following results may be seen in SEPM reporting or logging:

  • Several "started" events, but duration and risk detection counts are all zero
  • One or more "started" events but no corresponding "completed"
  • "Canceled" for unknown reasons (the scan was not canceled as far as the user or administrator knows)

Cause

These symptoms may be partially due to the "Enable idle-time scan" setting in the Mac scan policy configuration. Idle-time scans pause whenever the system becomes active and resume once the system goes idle again. Every time the scan starts or resumes, a "scan started" event is erroneously logged. This is fixed in SEP 14 MP1 for Mac.

If the SEP SymDaemon process stops gracefully (e.g. as part of a normal OS restart or shutdown), a running scan should be reported at the SEPM as "canceled". If SymDaemon crashes or is force-stopped, the scan status will report "success" in the client GUI and remain "started" in the SEPM logs with no updated statistics (zero duration, risks, detections, etc.).

Be aware also that disabling "Allow scan cancel" (in the Mac scanning common settings at the SEPM) only disables the pop-up that allows end users to cancel a scan that is about to begin; once a scan starts, end users can always open scheduled scans in the SEP client GUI and pause or stop a running scan.

Resolution

Upgrade to SEP 14 MP1 for Mac to address the symptom of idle-time scanning logging multiple "start" events at the SEPM with empty statistics.

With SEP 14 MP1 for Mac in place, a "scan started" event logged at the SEPM with no "completed" status after a sufficient period of time is a likely indicator that the SEP process has crashed during the scan and should be investigated as a separate technical support case.
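The triage rule above can be automated against exported scan events. The following is an added example, not Symantec code: the event tuple layout, the sample rows, the status labels and the six-hour `max_runtime` threshold are all assumptions chosen for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample events: (host, scan name, event, ISO timestamp).
# This tuple layout is an assumption, not the SEPM log export format.
SAMPLE_EVENTS = [
    ("mac-01", "nightly", "started",   "2017-03-01T02:00:00"),
    ("mac-01", "nightly", "started",   "2017-03-01T02:20:00"),  # idle-time resume
    ("mac-01", "nightly", "completed", "2017-03-01T03:05:00"),
    ("mac-02", "nightly", "started",   "2017-03-01T02:00:00"),  # never finishes
    ("mac-03", "nightly", "started",   "2017-03-01T02:00:00"),
    ("mac-03", "nightly", "canceled",  "2017-03-01T02:10:00"),
    ("mac-04", "nightly", "started",   "2017-03-01T09:30:00"),  # still in progress
]

def classify_scans(events, now, max_runtime=timedelta(hours=6)):
    """Map (host, scan) to a status; max_runtime is a site-chosen threshold."""
    open_since = {}     # (host, scan) -> time of the first unmatched "started"
    extra_starts = {}   # (host, scan) -> repeated "started" events seen while open
    status = {}
    for host, scan, event, ts in sorted(events, key=lambda e: e[3]):
        key, when = (host, scan), datetime.fromisoformat(ts)
        if event == "started":
            if key in open_since:
                extra_starts[key] = extra_starts.get(key, 0) + 1
            else:
                open_since[key] = when
        elif event in ("completed", "canceled"):
            open_since.pop(key, None)
            repeats = extra_starts.pop(key, 0)
            if event == "canceled":
                status[key] = "canceled"            # graceful stop or user action
            elif repeats:
                status[key] = "duplicate-starts"    # idle-time symptom before 14 MP1
            else:
                status[key] = "completed"
    for key, since in open_since.items():
        # No terminal event: only suspicious once the threshold has passed.
        status[key] = "stale-started" if now - since > max_runtime else "running"
    return status

if __name__ == "__main__":
    now = datetime(2017, 3, 1, 10)
    for key, label in sorted(classify_scans(SAMPLE_EVENTS, now).items()):
        print(key, label)
```

Hosts labelled `stale-started` are the ones to check for a SymDaemon crash or force-stop; `duplicate-starts` on a client older than SEP 14 MP1 matches the idle-time logging symptom.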