After upgrading to Symantec Endpoint Protection (SEP) 12.1 RU6 MP5, which included fix ID 3865630 ("After upgrade to SEP 12.1.5 from 12.1.2, scheduled scans take a very long time"), or higher, some systems continue to be unable to complete a full scan, whether scheduled or otherwise run, necessitating a reboot of the system. Debug logging references the message “User is not Idle.”
User is not Idle.
The problem mainly (but not exclusively) arises when, following a reboot, a user does not log in directly to a system but connects to that system using a Remote Desktop session instead.
At startup, ccJobMgr loads all existing sessions. When logging in via Remote Desktop, besides the Remote Desktop session, there are already two existing sessions: Session 0 and Session 1. On Windows Vista or higher, Session 0 is ignored by ccJobMgr. Session 1 is added into the internal sessions map to monitor and later set to active (non-idle) when ccJobMgr receives a console connection signal. As this session has never logged in and does not have idle montioring available in a user instance of ccJobMgr, it remains in that state. At this point, two sessions are present in ccJobMgrs internal map: Session 1, which is always active and Session 2, which does have idle monitoring available and correctly monitors user activity.
ccJobMgr only assumes the machine is idle when all sessions are idle. As that is never the case for Session 1, there is never any idle time for the scheduled scan.
This issue is fixed in Symantec Endpoint Protection 12.1 RU6 MP8 and 14.0 MP2. For information on how to obtain the latest build of Symantec Endpoint Protection, see Download the latest version of Symantec Endpoint Protection.