Endpoint discovery scans keep running as full instead of differential
Article ID: 170067
Data Loss Prevention Endpoint Discover
When running an enpoint discover scan the scan will run as the scan type "Full" instead of "Differential" even when the option "" is checked
This is caused when there has not been a completed full scan. Often times this happens when a full scan can not be completed all of the way because some of the clients do not check in before the time out or one of the clients is permenantly offline. In order for a full scan to occur there must be at least one succesful full scan.
There are three solutions to this issue.
1. Ensure that all of the clients are online for the scan and remove any offline agents. This solution is usually only feasable for smaller installs with fewer clients.
2. Upgrade to DLP 15. In DLP 15 there is a targeting option that will allow you to target fewer agents which will allow for a small enough target which can ensure a full scan completes on all of the targeted agents. Once there has been a full scan then all of the other agents can be added to the scan and differential scans will occur as expected from agents that have had a full scan.
3. If removing inactive clients from the console and upgrading to DLP 15 are not options then you can use the following steps to workaround the issue.
Setup a new Endpoint Server
Assign the discover target to only the server from step 1
Run a scan. This scan should complete immediatly since there are no agents assigned to that server.
Edit the discover target and add any / all other endpoint servers.
Under the filter tab, check the box "
Start the scan. Let the scan run long enought that you get at least most of the active agents. If it does not complete it is ok.
Modify the discover target and uncheck "Make next scan a full scan". Then save
All subsequent scans should be differential scans. Note that if new agents come on to the network they will need a full scan before differential data is collected from them.