Check the current scan status directly on an Endpoint Protection client


Article ID: 179001


Updated On:


Endpoint Protection




To check the scan status (running, done, aborted, etc...) of a Symantec Endpoint Protection (SEP) client remotely or with a custom script, there is a registry key that stores a numeric value indicating the scan status.


The registry key name and location is:

HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\GlobalScanStatus

on 64 bit Windows:

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\GlobalScanStatus


The possible values and the respective descriptions of this key are:

1 Scan starting
2 Scan started
3 Scan stopping
4 Scan done

5 Scanning folders // indicates that we're doing a pre-scan count of directories (and files?) that we'll be scanning

6 Scanning boot sector
7 Scanning memory
8 Scanning files

9  Scan Never Run
10 Scan Aborted
11 Scan is queued
12 Scan delayed
16 Scan suspended
17 Scan resumed

13 Scanning for in-memory risks
14 Scanning system loadpoints
15 Scanning for in-memory risks
18 Performing enhanced scan
19 Scanning memory and system loadpoints for risks
20 Scanning for in-memory security risks
21 Scanning for in-memory security risks
22 Scanning memory, loadpoints, and security risks