To check the scan status (running, done, aborted, etc...) of a Symantec Endpoint Protection (SEP) client remotely or with a custom script, there is a registry key that stores a numeric value indicating the scan status.
The registry key name and location is:
HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\GlobalScanStatus
on 64 bit Windows:
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\GlobalScanStatus
The possible values and the respective descriptions of this key are:
0 UNKNOWN 1 Scan starting 2 Scan started 3 Scan stopping 4 Scan done 5 Scanning folders // indicates that we're doing a pre-scan count of directories (and files?) that we'll be scanning 6 Scanning boot sector 7 Scanning memory 8 Scanning files 9 Scan Never Run 10 Scan Aborted 11 Scan is queued 12 Scan delayed 16 Scan suspended 17 Scan resumed 13 Scanning for in-memory risks 14 Scanning system loadpoints 15 Scanning for in-memory risks 18 Performing enhanced scan 19 Scanning memory and system loadpoints for risks 20 Scanning for in-memory security risks 21 Scanning for in-memory security risks 22 Scanning memory, loadpoints, and security risks