In some cases, you may want to use a third-party solution to gather information on the scan status of your Windows endpoints. This information is stored in the Windows registry and can be accessed remotely using the appropriate Windows credentials.
All supported Microsoft Windows platforms
To check the scan status (running, done, aborted, etc.) of a Symantec Endpoint Protection (SEP) client remotely or with a custom script, read the registry key that stores a REG_DWORD value indicating the scan status.
The registry key name and location are:
HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\GlobalScanStatus
On 64-bit Windows:
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\GlobalScanStatus
The possible values and the respective descriptions of this key are:
0 UNKNOWN
1 Scan starting
2 Scan started
3 Scan stopping
4 Scan done
5 Scanning folders (indicates that we're doing a pre-scan count of directories (and files?) that we'll be scanning)
6 Scanning boot sector
7 Scanning memory
8 Scanning files
9 Scan Never Run
10 Scan Aborted
11 Scan is queued
12 Scan delayed
16 Scan suspended
17 Scan resumed
13 Scanning for in-memory risks
14 Scanning system loadpoints
15 Scanning for in-memory risks
18 Performing enhanced scan
19 Scanning memory and system loadpoints for risks
20 Scanning for in-memory security risks
21 Scanning for in-memory security risks
22 Scanning memory, loadpoints, and security risks
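The following PowerShell sketch is an added example, not code from Symantec or from this article. It reads the status from one or more endpoints over the remote registry API and translates it with the list above. Assumptions: the function name Get-SepScanStatus and the host names are hypothetical, GlobalScanStatus is taken to be the REG_DWORD value name under the AV key, and the Remote Registry service is running on each target.

```powershell
# Value-to-description map copied from the list in this article.
$SepScanStatus = @{
    0 = 'UNKNOWN'; 1 = 'Scan starting'; 2 = 'Scan started'; 3 = 'Scan stopping'
    4 = 'Scan done'; 5 = 'Scanning folders'; 6 = 'Scanning boot sector'
    7 = 'Scanning memory'; 8 = 'Scanning files'; 9 = 'Scan Never Run'
    10 = 'Scan Aborted'; 11 = 'Scan is queued'; 12 = 'Scan delayed'
    13 = 'Scanning for in-memory risks'; 14 = 'Scanning system loadpoints'
    15 = 'Scanning for in-memory risks'; 16 = 'Scan suspended'; 17 = 'Scan resumed'
    18 = 'Performing enhanced scan'
    19 = 'Scanning memory and system loadpoints for risks'
    20 = 'Scanning for in-memory security risks'
    21 = 'Scanning for in-memory security risks'
    22 = 'Scanning memory, loadpoints, and security risks'
}

function Get-SepScanStatus {   # hypothetical helper name
    param([Parameter(Mandatory)][string[]]$ComputerName)
    # Both locations given in the article; the second applies on 64-bit Windows.
    $avKeys = 'SOFTWARE\Symantec\Symantec Endpoint Protection\AV',
              'SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV'
    foreach ($computer in $ComputerName) {
        $row = [pscustomobject]@{ Computer = $computer; Path = $null; Value = $null; Status = 'Value not found' }
        $hklm = $null
        try {
            # Runs with the caller's Windows credentials against the Remote Registry service.
            $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $computer)
            foreach ($path in $avKeys) {
                $key = $hklm.OpenSubKey($path)            # opened read-only
                if ($null -eq $key) { continue }
                $raw = $key.GetValue('GlobalScanStatus')  # assumption: value name under the AV key
                $key.Close()
                if ($null -eq $raw) { continue }
                $row.Path = "HKLM\$path"
                $row.Value = [int]$raw
                # Flag numbers outside the documented list instead of guessing a meaning.
                $row.Status = if ($SepScanStatus.ContainsKey([int]$raw)) { $SepScanStatus[[int]$raw] } else { 'Undocumented value' }
                break
            }
        } catch {
            $row.Status = "Error: $($_.Exception.Message)"   # unreachable host, access denied, etc.
        } finally {
            if ($hklm) { $hklm.Close() }
        }
        $row
    }
}

# Constructed host names, for illustration only.
Get-SepScanStatus -ComputerName 'WS-EXAMPLE-01', 'WS-EXAMPLE-02' | Format-Table -AutoSize
```

Each row reports which of the two registry locations answered, so a fleet report also shows where a client exposes the value under Wow6432Node.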