Check the current scan status of an Endpoint Protection Windows client using remote tools

Article ID: 179001

Updated On:

Products

Endpoint Protection

Issue/Introduction

In some cases, you may want to use a third-party solution to gather information on the scan status of your Windows endpoints. This information is stored in the Windows registry and can be accessed remotely using the appropriate Windows credentials.

Environment

All supported Microsoft Windows platforms

Resolution

To check the scan status (running, done, aborted, etc.) of a Symantec Endpoint Protection (SEP) client remotely or from a custom script, read the REG_DWORD value that the client stores in the registry to record its current scan status.

The registry location and value name are:

HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\GlobalScanStatus

On 64-bit Windows, the value is stored under the Wow6432Node path instead:

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\GlobalScanStatus

The possible values of GlobalScanStatus and their meanings are:

0  UNKNOWN
1  Scan starting
2  Scan started
3  Scan stopping
4  Scan done
5  Scanning folders (a pre-scan count of the directories, and possibly files, that will be scanned)
6  Scanning boot sector
7  Scanning memory
8  Scanning files
9  Scan never run
10 Scan aborted
11 Scan is queued
12 Scan delayed
13 Scanning for in-memory risks
14 Scanning system loadpoints
15 Scanning for in-memory risks
16 Scan suspended
17 Scan resumed
18 Performing enhanced scan
19 Scanning memory and system loadpoints for risks
20 Scanning for in-memory security risks
21 Scanning for in-memory security risks
22 Scanning memory, loadpoints, and security risks
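As an added example (not part of the Broadcom article or any Symantec tool), the following PowerShell script reads GlobalScanStatus from one or more hosts over the Remote Registry service, tries both the native and the Wow6432Node paths, and translates the DWORD using the table above. It assumes the Remote Registry service is running on each target, SMB (TCP 445) is reachable, and the calling account has remote registry read rights on the target; the parameter and variable names are the example's own.

```powershell
# Read the SEP GlobalScanStatus value remotely and decode it (added example, not Broadcom's code).
param(
    [Parameter(Mandatory = $true)]
    [string[]]$ComputerName
)

# Value-to-description mapping, taken from the article's table.
$ScanStatus = @{
    0 = 'UNKNOWN'; 1 = 'Scan starting'; 2 = 'Scan started'; 3 = 'Scan stopping'
    4 = 'Scan done'; 5 = 'Scanning folders'; 6 = 'Scanning boot sector'
    7 = 'Scanning memory'; 8 = 'Scanning files'; 9 = 'Scan never run'
    10 = 'Scan aborted'; 11 = 'Scan is queued'; 12 = 'Scan delayed'
    13 = 'Scanning for in-memory risks'; 14 = 'Scanning system loadpoints'
    15 = 'Scanning for in-memory risks'; 16 = 'Scan suspended'; 17 = 'Scan resumed'
    18 = 'Performing enhanced scan'; 19 = 'Scanning memory and system loadpoints for risks'
    20 = 'Scanning for in-memory security risks'; 21 = 'Scanning for in-memory security risks'
    22 = 'Scanning memory, loadpoints, and security risks'
}

# Native path first, then the Wow6432Node path used on 64-bit Windows.
$SubKeys = @(
    'SOFTWARE\Symantec\Symantec Endpoint Protection\AV',
    'SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV'
)

foreach ($computer in $ComputerName) {
    $result = [pscustomobject]@{ ComputerName = $computer; KeyPath = $null; Value = $null; Status = 'Value not found' }
    try {
        # Opens HKLM on the remote machine via the Remote Registry service with the caller's credentials.
        $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey([Microsoft.Win32.RegistryHive]::LocalMachine, $computer)
        foreach ($sub in $SubKeys) {
            $key = $hklm.OpenSubKey($sub)
            if ($null -eq $key) { continue }
            $raw = $key.GetValue('GlobalScanStatus')
            $key.Close()
            if ($null -ne $raw) {
                $result.KeyPath = "HKLM\$sub"
                $result.Value   = [int]$raw
                # Any value outside the documented table is reported rather than guessed at.
                $result.Status  = if ($ScanStatus.ContainsKey([int]$raw)) { $ScanStatus[[int]$raw] } else { "Undocumented value $raw" }
                break
            }
        }
        $hklm.Close()
    } catch {
        $result.Status = "Error: $($_.Exception.Message)"
    }
    $result
}
```

Run it as `.\Get-SepScanStatus.ps1 -ComputerName host1,host2` (hypothetical file name); each host yields one object, so the output can be piped to Export-Csv or filtered on Value for monitoring.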