You would like to know the expected behavior and purpose of the Active Scan feature in Symantec Endpoint Protection (SEP).
Note: Legacy versions of SEP called this a Quick Scan instead of an Active Scan.
The Active Scan in Symantec Endpoint Protection (SEP) provides a way to quickly check a computer for common malware infections without scanning the entire computer. The exact locations checked change over time based on information in the SEP client Virus and Spyware Protection definitions.
By default Active Scans use the Virus and Spyware Protection engine to check 3 major locations: