How to disable deferred scanning feature in Auto-Protect.


Article ID: 161080


Updated On:

Products

Endpoint Protection

Issue/Introduction

Some applications or file shares are not able to function normally after Symantec Endpoint Protection is installed with the AV/AS feature, and the issue is resolved if File System Auto-Protect (AP) is disabled. In some conditions or situations you may need to disable the "deferred scanning" feature in Auto-Protect, either to work around a known issue, to test a specific condition, or to alter the timing of file scans by Auto-Protect.

 

Cause

Disabling this feature can serve as a workaround or as an isolation test in a variety of conditions where the issue is resolved, or does not reproduce, when Auto-Protect is disabled. Examples include, but are not limited to:

  • A timing issue can occur in some situations due to a race condition between an application and File System Auto-Protect
  • An encryption driver doesn't support decrypting the file when it is opened with READ_ATTRIBUTES access
  • File share performance degradation or a hang is experienced when an OPLOCK is necessary
  • Errors during compiling that reference "Access is Denied", resulting in build failures

Resolution

Auto-Protect (AP) optimizes its scans based on I/O and CPU overhead. The AP Deferred Scan feature is used when high disk I/O is happening on a system (for example, the copying of large files) or when a file is rescanned after a definition update. While a large number of files is being copied, AP places the files that are not being accessed for an immediate READ/EXECUTE action in a queue. A scan thread picks files from the queue and scans them as early as possible. If any process tries to read or execute a file that is already in the queue, that file is scanned immediately for security reasons.

By default the Deferred Scan feature is enabled, and it delays the scan. To disable the Deferred Scan feature:

  1. Disable Tamper Protection.
  2. Create registry key to disable this option.
  3. Click Start > Run
  4. Type in: regedit and click OK
  5. Navigate to:
    "HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Storages\Filesystem\RealTimeScan" (32-bit operating system) or
    "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Storages\Filesystem\RealTimeScan" (64-bit operating system)
  6. Click Edit > New > DWORD Value
  7. Name the new value: DeferredScanning
  8. Open DeferredScanning
  9. In the Value data field add “0” (1 = on, 0 = off)
  10. Click OK
  11. Close the Registry Editor window.
  12. Enable Tamper Protection again.
  13. Reboot the machine.
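
The registry steps (2 through 11) can also be scripted. The PowerShell below is an added example, not code from the original article or from Symantec. It assumes an elevated session and that Tamper Protection has already been disabled as in step 1; the `Value` parameter and the output field names are illustrative.

```powershell
#Requires -RunAsAdministrator
# Added example: sets the DeferredScanning DWORD described in the steps above.
# Assumptions: Tamper Protection is already disabled (step 1); it must be
# re-enabled (step 12) and the machine rebooted (step 13) afterwards.
param(
    [ValidateSet(0, 1)]
    [int]$Value = 0   # 1 = on, 0 = off, as stated in the article
)

$sub = 'Symantec\Symantec Endpoint Protection\AV\Storages\Filesystem\RealTimeScan'

# Pick the path the article gives for the OS bitness.
$key = if ([Environment]::Is64BitOperatingSystem) {
    "HKLM:\SOFTWARE\Wow6432Node\$sub"
} else {
    "HKLM:\SOFTWARE\$sub"
}

# The article navigates to an existing key; if it is missing, stop rather
# than create a key the product will never read.
if (-not (Test-Path -LiteralPath $key)) {
    throw "Key not found: $key. Check that Symantec Endpoint Protection is installed."
}

# Record the previous state so the change can be reverted after testing.
$before = (Get-ItemProperty -LiteralPath $key -Name DeferredScanning `
           -ErrorAction SilentlyContinue).DeferredScanning

try {
    # -Force overwrites the value if it already exists.
    New-ItemProperty -LiteralPath $key -Name DeferredScanning `
        -PropertyType DWord -Value $Value -Force -ErrorAction Stop | Out-Null
} catch {
    throw ("Could not write DeferredScanning: $($_.Exception.Message) " +
           "Confirm that Tamper Protection is disabled (step 1).")
}

# Read the value back to confirm the write took effect.
$after = (Get-ItemProperty -LiteralPath $key -Name DeferredScanning).DeferredScanning

[pscustomobject]@{
    Key            = $key
    Before         = if ($null -eq $before) { '(not set)' } else { $before }
    After          = $after
    RebootRequired = $true
}
```

Keep the reported `Before` value with the change record so the setting can be restored once the isolation test is finished.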