Symantec scanning workstations?? Not so sure.

Posted on 2006-03-21
Last Modified: 2008-01-09
We are running Symantec on our server.  I know for a fact that our anti-virus definitions are being updated daily or as needed.  I see that scans are set to run on each workstation from the server-side software.  However, it appears that it's only scanning when they log in, and when I view their history on their local desktops it shows a 'defwatch scan.'  I looked up defwatch on and it appears that it's only scanning memory, for spyware and adware.  This scan takes less than 1 minute.

a.  Shouldn't there be a scan run on the boot sector at least?  How can I set that on my server-side software?  I do not see the option anywhere.
b.  Once a week?
c.  I'd like to view the logs of each to make sure a full scan was run.
d. Do they need to be logged out, programs closed, rebooted or what?

I'm not even sure I'm getting a full scan on my server so I'd like to check that too.


Question by: texastwostep
    LVL 10

    Expert Comment


    You don't mention which version of Symantec A/V you're using, but if it's one of the later versions, the following article describing the QuickScan technology may be of use.  QuickScan scans just the files currently loaded in memory and "common virus and security risk loading points".

    The same page also details how to disable this functionality.


    Author Comment

    Maybe I didn't phrase my question correctly.

    What I want to know is:
    Should I be scanning for more than just those files currently loaded in memory?
    Should I do a full scan once a week?

    We are behind a Firewall.  Using version 10.0.

    LVL 10

    Expert Comment


    The QuickScan technology (as described via the link in my first post) is designed to avoid having to do a 'full' scan each time.

    It could be seen to work as follows perhaps ... as new virus definitions arrive, QuickScan 'knows' the machine is already clean (from the last full / quick scan and the real-time protection) and will therefore just do a 'quick scan' of the relevant Registry/File 'entry points' for the NEW viruses/malware in the latest definitions.  (Bear in mind this is probably an over-simplistic view of what actually happens in real-life!)

    However, to answer your second point... definitely 'Yes' - it's good practice to do periodic full scans of all your systems - how often really depends upon the other (boundary) defences you have in place perhaps, how much impact the full scan has on the computer/user and how paranoid you are!  However, a weekly scan is probably a good maximum period between scans.


    Author Comment

    Thank you.  Any way to view a log on the server or workstation to see if there were any 'things' that stood out?  I am really having a problem with Symantec!
    LVL 4

    Expert Comment

    Defwatch scan is also the scan that runs after a virus definitions update.  What happens is that after a virus def update, defwatch kicks in and scans the quarantine to see if it can repair any of the viruses it caught.  Since most all viruses nowadays are purely viral code, they will never be repaired.  I would recommend disabling defwatch scan altogether.

    Open the Symantec System Center
    unlock your server group and right click your primary server
    go to all tasks-->Symantec Antivirus-->Quarantine Options
    Under the part that says "when new virus definitions arrive"
    set it to do nothing

    If you would like to view the logs of a server
    in the Symantec System Center
    right click the server and all tasks-->Symantec Antivirus-->logs and then whichever log you would like to view

    If you want to look at the logs of a client individually you have to do a couple of things first

    In the Symantec System Center
    click tools-->ssc console options
    go to the client display tab
    check the boxes and click apply
    now you will see all of the clients and be able to right click on them and all tasks-->Symantec Antivirus-->logs same as the server

    Give fostejo credit, as the quick scan will show as a defwatch scan as well.

    If you check your logs you will also see that there is a defwatch scan corresponding to every single liveupdate definition update.

    Hope this helps friend!
    LVL 2

    Accepted Solution

    If you want to test the virus scan's effectiveness, I would suggest using the EICAR test virus.  It is a fake virus used for testing purposes.

    Second, most virus scans can't run unless someone is logged in.  That means you need to set the scan time when people will likely be logged on (which might aggravate people because the computer just slowed down), or set it up to process the scan X amount of hours after a missed scan.  This would allow you to do a first-thing-in-the-morning scan when people are still getting their second cup of coffee.
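
The EICAR check suggested in the answer above, as an added example that is not part of the original thread: this PowerShell script writes the standard EICAR test string to a temporary file on a workstation and reports whether real-time protection blocked or removed it. The file name, wait time and function name are assumptions; the string is assembled from two halves so that the script file itself is not flagged.

```powershell
# Added example (not from the thread): check that on-access protection reacts
# to the harmless EICAR test file. Run on the workstation being checked.

# Standard 68-byte EICAR string, split so this script is not itself detected.
$eicar = 'X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-' + 'STANDARD-ANTIVIRUS-TEST-FILE!$H+H*'
$path  = Join-Path $env:TEMP 'eicar-test.com'   # hypothetical file name

function Test-OnAccessProtection {
    param(
        [string]$Path,
        [string]$Content,
        [int]$WaitSeconds = 10      # assumed grace period for the scanner to act
    )
    # Some products deny the write outright.
    try {
        [System.IO.File]::WriteAllText($Path, $Content, [System.Text.Encoding]::ASCII)
    } catch {
        return 'Blocked on write'
    }

    Start-Sleep -Seconds $WaitSeconds

    # Others let the write finish, then delete or quarantine the file.
    if (-not (Test-Path -LiteralPath $Path)) {
        return 'Removed or quarantined'
    }

    # Others leave the file in place but deny access to it.
    try {
        $null = [System.IO.File]::ReadAllText($Path)
        return 'NOT detected'
    } catch {
        return 'Blocked on read'
    }
}

$result = Test-OnAccessProtection -Path $path -Content $eicar
'{0}: {1}' -f $env:COMPUTERNAME, $result

# Clean up if the file survived, so it does not linger until the next full scan.
if (Test-Path -LiteralPath $path) {
    Remove-Item -LiteralPath $path -Force -ErrorAction SilentlyContinue
}
```

Any result other than `NOT detected` should have a matching entry in that client's logs, viewed through the Symantec System Center as described in the earlier comment.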

    Author Comment

    I see on my server it is only running defwatch several times a day.  Is that sufficient?  thanks.
