Symantec scanning workstations?? Not so sure.

Posted on 2006-03-21
Medium Priority
Last Modified: 2008-01-09
We are running Symantec on our server.  I know for a fact that our anti-virus definitions are being updated daily or as needed.  I see that scans are set to run on each workstation from the server side software.  However, it appears that it's only scanning when they log in, and when I view their history on their local desktops it shows a 'defwatch scan.'  I looked up defwatch on Symantec.com and it appears that it's only scanning memory, for spyware and adware.  This scan takes less than 1 minute.

a.  Shouldn't there be a scan run on boot sector at least?  How can I set that on my server side software?  I do not see the option anywhere.
b.  Once a week?
c.  I'd like to view the logs of each to make sure a full scan was run.
d. Do they need to be logged out, programs closed, rebooted or what?

I'm not even sure I'm getting a full scan on my server so I'd like to check that too.


Question by:texastwostep

Expert Comment

ID: 16251559

You don't mention which version of Symantec A/V you're using but, if it's one of the later versions the following article describing the QuickScan technology may be of use.  QuickScan scans just the files currently loaded in memory and "common virus and security risk loading points"


The same page also details how to disable this functionality.


Author Comment

ID: 16251627
Maybe I didn't phrase my question correctly.

What I want to know is:
Should I be scanning for more than just those files currently loaded in memory?
Should I do a full scan once a week?

We are behind a Firewall.  Using version 10.0.


Expert Comment

ID: 16251946

The QuickScan technology (as described via the link in my first post) is designed to avoid having to do a 'full' scan each time.

It could be seen to work as follows perhaps ... as new virus definitions arrive, QuickScan 'knows' the machine is already clean (from the last full / quick scan and the real-time protection) and will therefore just do a 'quick scan' of the relevant Registry/File 'entry points' for the NEW viruses/malware in the latest definitions.  (Bear in mind this is probably an over-simplistic view of what actually happens in real-life!)

However, to answer your second point... definitely 'Yes' - it's good practice to do periodic full scans of all your systems - how often really depends upon the other (boundary) defences you have in place perhaps, how much impact the full scan has on the computer/user and how paranoid you are!  However, a weekly scan is probably a good maximum period between scans.



Author Comment

ID: 16252294
Thank you.  Any way to view a log on the server or workstation to see if there were any 'things' that stood out?  I am really having a problem with Symantec!

Expert Comment

ID: 16252842
Defwatch scan is also the scan that runs after a virus definitions update.  What happens is after a virus def update defwatch kicks in and scans the quarantine to see if it can repair any of the viruses it caught.  Since most all viruses nowadays are purely viral code they will never be repaired.  I would recommend disabling defwatch scan altogether.

Open the Symantec System Center.
Unlock your server group and right-click your primary server.
Go to All Tasks-->Symantec Antivirus-->Quarantine Options.
Under the part that says "when new virus definitions arrive",
set it to do nothing.

If you would like to view the logs of a server:
In the Symantec System Center,
right-click the server and go to All Tasks-->Symantec Antivirus-->Logs and then whichever log you would like to view.

If you want to look at the logs of a client individually you have to do a couple of things first.

In the Symantec System Center,
click Tools-->SSC Console Options.
Go to the Client Display tab.
Check the boxes and click Apply.
Now you will see all of the clients and be able to right-click on them and go to All Tasks-->Symantec Antivirus-->Logs, same as the server.

Give fostejo credit, as the quick scan will show as a defwatch scan as well.

If you check your logs you will also see that there is a defwatch scan corresponding to every single liveupdate definition update.

Hope this helps friend!

Accepted Solution

soundguymike earned 750 total points
ID: 16254168
If you want to test the virus scan's effectiveness, I would suggest using the EICAR test virus. It is a fake virus used for testing purposes.

Second, most virus scans can't run unless someone is logged in. That means you need to set the scan time when people will likely be logged on (which might aggravate people because the computer just slowed down), or set it up to process the scan X amount of hours after a missed scan. This would allow you to do a first-thing-in-the-morning scan when people are still getting their second cup of coffee.
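
The EICAR check suggested above can be scripted so it is repeatable on each workstation. This is an added example, not part of the original thread: it drops the standard 68-byte EICAR test string into a temporary directory and reports how on-access scanning reacted. The function name, file name and verdict strings are assumptions made for illustration.

```python
import os
import tempfile
import time

# Standard 68-byte EICAR test string, assembled from two halves so this
# script is not itself flagged when it is saved to disk.
EICAR = (r"X5O!P%@AP[4\PZX54(P^)7CC)7}$"
         + "EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*").encode("ascii")


def probe_realtime_protection(directory=None, wait_seconds=10.0, poll=0.5):
    """Drop the EICAR file and report how on-access scanning reacted.

    Returns "blocked_on_write", "removed_or_locked" or "not_detected"
    (hypothetical verdict names chosen for this example).
    """
    directory = directory or tempfile.gettempdir()
    path = os.path.join(directory, "eicar_probe_%d.com" % os.getpid())
    deadline = time.monotonic() + wait_seconds
    try:
        try:
            with open(path, "wb") as fh:
                fh.write(EICAR)
        except OSError:
            return "blocked_on_write"       # scanner denied the write itself
        while True:
            try:
                with open(path, "rb") as fh:
                    intact = fh.read() == EICAR
            except OSError:
                return "removed_or_locked"  # quarantined, deleted or access denied
            if not intact:
                return "removed_or_locked"  # content was cleaned or truncated
            if time.monotonic() >= deadline:
                return "not_detected"
            time.sleep(poll)
    finally:
        # Remove the probe if the scanner left it behind.
        try:
            os.remove(path)
        except OSError:
            pass


if __name__ == "__main__":
    print("real-time protection verdict:", probe_realtime_protection())
```

A "not_detected" verdict means only that on-access scanning did not react within the wait window; the detection, if any, should also appear in the client's logs viewed through the Symantec System Center as described earlier in the thread.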

Author Comment

ID: 16260353
I see on my server it is only running defwatch several times a day.  Is that sufficient?  thanks.


Question has a verified solution.
