Symantec scanning workstations?? Not so sure.

We are running Symantec on our server.  I know for a fact that our anti-virus definitions are being updated daily or as needed.  I see that scans are set to run on each workstation from the server side software.  However, it appears that it's only scanning when they log in, and when I view their history on their local desktops it shows a 'defwatch scan.'  I looked up defwatch on and it appears that it's only scanning memory, for spyware and adware.  This scan takes less than 1 minute.

a.  Shouldn't there be a scan run on boot sector at least?  How can I set that on my server side software?  I do not see the option anywhere.
b.  Once a week?
c.  I'd like to view the logs of each to make sure a full scan was run.
d. Do they need to be logged out, programs closed, rebooted or what?

I'm not even sure I'm getting a full scan on my server so I'd like to check that too.


texastwostep >>

You don't mention which version of Symantec A/V you're using, but if it's one of the later versions, the following article describing the QuickScan technology may be of use.  QuickScan scans just the files currently loaded in memory and "common virus and security risk loading points".

The same page also details how to disable this functionality.

texastwostep Author Commented:
Maybe I didn't phrase my question correctly.

What I want to know is:
Should I be scanning for more than just those files currently loaded in memory?
Should I do a full scan once a week?

We are behind a Firewall.  Using version 10.0.


The QuickScan technology (as described via the link in my first post) is designed to avoid having to do a 'full' scan each time.

It could be seen to work as follows perhaps ... as new virus definitions arrive, QuickScan 'knows' the machine is already clean (from the last full / quick scan and the real-time protection) and will therefore just do a 'quick scan' of the relevant Registry/File 'entry points' for the NEW viruses/malware in the latest definitions.  (Bear in mind this is probably an over-simplistic view of what actually happens in real-life!)

However, to answer your second point... definitely 'Yes' - it's good practice to do periodic full scans of all your systems - how often really depends upon the other (boundary) defences you have in place perhaps, how much impact the full scan has on the computer/user and how paranoid you are!  However, a weekly scan is probably a good maximum period between scans.

texastwostep Author Commented:
Thank you.  Any way to view a log on the server or workstation to see if there were any 'things' that stood out?  I am really having a problem with Symantec!

Defwatch scan is also the scan that runs after a virus definitions update.  What happens is after a virus def update defwatch kicks in and scans the quarantine to see if it can repair any of the viruses it caught.  Since most all viruses nowadays are purely viral code they will never be repaired.  I would recommend disabling defwatch scan altogether.

Open the Symantec System Center
Unlock your server group and right click your primary server
Go to all tasks-->Symantec Antivirus-->Quarantine Options
Under the part that says "when new virus definitions arrive"
set it to do nothing

If you would like to view the logs of a server
in the Symantec System Center
right click the server and all tasks-->Symantec Antivirus-->logs and then whichever log you would like to view

If you want to look at the logs of a client individually you have to do a couple of things first

In the Symantec System Center
Click tools-->ssc console options
Go to the client display tab
Check the boxes and click apply
Now you will see all of the clients and be able to right click on them and all tasks-->Symantec Antivirus-->logs same as the server

Give fostejo credit, as the quick scan will show as a defwatch scan as well.

If you check your logs you will also see that there is a defwatch scan corresponding to every single liveupdate definition update.

Hope this helps friend!

If you want to test the virus scan's effectiveness, I would suggest using the EICAR test virus. It is a fake virus used for testing purposes.

Second, most virus scans can't run unless someone is logged in. That means you need to set the scan time for when people will likely be logged on (which might aggravate people because the computer just slowed down), or set it up to process the scan X amount of hours after a missed scan. This would allow you to do a first-thing-in-the-morning scan when people are still getting their second cup of coffee.
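
One way to run the EICAR check suggested above on a single workstation, as an added example that is not part of the original thread. It drops the standard 68-byte EICAR test string into a folder and reports how the real-time (on-access) scanner reacts; the file name, timeout and result labels are assumptions of this sketch.

```python
import os
import tempfile
import time

# Standard 68-byte EICAR test string, built from two halves so that this
# script is not itself flagged by the scanner being tested.
EICAR = r"X5O!P%@AP[4\PZX54(P^)7CC)7}$" + "EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"


def check_realtime_protection(directory=None, wait_seconds=10, poll=0.5):
    """Write the EICAR file and watch what the on-access scanner does.

    Returns one of: 'blocked_on_write', 'removed', 'blocked_on_read',
    'not_detected' (labels chosen for this example).
    """
    directory = directory or tempfile.gettempdir()
    if not os.path.isdir(directory):
        raise NotADirectoryError(directory)
    path = os.path.join(directory, f"eicar_test_{os.getpid()}.com")
    try:
        with open(path, "w", newline="") as handle:
            handle.write(EICAR)
    except OSError:
        return "blocked_on_write"      # scanner refused the write
    deadline = time.monotonic() + wait_seconds
    try:
        while time.monotonic() < deadline:
            if not os.path.exists(path):
                return "removed"       # deleted or quarantined
            try:
                with open(path, "rb") as handle:
                    handle.read()
            except FileNotFoundError:
                return "removed"       # vanished between the two checks
            except OSError:
                return "blocked_on_read"
            time.sleep(poll)
        return "not_detected"          # file survived: investigate this client
    finally:
        try:
            os.remove(path)            # never leave the test file behind
        except OSError:
            pass


if __name__ == "__main__":
    print(check_realtime_protection())
```

A result of 'not_detected' only says the real-time scanner did not react within the wait period; whether a scheduled full scan ran still has to be confirmed from the client logs.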

texastwostep Author Commented:
I see on my server it is only running defwatch several times a day.  Is that sufficient?  thanks.