A self-managed ("unmanaged") Symantec Endpoint Protection (SEP) 12.1 client is running a scan at the same time every day, even when there are no scans listed under "Scan For Threats".
The default scheduled scans have been deleted from the SEP client, but there are still entries for these scans in the Windows registry. These leftover registry entries cause the scans to run.
There are several possible solutions.
Solution 1: A Fresh Install
Uninstalling and reinstalling the SEP client will almost always solve the issue.
In some instances, uninstalling and reinstalling the SEP client will not solve the issue: the scheduled scan entries can remain in the registry, and the scans continue to run.
These registry entries will need to be removed manually.
Solution 2: Removing Scheduled Scans Manually From The Registry
- First, disable Tamper Protection on the SEP client.
- Open the SEP client.
- Click "Change Settings".
- Client Management > Configure Settings.
- Tamper Protection > Untick “Protect Symantec security software from being tampered with or shut down”.
- Next, as a best practice, back up the registry before continuing: support.microsoft.com/kb/256986
- Locate scheduled scans in the registry.
- Open the Registry Editor: Start > Run > regedit
All the scheduled scans are stored in:
HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Scheduler\S-1-5-21-XXXXXXXXX\Custom Tasks
Or for 64-bit machines:
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Scheduler\S-1-5-21-XXXXXXXXXX\Custom Tasks
In the screenshot below, there are 3 scheduled scans highlighted (each one of the highlighted folders is a scheduled scan).
- Identify Default Scans And Customer Created Scans.
To find the scans that were purposely scheduled, if any, first get the "Scan Name".
- Open the SEP client.
- Click "Scan For Threats".
- Note the "Scan Name" of any custom created scans.
- To find the particular scan in the registry, click each of the highlighted scan folders and check the "Scan Name", which is stored in the registry value StatusDialogTitle.
This should match the "Scan Name" in the SEP client.
The other two folders are the default scans which were deleted from the client but didn't get deleted from the registry; these entries can now be deleted manually.
All the unscheduled scans are now removed and the scans that remain have been scheduled by the users.
- Once these registry entries have been removed, open the SEP client and enable "Tamper Protection" again.
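The identification step above can be done as a read-only report before anything is deleted. The following PowerShell is an added example, not Symantec's own tooling: it reads StatusDialogTitle from every scan key under both registry paths given above and marks the entries whose name was not noted from the SEP client. The function name Get-SepScheduledScan and the sample scan name are assumptions made for illustration.

```powershell
# Added example: read-only audit of SEP scheduled-scan registry entries.
# Nothing is modified or deleted. Run from an elevated PowerShell prompt.
# $KnownScanNames is an assumption: fill it with the "Scan Name" values
# noted under "Scan For Threats" in the SEP client.
param(
    [string[]]$KnownScanNames = @('Weekly Full Scan')   # constructed sample value
)

# The two Scheduler locations listed in this article (native and Wow6432Node).
$schedulerRoots = @(
    'HKLM:\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Scheduler',
    'HKLM:\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Scheduler'
)

function Get-SepScheduledScan {   # hypothetical helper name
    param([string[]]$Roots, [string[]]$Known)

    foreach ($root in $Roots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }

        # One subkey per SID (S-1-5-21-...) sits directly under Scheduler.
        foreach ($sidKey in Get-ChildItem -LiteralPath $root -ErrorAction SilentlyContinue) {
            $tasks = "$root\$($sidKey.PSChildName)\Custom Tasks"
            if (-not (Test-Path -LiteralPath $tasks)) { continue }

            # Each subkey of "Custom Tasks" is one scheduled scan.
            foreach ($scanKey in Get-ChildItem -LiteralPath $tasks) {
                $title = $scanKey.GetValue('StatusDialogTitle')   # $null if the value is absent
                [pscustomobject]@{
                    ScanName    = $title
                    # -contains is case-insensitive; $false marks a candidate leftover entry.
                    InClient    = ($null -ne $title) -and ($Known -contains $title)
                    Sid         = $sidKey.PSChildName
                    RegistryKey = $scanKey.Name
                }
            }
        }
    }
}

Get-SepScheduledScan -Roots $schedulerRoots -Known $KnownScanNames |
    Sort-Object InClient, ScanName |
    Format-List
```

Entries reported with InClient set to False are the ones to compare against the client by hand before removing them in regedit.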