You would like to know the expected behavior and purpose of the Active Scan feature in Symantec Endpoint Protection (SEP).

Note: Legacy versions of SEP called this a Quick Scan instead of an Active Scan.

The Active Scan in Symantec Endpoint Protection (SEP) provides a way to quickly check a computer for common malware infections without scanning the entire computer. The exact locations checked change over time based on information in the SEP client Virus and Spyware Protection definitions.

 By default Active Scans use the Virus and Spyware Protection engine to check 3 major locations:

• Memory
  
  Active Scans check all running processes and their loaded modules (.dll,.ocx, etc).
   
• Common infection locations
  
  Active scans check the current active boot sector, all file system locations that are referenced by common load points in the Windows registry, including HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services, and HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run.
   
• Well-known virus and security risk locations
  
  Active scans check file system and registry locations associated with known malware. The list of locations scanned changes based on information in the client Virus and Spyware Protection definitions.