Expected behavior of Symantec Endpoint Protection Active Scans
Last Updated December 31, 2013
You would like to know the expected behavior and purpose of the Active Scan feature in Symantec Endpoint Protection (SEP).
Note: Legacy versions of SEP called this a Quick Scan instead of an Active Scan.
The Active Scan in Symantec Endpoint Protection (SEP) provides a way to quickly check a computer for common malware infections without scanning the entire computer. The exact locations checked change over time based on information in the SEP client Virus and Spyware Protection definitions.
By default Active Scans use the Virus and Spyware Protection engine to check 3 major locations:
Active Scans check all running processes and their loaded modules (.dll, .ocx, etc.).
Common infection locations
Active Scans check the current active boot sector and all file system locations that are referenced by common load points in the Windows registry, including HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services and HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run.
Well-known virus and security risk locations
Active scans check file system and registry locations associated with known malware. The list of locations scanned changes based on information in the client Virus and Spyware Protection definitions.
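To see which files the two registry load points named above currently reference on a given computer, the following added example (not Symantec code, and only an approximation of the idea rather than SEP's actual scan logic) resolves each Run value and each service ImagePath to a file and hashes it. It assumes Windows PowerShell 4.0 or later; `Get-CommandTarget` is a hypothetical helper written for this example.

```powershell
# Added example (not Symantec code): files referenced by the two load points above.
$loadPoints = @{
    Run      = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    Services = 'HKLM:\SYSTEM\CurrentControlSet\Services'
}

# Hypothetical helper: reduce a command line or ImagePath to the file it launches.
function Get-CommandTarget {
    param([string]$Command)
    $c = [Environment]::ExpandEnvironmentVariables($Command).Trim()
    if ($c -match '^"([^"]+)"') { $c = $Matches[1] }                        # "C:\a b\x.exe" /arg
    elseif ($c -match '^(.+?\.(exe|dll|sys|com|bat|cmd|ocx))(\s|$)') { $c = $Matches[1] }
    else { $c = ($c -split '\s+')[0] }                                      # fallback: first token
    $c = $c -replace '^\\\?\?\\', ''                                        # \??\C:\... prefix
    if ($c -match '^\\SystemRoot\\(.*)$') { $c = Join-Path $env:SystemRoot $Matches[1] }
    elseif ($c -match '^system32\\') { $c = Join-Path $env:SystemRoot $c }  # driver-style relative path
    return $c
}

# Collect the raw command strings from both load points.
$entries = @()
$run = Get-Item -Path $loadPoints.Run
foreach ($name in $run.GetValueNames()) {
    $entries += [pscustomobject]@{ LoadPoint = 'Run'; Name = $name
                                   Command = [string]$run.GetValue($name) }
}
foreach ($svc in Get-ChildItem -Path $loadPoints.Services -ErrorAction SilentlyContinue) {
    $entries += [pscustomobject]@{ LoadPoint = 'Services'; Name = $svc.PSChildName
                                   Command = [string]$svc.GetValue('ImagePath') }
}

# Resolve each entry to a file; entries without a command (no ImagePath) are skipped.
$entries | Where-Object { $_.Command.Trim() } | ForEach-Object {
    $file   = Get-CommandTarget $_.Command
    $exists = Test-Path -LiteralPath $file -PathType Leaf
    $hash   = $null
    if ($exists) {
        $hash = (Get-FileHash -LiteralPath $file -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
    }
    [pscustomobject]@{ LoadPoint = $_.LoadPoint; Name = $_.Name; File = $file
                       Exists = $exists; SHA256 = $hash }
} | Sort-Object File -Unique | Format-Table -AutoSize
```

Entries that show `Exists` as False are either bare names resolved through the search path (for example `rundll32.exe`) or load points whose target file is missing, and both are worth a manual look.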
Imported Document ID: TECH122485