How can I stop an unwanted scan on a Symantec Endpoint Protection (SEP) 12.1 client?
Last Updated May 06, 2013
A client is upgraded from Symantec Endpoint Protection (SEP) 11.0 to 12.1 and there are scans running at seemingly random times. These scans are not in the SEP client interface. If you run the SymRmvScan tool, there is no change.
Here are the steps to stop the unwanted scans.
Open SEP client and delete all the scans in the Scan for Threats section by right clicking on each scan and selecting Delete.
In the Change Settings section of the SEP client, click on the Configure Settings button of Client Management area then on the Tamper Protection tab. Uncheck the top checkbox "Protect Symantec security...". If it is on you will not be able to change the Enabled key in step 4.
Go to Start/Run and enter regedit. When it opens, select Edit/Export then save a backup with a name like Regeditbackup or similar.
In Regedit select Edit/find and in the find dialog box enter MinOfDay. This is a Key that is used by Symantec scans. If the found MinOfDay is in a hive named Liveupdate select Edit/Find, Next (or press F3) to go to the next key.
If the found MinOfDay is in in a hive named LocalScans then you need to find the key Enabled it is a couple keys above MinOfDay. Open this key by double-clicking it. the value 1 will be selected, change the 1 to a 0 and click OK.
Select "Edit/Find Next (or press F3) and repeat step 5. After you change the Enabled key repeat this step until you get back to the first Enabled key that is already set to 0 or is the LiveUpDate key). Close Regedit.
Re-open the SEP client and click Create a New Scan in the Scan for Threats section. Make it an active scan and make it run every day sometime during the night.
If you were running Tamper Protection previously (you should be), In the Change Settings section of the SEP client, click on the Configure Settings button of Client Management area then on the Tamper Protection tab. Check the top checkbox "Protect Symantec security...". Click Ok to save changes.
Windows XP, SEP 12.1 self-managed/unmanaged Small Business Edition (SBE) client, also tested on 12.1 Enterprise Edition (EE).
Also tested on managed clients, Just note the time of day that the Symantec Endpoint Protection Manager (SEPM) scan should run and leave that one enabled
(ex.: SEPM Scan should run at 12:30AM, MinOfDay value=30, the scan is set to run at 12:30AM).
Imported Document ID: TECH171788
Subscribing will provide email updates when this Article is updated. Login is required to Subscribe