Scheduled scans and missed event handling in Endpoint Protection
Last Updated January 28, 2016
A scheduled scan in Symantec Endpoint Protection (SEP) starts unexpectedly and does not appear to occur within the configured Retry Interval.
Missed Scheduled Scans use the following logic to determine whether a scan was missed:
Look at the LastStart value in the registry that contains the scheduled scan's settings. This LastStart value contains the date and time when the last scan completed.
Based on the schedule type, set the first possible date a missed scan should run:
For weekly scans the first possible date would be: LastStart + 7 Days
For daily scans the first possible date would be: LastStart + 1 Day
Add the Retry Interval to the first possible date to calculate the Missed Event Window. For example, if the Retry Interval is configured to be 3 days for a weekly scan:
LastStart + 7 Days + 3 Days
In the following examples a Weekly scan is configured to run Tuesdays at 00:30 with no Randomized Scan times and a Missed Scheduled Scan Retry Interval of 3 days.
The calendar entries illustrate what the Missed Event Window will be when a scheduled scan does or does not run.
In this first example, the machine is switched off a week after the first scheduled scan ran on 22 November. It is switched back on within the Missed Event Window timeframe on 1 December.
It is also switched on when the next scheduled scan is supposed to take place on Tuesday 6 December. This causes the potential Missed Event Window calculated after the 1 December scan to be reset, so no further scans will occur that week.
In the example below, the machine was not switched on in time on Tuesday 6 December, so the Missed Event Window calculated from the last scan on 1 December still applies.
If the machine is left switched on from Tuesday 6 December onwards, the next scan will occur on Thursday 8 December.
If, on the other hand, the machine is switched off on Tuesday 6 December, the next scan will occur whenever it is switched back on within the Missed Event Window: Thursday 8 December - Sunday 11 December.
So if the machine is only switched back on on Saturday or Sunday before 15:54:21, the missed scheduled scan will run. Since Saturday and Sunday are 4 and 5 days later than Tuesday, this could be perceived as the Missed Event scan starting outside of the 3 day Retry Interval.
There are some pitfalls when trying to test these missed events by manipulating the system time, which could produce unexpected results:
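The window arithmetic from the example above, as an added Python sketch (not Symantec's code) that can be used to check whether an "unexpected" scan start actually falls inside the Missed Event Window. The function names and the year 2011 are assumptions, and 15:54:21 is assumed to be the LastStart time recorded for the 1 December scan.

```python
from datetime import datetime, timedelta

# Schedule periods named on the page (weekly and daily scans).
PERIOD = {"weekly": timedelta(days=7), "daily": timedelta(days=1)}


def missed_event_window(last_start, schedule, retry_days):
    """Return (opens, closes) of the Missed Event Window.

    opens  = LastStart + schedule period (the first possible date)
    closes = opens + Retry Interval
    """
    opens = last_start + PERIOD[schedule]
    return opens, opens + timedelta(days=retry_days)


def missed_scan_start(last_start, schedule, retry_days, powered_on):
    """Time a missed-event scan starts for a machine that is available
    from `powered_on`, or None if that moment is past the window."""
    opens, closes = missed_event_window(last_start, schedule, retry_days)
    if powered_on >= closes:
        return None
    return max(powered_on, opens)  # cannot start before the window opens


# Constructed sample values: the year 2011 is assumed (it makes 22 November
# a Tuesday); 15:54:21 is assumed to be LastStart for the 1 December scan.
LAST_START = datetime(2011, 12, 1, 15, 54, 21)
SCHEDULED = datetime(2011, 12, 6, 0, 30)  # the Tuesday scan that was missed

if __name__ == "__main__":
    opens, closes = missed_event_window(LAST_START, "weekly", 3)
    print("window:", opens, "to", closes)
    for on in (datetime(2011, 12, 6, 9, 0),     # left on from Tuesday
               datetime(2011, 12, 10, 10, 0),   # switched on Saturday
               datetime(2011, 12, 11, 16, 0)):  # Sunday, after 15:54:21
        start = missed_scan_start(LAST_START, "weekly", 3, on)
        lag = (start - SCHEDULED).days if start else None
        print(on, "->", start, "| days after scheduled Tuesday:", lag)
```

The Saturday case starts 4 days after the scheduled Tuesday yet still inside the window, because the window is measured from LastStart and not from the scheduled day.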
Modifying an existing scheduled scan that has run to completion in the past: The last recorded scan time will be used when the missed event calculation occurs, potentially skewing the results.
LastStart value is empty: This can happen when a scan is scheduled, but the machine is shut down, or the system time has changed before the first scheduled scan was allowed to run and complete. The missed event calculation deals with empty LastStart values in two ways:
Verify when the scheduled scan was created. If the "Created" value is in a certain timeframe in the past, assume that the scan was missed and run it as a missed event. This timeframe varies. For weekly scans, a Created time dating 4 weeks before the system time triggers the Missed Event Scan.
If the "Created" value is "recent" a Missed Event is not triggered. The scan will run at the next scheduled time.
Imported Document ID: TECH175447