Some applications or file shares may not function normally after Symantec Endpoint Protection is installed with the AV/AS feature, and the issue is resolved if File System Auto-Protect (AP) is disabled. In some situations you may need to disable the "deferred scanning" feature in Auto-Protect to work around a known issue, to test a specific condition, or to alter the timing of file scans by Auto-Protect.
Disabling this feature can serve as a workaround or isolation test in a variety of conditions where the issue is resolved or does not reproduce when Auto-Protect is disabled. Examples include, but are not limited to:
A timing issue can occur in some situations due to a race condition between an application and File System Auto-Protect
The encryption driver does not support decrypting the file when it is opened with READ_ATTRIBUTES access
File share performance degradation or a hang is experienced when an OPLOCK is necessary
Errors during compilation reference "Access is Denied" and result in build failures
Auto-Protect (AP) optimizes its scanning based on I/O and CPU overhead. The AP Deferred Scan feature is used when the system is under high disk I/O (for example, when large files are copied) or when a file is rescanned after a definition update. While a large number of files are being copied, AP places files that are not being accessed for an immediate READ/EXECUTE action in a queue. A scan thread picks files from the queue and scans them as early as possible. If any process tries to read or execute a file that is already in the queue, that file is scanned immediately for security reasons.
By default, the Deferred Scan feature is enabled and delays the scan. To disable the Deferred Scan feature:
Disable Tamper Protection.
Create the registry value that disables this option:
Click Start > Run
Type in: regedit and click OK
Navigate to: "HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Storages\Filesystem\RealTimeScan" (32-bit operating system) or "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Storages\Filesystem\RealTimeScan" (64-bit operating system)
Click Edit > New > DWORD Value
Name the new value: DeferredScanning
In the Value data field, enter "0" (1 = on, 0 = off)
Close the Registry Editor window.
Enable Tamper Protection again.
Reboot the machine.
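The registry steps above can also be scripted. The following PowerShell is an added example, not Symantec's own tooling; it assumes an elevated session with Tamper Protection already disabled in the client, and it uses only the key paths and value name given in this article.

```powershell
# Added example: sets the DeferredScanning value described in the steps above.
# Assumes an elevated PowerShell session and that Tamper Protection is already disabled.
$ErrorActionPreference = 'Stop'

# The two key paths come from the article; choose one by OS bitness.
$base = if ([Environment]::Is64BitOperatingSystem) {
    'HKLM:\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection'
} else {
    'HKLM:\SOFTWARE\Symantec\Symantec Endpoint Protection'
}
$key  = Join-Path $base 'AV\Storages\Filesystem\RealTimeScan'
$name = 'DeferredScanning'

# Do not create the key: if it is missing, the AV component is not present at this path.
if (-not (Test-Path -LiteralPath $key)) {
    throw "Registry key not found: $key"
}

# Record the current state so the change can be reverted once testing is finished.
$existing = Get-ItemProperty -LiteralPath $key -Name $name -ErrorAction SilentlyContinue
if ($null -ne $existing) {
    Write-Output "Previous $name value: $($existing.$name)"
} else {
    Write-Output "$name was not present (feature at its default, enabled)."
}

try {
    # 0 = off, 1 = on (per the article). -Force overwrites an existing value.
    New-ItemProperty -LiteralPath $key -Name $name -PropertyType DWord -Value 0 -Force | Out-Null
} catch {
    throw "Write to $key failed: $($_.Exception.Message) Check elevation and that Tamper Protection is disabled."
}

# Read the value back to confirm the write took effect.
$current = (Get-ItemProperty -LiteralPath $key -Name $name).$name
if ($current -ne 0) {
    throw "$name is $current, expected 0."
}
Write-Output "$name = 0. Re-enable Tamper Protection, then reboot."
```

The script prints the previous value before overwriting it, so the setting can be restored once the workaround or isolation test is no longer needed.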
Imported Document ID: TECH224108