

jeffpoling

Endpoint Protection Scheduled Scan Issue


We are piloting System Center Endpoint Protection 2012 in our environment. On several of the pilot PCs, a scheduled scan runs per our antimalware policy; however, two days later, another full scan kicks off and runs through the day. Our policy is configured for a full scan to happen on Sundays at Midnight.

 

Has anyone experienced this? How do I troubleshoot why the scan is initiating outside of the parameters in the policy?

 

Thanks,

 

Jeff


Start by verifying what policy is applied to those clients; then, if it's the wrong policy, you need to find out why it's not applying the correct policy.


Ok. I verified in the EndpointProtectionAgent.log file that the correct antimalware policy is applying to the machines. I also looked at the MPLog*.log in C:\ProgramData\Microsoft\Microsoft Antimalware\Support. One thing that stands out in that log is a statement about "Run lost scheduled job". Here is a snip of that log:

 

**************************END RTP Perf Log*************************

 

 

Signature updated on Wed Oct 24 2012 03:14:31

Product Version: 3.0.8410.0

Service Version: 3.0.8410.0

Engine Version: 1.1.8904.0

AS Signature Version: 1.139.410.0

AV Signature Version: 1.139.410.0

************************************************************

2012-10-24T08:14:31.176Z Process scan started.

2012-10-24T08:14:33.298Z IWscAVStatus::UpdateStatus() succceeded writing instance with state (1) and up-to-date state(1)

2012-10-24T08:14:33.298Z IWscASStatus::UpdateStatus() succceeded writing instance with state (1) and up-to-date state(1)

2012-10-24T08:14:36.121Z Process scan completed.

2012-10-24T09:41:51.200Z Task(SignatureUpdate -ScheduleJob -RestrictPrivileges) launched

2012-10-24T09:46:51.205Z AutoPurgeWorker triggered with dwWork=0x3

2012-10-24T09:46:51.205Z Product supports installmode: 2

2012-10-24T09:46:51.205Z Detection State: Finished(0) Failed(0) CriticalFailed(0) Additional Actions(0)

2012-10-24T09:46:51.205Z Task(Scan -ScheduleJob -RestrictPrivileges) launched

2012-10-24T09:46:51.205Z Run lost scheduled job: Scan -ScheduleJob -RestrictPrivileges

2012-10-24T09:46:53.608Z IWscAVStatus::UpdateStatus() succceeded writing instance with state (1) and up-to-date state(1)

2012-10-24T09:46:53.608Z IWscASStatus::UpdateStatus() succceeded writing instance with state (1) and up-to-date state(1)

 

Any thoughts on why the scheduled job would be "lost"?

 

Thanks,

 

Jeff
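
As an added example (not part of the original posts and not Microsoft's tooling), the Python script below scans MPLog text for scheduled Scan launches and flags those accompanied by a "Run lost scheduled job" entry, reporting the UTC weekday so each launch can be compared with the policy's schedule. The sample lines are constructed in the shape of the excerpt above; the function names and the one-second pairing window are assumptions.

```python
import re
from datetime import datetime, timezone

# Constructed sample in the shape of the MPLog excerpt quoted in the thread.
SAMPLE_MPLOG = """\
2012-10-24T08:14:31.176Z Process scan started.
2012-10-24T08:14:36.121Z Process scan completed.
2012-10-24T09:41:51.200Z Task(SignatureUpdate -ScheduleJob -RestrictPrivileges) launched
2012-10-24T09:46:51.205Z Task(Scan -ScheduleJob -RestrictPrivileges) launched
2012-10-24T09:46:51.205Z Run lost scheduled job: Scan -ScheduleJob -RestrictPrivileges
"""

LINE = re.compile(r"^(\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d\.\d{3})Z\s+(.*)$")
LAUNCH = re.compile(r"^Task\((.+)\) launched$")
LOST = re.compile(r"^Run lost scheduled job: (.+)$")
PAIR_WINDOW_S = 1.0  # assumption: both entries are written within a second

def parse_events(text):
    """Return (utc_datetime, message) for every timestamped MPLog line."""
    events = []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S.%f")
            events.append((ts.replace(tzinfo=timezone.utc), m.group(2).strip()))
    return events

def scheduled_scan_launches(text):
    """List scheduled Scan launches, flagging those logged as a 'lost' job."""
    events = parse_events(text)
    lost = [(ts, m.group(1)) for ts, msg in events if (m := LOST.match(msg))]
    launches = []
    for ts, msg in events:
        m = LAUNCH.match(msg)
        if not m or not m.group(1).startswith("Scan "):
            continue  # skip SignatureUpdate and other tasks
        job = m.group(1)
        is_lost = any(j == job and abs((ts - t).total_seconds()) <= PAIR_WINDOW_S
                      for t, j in lost)
        launches.append({"utc": ts, "weekday_utc": ts.strftime("%A"),
                         "job": job, "lost_job": is_lost})
    return launches

if __name__ == "__main__":
    for r in scheduled_scan_launches(SAMPLE_MPLOG):
        tag = "LOST-JOB RUN" if r["lost_job"] else "normal launch"
        print(f'{r["utc"].isoformat()} {r["weekday_utc"]} {tag}: {r["job"]}')
```

Timestamps ending in Z are UTC, so convert to the client's local time before comparing against the scheduled day and hour in the antimalware policy.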


Were the systems off when the job was supposed to run? Anything in Event Viewer?

 

To get extensive log files, open an administrative command prompt and CD to the following directory on the client:

 

C:\Program Files\Microsoft Security Client\Antimalware

 

and execute the following command:

 

MpCmdRun.exe -getfiles

 

The log files are stored in C:\ProgramData\Microsoft\Microsoft Antimalware\Support and that directory in turn will contain a CAB file (MPSupportFiles.cab) which has several relevant log files to examine.


Under Scheduled scans for your custom antimalware policy, try disabling "Force a scan of the selected scan type if client computer is offline during two or more scheduled scans". If this is set to True it will start a full scan whenever the client starts up if it has missed the last two scheduled scans. But if it happens every 2 days that is strange.

  • Like 1


Thanks. I generated the CAB file and pored over the log files. I can clearly see the "extra" scan kicking off, but there is absolutely no explanation as to why. I am sure I must be missing something or perhaps encountered a bug.

 

As for the state of the systems during the actual scheduled scan, they were all on and available. The client GUI showed that the last scan completed successfully and the "extra" scan kicked off anyway.

 

Thanks again,

 

Jeff


Tay, Thanks. I made that adjustment to our policy and will see if that makes a difference. I don't know why the clients would be seen as offline, but it is definitely a possibility as a cause for the extra scans.

 

Thanks again,

 

Jeff
