
Weekly Scan Not Happening

Hi,

We have a decent number of machines that have not had their weekly scan. The policy is applied to scan everyone Weds at 12.00, but I can see some machines going back more than one week since their last scan completed. Some even have no entry in the last scan completed and some go back to early 2017. Machines are rebooted fairly often.

There are over 750 machines in the OU in question and most are okay and doing their weekly scans, but as mentioned others are not.

Thanks



This thread was automatically locked due to age.
  • Hello pdturbo80,

    "Weds at 12.00" is ambiguous - noon or midnight. The scan is a task scheduled at the specific time. If the time is missed, the scan isn't started later. Furthermore, only a successfully completed scan is logged under Last scan; failures, aborts and cancels are logged as errors. If the machine is shut down before the scan completes, you have no indication that it started.

    Scan starts are logged to the endpoints' SAV.txt as well as the scan's log (scanname.txt). Thus inspecting the endpoint logs should give more insight.

    Christian

  • Thanks for the reply. Should the time be adjusted to say 13.00hrs? When you say logged as errors, will it only show the last successful scan time? Reason being I have a load of machines that scanned last week and not this week. Any ideas please?

  • Hello pdturbo80,

    "should the time be adjusted" - I can't tell which time would be best in your environment :)

    There are basically three possible outcomes for a scheduled scan (this also applies to a Full system scan from the console):

    1. the scan successfully completes (with or without detections, with or without scanning errors) - the Last scan completed and Last scan name columns are updated accordingly
    2. the scan is cancelled by an admin on the endpoint, stops because a threat has been found in memory, encounters an internal error which causes it to abort, fails in the initialization phase - in this case the mentioned columns are not updated, the errors are reported to the console (Scanning errors under Alerts and Error Details, and in the View Computer Details pop-up)
    3. the computer is shut down before the scan completes or the computer is not running at the scheduled time - there's no indication that the scan has started or the schedule has been missed

    In case 3, detections and errors encountered during the partial scan might have been sent to the console; there is no indication, though, that they are related to the scan.

    As said, the endpoints' logs will have a record that the scan has been started, SAV.txt has the complete history, scanname.txt is overwritten and contains only output from the last run.

    Christian

  • Hi,

    Still having issues with this. I have logged a call with Support and sent numerous files, but now they are not even responding to requests for more updates on my ticket :(

    Here is the output of the last scan "desktop full scan schedule.txt" from a sample machine (last completed 19/07/17 - the task scheduler says that is when it last ran). Our weekly scans for Desktops/Laptops are set to run 12.00pm every Weds, yet quite a large number of machines are not doing this. Users here are not admin, so cannot cancel the scan.

    20170719 110000 Scan 'Desktop Full Scan Schedule' started.
    20170719 110259 Scanning "C:\Users\s*******\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\WQ6Z052G\row_salup_280716_a.xlsx" returned SAV Interface error 0xa0040212: The file is encrypted.
    20170719 110619 Scan 'Desktop Full Scan Schedule' completed.
    20170719 110619 Summary of results for scan 'Desktop Full Scan Schedule':
    Items scanned: 175947
    Errors: 1
    Items quarantined: 0
    Items dealt with: 0

    The SAV.TXT says the following

    20170806 113349 File "C:\Program Files (x86)\Skype\Updater\Updater.exe" of controlled application 'Skype Updater' (of type Software updater) has been detected.
    20170806 113353 File "C:\Windows\System32\CNMN6PPM.DLL" of controlled application 'Canon IJ Network Tool' (of type Network monitoring / Vulnerability tool) has been detected.
    20170806 113554 File "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" of controlled application 'Google Updater' (of type Software updater) has been detected.
    20170806 113626 File "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" of controlled application 'Google Updater' (of type Software updater) has been detected.
    20170806 113847 File "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" of controlled application 'Google Updater' (of type Software updater) has been detected.
    20170806 114106 File "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe" of controlled application 'Adobe Update Manager' (of type Software updater) has been detected.
    20170806 114107 File "C:\Program Files (x86)\Skype\Updater\Updater.exe" of controlled application 'Skype Updater' (of type Software updater) has been detected.
    20170806 114108 File "C:\program files (x86)\skype\updater\Updater.dll" of controlled application 'Skype Updater' (of type Software updater) has been detected.
    20170806 114344 File "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" of controlled application 'Google Updater' (of type Software updater) has been detected.
    20170806 114414 File "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" of controlled application 'Google Updater' (of type Software updater) has been detected.
    20170806 122413 File "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" of controlled application 'Google Updater' (of type Software updater) has been detected.
    20170806 183529 File "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" of controlled application 'Google Updater' (of type Software updater) has been detected.
    20170806 183531 File "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" of controlled application 'Google Updater' (of type Software updater) has been detected.
    20170807 100934 File "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" of controlled application 'Google Updater' (of type Software updater) has been detected.
    20170807 100935 File "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" of controlled application 'Google Updater' (of type Software updater) has been detected.
    20170807 100943 File "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" of controlled application 'Google Updater' (of type Software updater) has been detected.
    20170807 101926 User (NT AUTHORITY\LOCAL SERVICE) has started on-access scanning for this machine.
    20170807 101926 Using detection data version 5.37 (detection engine 3.67.3). This version can detect 12929171 items.
    20170807 101929 File "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe" of controlled application 'Adobe Update Manager' (of type Software updater) has been detected.
    20170807 101933 File "C:\Program Files (x86)\Skype\Updater\Updater.exe" of controlled application 'Skype Updater' (of type Software updater) has been detected.
    20170807 101938 File "C:\Windows\System32\CNMN6PPM.DLL" of controlled application 'Canon IJ Network Tool' (of type Network monitoring / Vulnerability tool) has been detected.
    20170807 102136 File "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" of controlled application 'Google Updater' (of type Software updater) has been detected.
    20170807 102138 File "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" of controlled application 'Google Updater' (of type Software updater) has been detected.
    20170808 075137 User (NT AUTHORITY\LOCAL SERVICE) has started on-access scanning for this machine.
    20170808 075137 Using detection data version 5.37 (detection engine 3.67.3). This version can detect 12929171 items.
    20170808 075140 File "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe" of controlled application 'Adobe Update Manager' (of type Software updater) has been detected.
    20170808 075144 File "C:\Program Files (x86)\Skype\Updater\Updater.exe" of controlled application 'Skype Updater' (of type Software updater) has been detected.
    20170808 075147 File "C:\Windows\System32\CNMN6PPM.DLL" of controlled application 'Canon IJ Network Tool' (of type Network monitoring / Vulnerability tool) has been detected.
    20170808 075348 File "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" of controlled application 'Google Updater' (of type Software updater) has been detected.
    20170808 075600 File "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe" of controlled application 'Adobe Update Manager' (of type Software updater) has been detected.
    20170808 075601 File "C:\Program Files (x86)\Skype\Updater\Updater.exe" of controlled application 'Skype Updater' (of type Software updater) has been detected.
    20170808 075602 File "C:\program files (x86)\skype\updater\Updater.dll" of controlled application 'Skype Updater' (of type Software updater) has been detected.
    20170808 080139 File "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" of controlled application 'Google Updater' (of type Software updater) has been detected.
    20170808 080219 File "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" of controlled application 'Google Updater' (of type Software updater) has been detected.
    20170808 081136 File "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" of controlled application 'Google Updater' (of type Software updater) has been detected.
    20170808 081454 File "C:\Program Files (x86)\Skype\Updater\Updater.dll" of controlled application 'Skype Updater' (of type Software updater) has been detected.
    20170808 081455 File "C:\Program Files (x86)\Skype\Updater\Updater.exe" of controlled application 'Skype Updater' (of type Software updater) has been detected.
    20170808 083847 File "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" of controlled application 'Google Updater' (of type Software updater) has been detected.
    20170808 093101 File "C:\Windows\ehome\ehshell.exe" of controlled application 'Windows Media Center' (of type Media player) has been detected.
    20170808 093846 File "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" of controlled application 'Google Updater' (of type Software updater) has been detected.
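
Added example (not part of any post in this thread, and not Sophos code): a sketch that sorts each scheduled Wednesday into the three outcomes described earlier, using only the `started` / `completed` lines in an endpoint log. It assumes SAV.txt records those events in the same line shape as the scan's own log quoted above; the function names and the sample lines are constructed for illustration.

```python
import re
from datetime import date, datetime, timedelta

# Line shape taken from the scan log quoted in the thread, e.g.
#   20170719 110000 Scan 'Desktop Full Scan Schedule' started.
EVENT = re.compile(r"^\s*(\d{8}) (\d{6}) Scan '(.+)' (started|completed)\.\s*$")

def scan_events(lines, scan_name):
    """Yield (timestamp, 'started' | 'completed') for one named scan."""
    for line in lines:
        m = EVENT.match(line)
        if m and m.group(3) == scan_name:
            stamp = datetime.strptime(m.group(1) + m.group(2), "%Y%m%d%H%M%S")
            yield stamp, m.group(4)

def classify_schedule(lines, scan_name, first_day, last_day, weekday=2):
    """Label each scheduled day (weekday 2 = Wednesday) as 'completed',
    'started-not-completed' or 'no-start-logged'. Matching is by date only."""
    started, completed, open_start = set(), set(), None
    for ts, kind in sorted(scan_events(lines, scan_name)):
        if kind == "started":
            open_start = ts.date()
            started.add(open_start)
        elif open_start is not None:
            completed.add(open_start)  # credit the run to the day it began
            open_start = None
    result, day = {}, first_day
    while day <= last_day:
        if day.weekday() == weekday:
            result[day] = ("completed" if day in completed else
                           "started-not-completed" if day in started else
                           "no-start-logged")
        day += timedelta(days=1)
    return result

# Constructed sample: the 20170719 lines follow the thread's scan log; the
# 20170726 start without a completion is invented to show an interrupted run.
SAMPLE = """\
20170719 110000 Scan 'Desktop Full Scan Schedule' started.
20170719 110619 Scan 'Desktop Full Scan Schedule' completed.
20170726 110000 Scan 'Desktop Full Scan Schedule' started.
20170807 101926 User (NT AUTHORITY\\LOCAL SERVICE) has started on-access scanning for this machine.
""".splitlines()

if __name__ == "__main__":
    report = classify_schedule(SAMPLE, "Desktop Full Scan Schedule",
                               date(2017, 7, 19), date(2017, 8, 2))
    for day, state in report.items():
        print(day, state)
```

A `no-start-logged` day points at the machine being off or the schedule being missed; a `started-not-completed` day points at an abort, cancel or shutdown mid-scan, which is when the console's error views are worth checking.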

  • Hi  

    Please PM me the ticket # and I will look into it.

    Haridoss Sreenivasan
    Technical Support Engineer | Sophos Technical Support