jeffpoling Posted October 24, 2012

We are piloting System Center Endpoint Protection 2012 in our environment. On several of the pilot PCs, a scheduled scan runs per our antimalware policy; however, two days later, another full scan kicks off and runs through the day. Our policy is configured for a full scan to happen on Sundays at Midnight.

Has anyone experienced this? How do I troubleshoot why the scan is initiating outside of the parameters in the policy?

Thanks, Jeff

anyweb Posted October 24, 2012

Start by verifying what policy is applied to those clients, then if it's the wrong policy you need to find out why it's not applying the correct policy.

jeffpoling Posted October 24, 2012

Ok. I verified in the EndpointProtectionAgent.log file that the correct antimalware policy is applying to the machines. I also looked at the MPLog*.log in C:\ProgramData\Microsoft\Microsoft Antimalware\Support. One thing that stands out in that log is a statement about "Run lost scheduled job".

Here is a snip of that log:

**************************END RTP Perf Log*************************
Signature updated on ?Wed ?Oct ?24 ?2012 03:14:31
Product Version: 3.0.8410.0
Service Version: 3.0.8410.0
Engine Version: 1.1.8904.0
AS Signature Version: 1.139.410.0
AV Signature Version: 1.139.410.0
************************************************************
2012-10-24T08:14:31.176Z Process scan started.
2012-10-24T08:14:33.298Z IWscAVStatus::UpdateStatus() succceeded writing instance with state (1) and up-to-date state(1)
2012-10-24T08:14:33.298Z IWscASStatus::UpdateStatus() succceeded writing instance with state (1) and up-to-date state(1)
2012-10-24T08:14:36.121Z Process scan completed.
2012-10-24T09:41:51.200Z Task(SignatureUpdate -ScheduleJob -RestrictPrivileges) launched
2012-10-24T09:46:51.205Z AutoPurgeWorker triggered with dwWork=0x3
2012-10-24T09:46:51.205Z Product supports installmode: 2
2012-10-24T09:46:51.205Z Detection State: Finished(0) Failed(0) CriticalFailed(0) Additional Actions(0)
2012-10-24T09:46:51.205Z Task(Scan -ScheduleJob -RestrictPrivileges) launched
2012-10-24T09:46:51.205Z Run lost scheduled job: Scan -ScheduleJob -RestrictPrivileges
2012-10-24T09:46:53.608Z IWscAVStatus::UpdateStatus() succceeded writing instance with state (1) and up-to-date state(1)
2012-10-24T09:46:53.608Z IWscASStatus::UpdateStatus() succceeded writing instance with state (1) and up-to-date state(1)

Any thoughts on why the scheduled job would be "lost"?

Thanks, Jeff

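Added example, not part of the original thread and not code from Microsoft or the posters: a PowerShell function that lists every scheduled scan launch in an MPLog with its local time and weekday, and marks the launches logged as "Run lost scheduled job". The function name Get-MpScanLaunch, the -PolicyDay parameter, and the pairing of the two log lines by identical timestamp (as seen in the snippet above) are assumptions; the last sample line is constructed.

```powershell
# First three lines are copied from the log snippet in the post above;
# the last line is constructed to show a launch without a "lost job" marker.
$sample = @'
2012-10-24T09:41:51.200Z Task(SignatureUpdate -ScheduleJob -RestrictPrivileges) launched
2012-10-24T09:46:51.205Z Task(Scan -ScheduleJob -RestrictPrivileges) launched
2012-10-24T09:46:51.205Z Run lost scheduled job: Scan -ScheduleJob -RestrictPrivileges
2012-10-28T05:00:02.114Z Task(Scan -ScheduleJob -RestrictPrivileges) launched
'@ -split "`r?`n"

function Get-MpScanLaunch {
    param(
        [Parameter(Mandatory)][string[]]$Line,
        [DayOfWeek]$PolicyDay = 'Sunday'   # assumption: scan day set in the antimalware policy
    )
    # Keep only timestamped entries; banner and version lines are skipped.
    $entry  = '^(?<ts>\d{4}-\d\d-\d\dT[\d:.]+Z)\s+(?<msg>.+)$'
    $parsed = foreach ($l in $Line) {
        if ($l -match $entry) {
            [pscustomobject]@{ Stamp = $Matches.ts; Message = $Matches.msg.Trim() }
        }
    }
    # Index the "Run lost scheduled job" markers by timestamp and job string.
    $lost = @{}
    foreach ($p in $parsed) {
        if ($p.Message -match '^Run lost scheduled job:\s*(?<job>.+)$') {
            $lost["$($p.Stamp)|$($Matches.job)"] = $true
        }
    }
    # Report each scan launch; log timestamps are UTC, so convert to local time
    # (the time zone of the machine running this script) before comparing days.
    foreach ($p in $parsed) {
        if ($p.Message -match '^Task\((?<job>Scan\b.*)\) launched$') {
            $job   = $Matches.job
            $local = [datetimeoffset]::Parse($p.Stamp, [cultureinfo]::InvariantCulture).LocalDateTime
            [pscustomobject]@{
                LocalTime   = $local
                Day         = $local.DayOfWeek
                Job         = $job
                CatchUp     = $lost.ContainsKey("$($p.Stamp)|$job")
                OnPolicyDay = ($local.DayOfWeek -eq $PolicyDay)
            }
        }
    }
}

Get-MpScanLaunch -Line $sample | Format-Table -AutoSize
# Against a client's logs (path as given in the post):
# Get-MpScanLaunch -Line (Get-Content 'C:\ProgramData\Microsoft\Microsoft Antimalware\Support\MPLog*.log')
```

Rows with CatchUp set to True and OnPolicyDay set to False are the extra scans to compare against the "Force a scan ... if client computer is offline" policy setting and the machine's uptime.
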
anyweb Posted October 24, 2012

Were the systems off when the job was supposed to run? Anything in Event Viewer?

To get extensive logfiles, open an administrative command prompt and CD to the following directory on the client:

C:\Program Files\Microsoft Security Client\Antimalware

and execute the following command:

MpCmdRun.exe -getfiles

The log files are stored in C:\ProgramData\Microsoft\Microsoft Antimalware\Support and that directory in turn will contain a CAB file (MPSupportFiles.cab) which has several relevant log files to examine.

Tay Posted October 24, 2012

Under Scheduled scans for your custom antimalware policy, try disabling "Force a scan of the selected scan type if client computer is offline during two or more scheduled scans". If this is set to True it will start a full scan whenever the client starts up if it has missed the last two scheduled scans. But if it happens every 2 days that is strange.

jeffpoling Posted October 24, 2012

Thanks. I generated the CAB file and pored over the log files. I can clearly see the "Extra" scan kicking off, but there is absolutely no explanation as to why. I am sure I must be missing something or perhaps encountered a bug.

As for the state of the systems during the actual scheduled scan, they were all on and available. The client GUI showed that the last scan completed successfully and the "extra" scan kicked off anyway.

Thanks again, Jeff

jeffpoling Posted October 24, 2012

Tay,

Thanks. I made that adjustment to our policy and will see if that makes a difference. I don't know why the clients would be seen as offline, but it is definitely a possibility as a cause for the extra scans.

Thanks again, Jeff

capricorn80 Posted January 30, 2014

Hi! I can see a similar issue on one machine. Although the policy is the same for many computers, it's just happening on one computer.

Thanks,