We have SCEP 2012 installed via ConfigMgr 2012 SP1. I have a weekly Full scan scheduled for 12:00 AM on Thursdays. I schedule a Quick scan daily at 12:00 PM.
I am getting reports of Full Scans running daily at random times on a few machines. This seems to be happening randomly. It is happening often enough that I need to figure out what is going on.
When I check one of the machines in question, I see that there are two Endpoint Protection policies applied: the Default policy (with an order of 1000) and the custom policy that defines the Full and Quick scan schedules that I want (with an order number of 1). (I have not figured out how to prevent the default policy from getting applied.) When I look at the policy value in the registry or via the Endpoint console on the local machine, the policy is reported as 'Antimalware Policy'. I don't have a policy with that name. I figure Endpoint is reporting this name because the default policy and the custom policy are both applied.
When I look at the Endpoint console on one of the machines in question, the Scheduled Scan settings screen is locked (as it should be) by the security administrator, and it shows the correct schedule day and time. My custom policy is set to 'force a scan of the selected scan type if client computer is offline during two or more scheduled scans'.
I checked the System event logs and can see where the last scheduled full scan did start (around the scheduled time) and did finish in about 2 hours. There is an entry (Event ID 1001) showing the scan finished. The event (Event ID 1000) shows the Full scan with a user ID of 'NT Authority\Network Service', so I know that it is a system-started Full scan. (When the user kicks off a full scan, it's the user ID that appears here.) Two days later the system is kicking off the unscheduled scan. This finishes, and then the next day the system kicked off another full scan. That's when the user called me to complain.
I have done some Bing and Google searches and I see where others are complaining about the same issue, but I don't see any solutions. I'm hoping someone on this list might have a solution.
I'm sending this to the ConfigMgr list as well to hopefully get to more admins who might have an idea as to what is going on or a fix.
Thanks,
Ken Lutz
Senior Systems Administrator
Information Systems Department
Spokane County
815 N. Jefferson
Spokane, Washington 99260