SCEP 2012 clients kicking off random scans

We have an SCCM 2012 environment with SCEP 2012 recently deployed. We have a policy in place that does weekly full scans on Tuesdays at 12AM.  The client machines are 64 bit Windows 7.  We are seeing some random computers kicking off Full scans at various points in the day.  We thought that initially there were viruses on these machines and that was causing the scans, but according to the EP console, they do not have any type of virus or malware.

Any ideas?

December 18th, 2012 7:40pm

There used to be an option in FEP to randomise the start time...maybe a similar option is enabled in SCEP?
December 18th, 2012 8:28pm

There is an option for that.  But it only randomizes it by 30 minutes of the scheduled time to alleviate network congestion.  We are seeing scans kick off, let's say for example, at 8AM after it already ran a full scan at midnight.
December 18th, 2012 9:14pm

Hi,

Thank you for the post.

According to this article, scans may begin within two hours of the scheduled time you select. Exact scan times are randomized to reduce strains on network traffic. If you want to configure SCEP clients to start scheduled scans on time, you may set the RandomizeScheduleTaskTimes (DWORD) under the antimalware root registry key to 0. For SCEP the root is probably HKLM\Software\Microsoft\Microsoft Antimalware.

Regards,

December 20th, 2012 10:47am

Has this issue been resolved yet? I am having the exact same problem. Our policy is set for a weekly full scan on Friday night at 7:00pm (randomized for 30 from start time) and a daily quick scan after 5pm. I am seeing some EP clients kicking off a full scan every night at random times like 12:00am, which is not the policy at all.  Because it is not affecting all clients, could it be that at one time there was a detection on those clients and now they are subject to a scan every night?  The two clients having the issue that I know of both had detections in the past.
December 21st, 2012 8:26pm

No, unfortunately it has not.  We just had another one yesterday.  The policy that this user/machine falls under is set to scan at 12:00AM on Tuesday (as stated above), and it did perform the full scan.  But then it kicked off another scan at 3PM yesterday, well outside the 30 minute randomization schedule.

I may be placing a call into MS.

January 3rd, 2013 8:51pm

I see the same behaviour in my environment as well.

Scans are kicking off well before (hours) and well after (hours) the scheduled scan time and randomization window.

My boss wants to know why. What do I tell him?

February 28th, 2013 9:14pm

Nick,

You both proposed this as the answer to the issue presented and you marked it as the answer.

You need to undo this action as the problem is not fixed nor explainable.

I would think that the person who proposes a post as the answer should not be allowed to mark it as such.

Thanks!

February 28th, 2013 9:16pm

Semiproslacker,

did you place a call at MS? We have the same issue for some clients. Although EP Policies seem to be applied fine (weekly scan) some clients just scan daily.
We opened a CAS some months ago but MS didn't find anything. We agreed to reinstall OS on an affected computer and check if it happens again.
But I'm still looking for a solution slightly less time consuming. So if MS was able to solve the issue could you share the solution?

Thanks!

June 7th, 2013 1:32pm

Chris,

I did place a call.  They didn't find anything either.  In fact, they had escalated it and set up a test environment like ours and still could not find anything.   Fortunately, it hasn't happened in a few months so for now it's on the back burner again.

Please check as answer if you are satisfied with my response or click "Vote as Helpful".

Thanks

June 13th, 2013 5:59pm

I know it's not good form to drag up old threads, but this one was never resolved and well...

We're in this sinking boat too, now.

We are in the midst of a SCCM deployment and everything seems to work well, EXCEPT some laptops are randomly kicking off SCEP scans in the middle of the work day.

These are not gentle scans...  Full on hammer the drive, cook the CPU and get the fan whirring like a jet engine.

That randomization that was suggested as an answer is flat out NOT the answer.  Something is rotten in Denmark and my head is on the block.... The execs are the laptop users... I don't really relish hearing from our Continental VP's that their laptops are unusable for periods :(

Anyone have any solutions - heck CAUSES, even?

October 1st, 2013 7:00pm

Dragonspeed,

It's a tough place to be in, I know.  I saw the same thing last night again, only this time on a Citrix server.  However, the user saw the pop up from EP this time stating that the server needed to be rebooted due to a virus.  The scan was running right before the message.  So in this scenario, there was a virus that caused the scan.  This is one of the more puzzling issues that I have seen with SCCM and EP.  Fortunately for me, there hasn't been much activity with this issue, so it has been laid to rest....for now.

Moral of my story here is to check again for virus activity.  If that isn't the case, it's time to contact MS and have them fix this bug.

Thanks,

Please check as answer if you are satisfied with my response or click "Vote as Helpful".

October 1st, 2013 7:09pm

I'm already imagining my conversation with some scratchy voice over VOIP in India... my heart sinks at the thought. I don't have a solidly reproducible environment that I can point them to.. Heck, this stupid app doesn't even document its choices to do things very well.

I can't find logs that indicate that it WANTED to scan at the wrong time... it just did.

The machines that it has kicked in the full scan did NOT have any virus detections - even after the 6+ hours of scanning.  It's not being caused by any realtime trigger - that I can see. 

Brian.

October 1st, 2013 7:28pm

Resurrecting this thread for the second time as we still don't have a resolution - my network is also having this issue. It's isolated to one user. The affected machine is in the correct policies, and our scheduled scan is 5pm on Fridays. Nearly every day (But it does miss some) at around 10am - 12pm she will have a scan start.

Any response from Microsoft on this would be fantastic.

January 16th, 2014 4:08am

Similar problem but can't find any solution.

Any suggestion?


January 31st, 2014 3:55am

Anyone find a solution to this issue? Is it fixed in 2012 R2? I have a few users this happens on too. Any response would be good, as everywhere on the net I see the issue is active but no resolution or cause.
April 30th, 2014 4:56pm

I wish we did.  I am not seeing it nearly as much as we used to.  However, seeing that the comments on here keep bringing this up it looks as though there is still nothing.  It would be nice to have a MS PFE or MVP chime in on this.
April 30th, 2014 5:22pm

I'm also experiencing this with some users, and we've had a case open with MSFT for over a month with no joy yet. Pointing them at this thread.
May 7th, 2014 12:11pm

I'm gonna go ahead and throw my hat in the ring here as well, as we are experiencing the same issue. And yes, the laptop users are execs and they aren't happy.

May 22nd, 2014 9:10pm

We are experiencing the same issue.  Full Scans configured for Fridays at 5:30pm (+/- 30).  We have a few users whose Full Scans run Friday morning and run most of the day.  We are on SCCM 2012R2.
  • Proposed as answer by WSUVTX Tuesday, July 29, 2014 3:27 PM
  • Unproposed as answer by WSUVTX Tuesday, July 29, 2014 3:27 PM
July 29th, 2014 6:26pm

We have found that in some cases affected machines have an entry in the Task Scheduler to kick off a full scan. This appears to be created by SCEP when it is prevented from performing its scheduled Full Scans for a defined period, and attempts to do "Catchup Scanning". However, in a few cases this task seems to become "sticky" and runs every day even if a full scan completes successfully (which should reset the catchup scanning countdown)

So I'd recommend checking the scheduled tasks on any affected machines to see if you have the same problem. I've also disabled catchup scanning on one or two affected laptops which appears to have resolved the issue for the individuals. It never became a widespread issue for us, thankfully.

Matt

July 29th, 2014 6:32pm

There are no Scheduled Tasks.  I am not sure how to disable the catchup scanning.  Can you point me in the right direction, Matt?
July 29th, 2014 7:05pm

Hi,

In the Endpoint Protection Policy settings within SCCM, under the Scheduled Scans subheading, you'll find a setting titled: "Force a scan of the selected scan type if client computer is offline during two or more scheduled scans:"

I found that disabling this setting fixed the issue on two machines. I don't know whether this will work for you, but probably worth a try.

Matt

July 29th, 2014 7:12pm

Matt,

Interesting that you mention that.  We disabled that several months back and now that  I think about it, since my last post, I haven't seen any random scans as well.  Can anyone else confirm this setting fixes this issue?  

August 19th, 2014 9:46pm

I'm not sure that disabling the feature that causes this can be called a "fix".

It's a workaround that will make the problem go away and quiet the squeaky wheels, sure, but that means you have machines (especially laptops) that simply won't get (full) scanned ever. And if you permit user control over the scans (we don't), the problem is compounded.

We had desktops that are on the network 24/7 (should not be missing scans) kicking off scans every day, hammering the drive and making the workstation virtually unusable.

August 19th, 2014 10:03pm

For anyone that comes across this thread, I did find a cause/workaround for this problem.  On the machines where the issue is reported, look in their task scheduler.  Under Microsoft > Microsoft Antimalware, our machines had an extra entry that was kicking off a full scan weekly.  This scan was also set to run ASAP if missed.  The machine would then also run the configured weekly full scan.
January 20th, 2015 6:20pm
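
The check suggested in the posts above (look for an extra full-scan task under Microsoft > Microsoft Antimalware, see whether it is set to run as soon as possible after a missed start, and read the RandomizeScheduleTaskTimes value) can be scripted. This is an added example, not code from any poster or from Microsoft; the registry path is the one an earlier reply called "probably" correct, the function name is hypothetical, and the script should be run from an elevated prompt.

```powershell
# Added example: audit one client for leftover SCEP scan tasks.
# Uses the Task Scheduler COM API so it also runs on Windows 7 / PowerShell 2.0.

$TaskFolder = '\Microsoft\Microsoft Antimalware'                   # folder named in the thread
$RegRoot    = 'HKLM:\Software\Microsoft\Microsoft Antimalware'     # "probably" the root, per the thread

function Get-AntimalwareScanTask {                                 # hypothetical helper name
    param([string]$Path = $TaskFolder)

    $svc = New-Object -ComObject Schedule.Service
    $svc.Connect()                                                 # local machine, current user
    try   { $folder = $svc.GetFolder($Path) }
    catch { Write-Warning "Task folder '$Path' not found."; return }

    foreach ($task in $folder.GetTasks(1)) {                       # 1 = include hidden tasks
        $def = $task.Definition
        New-Object PSObject -Property @{
            Name            = $task.Name
            Enabled         = $task.Enabled
            LastRunTime     = $task.LastRunTime
            NextRunTime     = $task.NextRunTime
            # "Run task as soon as possible after a scheduled start is missed"
            RunAsapIfMissed = $def.Settings.StartWhenAvailable
            # Trigger type: 1 = one time, 2 = daily, 3 = weekly, 8 = at boot
            Triggers        = @($def.Triggers | ForEach-Object {
                                  "type=$($_.Type) start=$($_.StartBoundary)" }) -join '; '
            # Command line the task runs (only exec actions expose Path/Arguments)
            Actions         = @($def.Actions | ForEach-Object {
                                  "$($_.Path) $($_.Arguments)" }) -join '; '
        }
    }
}

Get-AntimalwareScanTask |
    Select-Object Name, Enabled, RunAsapIfMissed, LastRunTime, NextRunTime, Triggers, Actions |
    Format-List

# Randomization setting mentioned earlier in the thread; empty output means the value is not set.
$rand = Get-ItemProperty -Path $RegRoot -Name RandomizeScheduleTaskTimes -ErrorAction SilentlyContinue
"RandomizeScheduleTaskTimes = $($rand.RandomizeScheduleTaskTimes)"
```

Comparing the output from an affected machine with one that behaves normally shows whether an extra task exists and whether its last run times line up with the unexpected scans.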

Here is the way MS does such things. (Update works this way too) It is STUPID, of course, but then "SMART" is not a word that fits Microsoft very well. Just look at Windows 8 for an example or to the fact you can't even find a simple link to the SCEP client for whatever happens to be the latest greatest version.

As for the auto scanning, it will occur REGARDLESS of the time set shortly after you start your PC if it was not able to do it at the appointed time. So if it is set for 12am, and if the system, for whatever reason was not on, it will kick off shortly after it is booted, REGARDLESS of the current time. (It is supposed to wait until the system is idle, but MS uses lack of keyboard or mouse action to decide if a system is active instead of actually looking to see if it is.) For example watching a movie. MS would say after five minutes, it is inactive, then run the scan, screen save, update, or whatever. Maybe you were just reading a long email, letter, or article online, doesn't matter MS will kick off the scheduled event. Of course this will cause problems for the movie etc, but MS won't care. Bottom line is if the MS AV is doing its job, or anyone's AV for that matter, and was installed on a 100% clean PC, then one should NEVER need to do a blind system scan. Common sense really. Of course MS AV is not very good at preventing the more destructive of the evils out there such as the Ransomwares and things like the ASK or the Google toolbar or the many fake "fix your PC" popups that are out there etc. etc.

Best just to keep it disabled.

Ralph

January 30th, 2015 8:24pm

This topic is archived. No further replies will be accepted.
