Endpoint Protection Client not running run scheduled scan

  • Question

  • Hi,

    We are running SCCM 2012 R2 CU1 on our site system and clients, having upgraded from SCCM 2012 sp1 12 months ago.

    A few of our clients will not run a scheduled scan, even though it displays the Scan date and time in the client properties. 

    Someone did create a new EP policy and pointed the clients at it, but that didn't fix this problem.

    The AV engine and AV definitions are up to date and the real time monitor is running.

    In the SCCM console, Active Clients at Risk, the client has Endpoint Protection Enabled showing as Disabled, nothing in the Endpoint Protection Engine Version, nothing for Last Full Scan Start Time, Endpoint Protection Pending Full Scan - No.

    The MPLog-xxxx-xxx.log shows:

    Signature updated on 02-11-2015 05:57:13
    Product Version: 4.7.205.0
    Service Version: 4.7.205.0
    Engine Version: 1.1.11302.0
    AS Signature Version: 1.191.4588.0
    AV Signature Version: 1.191.4588.0
    ************************************************************
    2015-02-11T05:57:15.492Z IWscAVStatus::UpdateStatus() succceeded writing instance with state (1) and up-to-date state(1)
    2015-02-11T05:57:15.492Z IWscASStatus::UpdateStatus() succceeded writing instance with state (1) and up-to-date state(1)
    2015-02-11T05:57:40.982Z Process scan (postsignatureupdatescan) started.
    2015-02-11T05:57:50.420Z Process scan (postsignatureupdatescan) completed.
    2015-02-11T06:06:47.173Z AutoPurgeWorker triggered with dwWork=0x3
    2015-02-11T06:06:47.173Z Product supports installmode: 0
    2015-02-11T06:06:47.173Z Task(Scan -ScheduleJob -RestrictPrivileges) is scheduled to run in 604800000(ms) from now with period 21957080(ms)
    2015-02-11T06:06:47.173Z Task(SignatureUpdate -ScheduleJob -RestrictPrivileges) is scheduled to run in 28800000(ms) from now with period 28800000(ms)
    2015-02-11T06:06:47.173Z Task(Scan -ScheduleJob -RestrictPrivileges -ScanType 2) is scheduled to run in 86400000(ms) from now with period 70114864(ms)
    2015-02-11T06:06:47.844Z Detection State: Finished(0) Failed(0) CriticalFailed(0) Additional Actions(0)

    The EndpointProtectionAgent.log shows:

    Endpoint is triggered by message. EndpointProtectionAgent 11/02/2015 12:12:00 2692 (0x0A84)
    File C:\WINDOWS\ccmsetup\SCEPInstall.exe version is 4.5.216.0. EndpointProtectionAgent 11/02/2015 12:12:00 2692 (0x0A84)
    EP version 4.7.205.0 is already installed. EndpointProtectionAgent 11/02/2015 12:12:00 2692 (0x0A84)
    EP 4.7.205.0 is installed, version is higher than expected installer version 4.5.216.0. EndpointProtectionAgent 11/02/2015 12:12:00 2692 (0x0A84)
    Re-apply EP AM policy. EndpointProtectionAgent 11/02/2015 12:12:00 2692 (0x0A84)
    Apply AM Policy. EndpointProtectionAgent 11/02/2015 12:12:00 2692 (0x0A84)
    Create Process Command line: "c:\Program Files\Microsoft Security Client\\ConfigSecurityPolicy.exe" "C:\WINDOWS\CCM\EPAMPolicy.xml". EndpointProtectionAgent 11/02/2015 12:12:00 2692 (0x0A84)
    Applied the C:\WINDOWS\CCM\EPAMPolicy.xml with ConfigSecurityPolicy.exe successfully. EndpointProtectionAgent 11/02/2015 12:12:01 2692 (0x0A84)
    Save new policy state 1 to registry SOFTWARE\Microsoft\CCM\EPAgent\PolicyApplicationState EndpointProtectionAgent 11/02/2015 12:12:01 2692 (0x0A84)
    State 1 and ErrorCode 0 and ErrorMsg  and PolicyName Default Client Antimalware Policy
    SCEP Standard Desktop EP Policy and GroupResolveResultHash 5E75089B490B85DD66BBA85BC91E15A5EA853B9C is NOT changed. EndpointProtectionAgent 11/02/2015 12:12:01 2692 (0x0A84)
    Skip sending state message due to same state message already exists. EndpointProtectionAgent 11/02/2015 12:12:01 2692 (0x0A84)
    Firewall provider is installed. EndpointProtectionAgent 11/02/2015 12:12:01 2692 (0x0A84)

    Installed firewall provider meet the requirements. EndpointProtectionAgent 11/02/2015 12:12:01 2692 (0x0A84)

    Could anyone provide any pointers on why the scheduled scan won't work?


    Jaz

    Wednesday, February 11, 2015 4:01 PM
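
Added example, not part of the original post or of any Microsoft tooling: a Python triage script for MPLog files collected from affected clients. It reads the `Task(Scan ...) is scheduled to run in N(ms)` lines shown in the excerpt, computes when each scan was due, and reports tasks whose due time passed with no scan start logged. It assumes every scan start is logged in the same shape as the excerpt's `Process scan (...) started.` line; `overdue_scans`, `collected_at` and `grace` are names introduced here.

```python
import re
from datetime import datetime, timedelta

# Line shapes taken from the MPLog excerpt in the post.
TASK_RE = re.compile(r"^(\S+Z) Task\((Scan\b[^)]*)\) is scheduled to run in "
                     r"(\d+)\(ms\) from now with period (\d+)\(ms\)")
# Assumption: every scan start is logged like the post's
# "Process scan (postsignatureupdatescan) started." line.
START_RE = re.compile(r"^(\S+Z) .*\bscan \(([^)]+)\) started", re.IGNORECASE)
NOT_SCHEDULED = {"postsignatureupdatescan"}  # follows a signature update, not the schedule

def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%S.%fZ")

def overdue_scans(lines, collected_at, grace=timedelta(hours=1)):
    """Return (task, due) for Scan tasks whose due time passed with no scan start logged."""
    tasks, starts = {}, []
    for raw in lines:
        line = raw.strip()
        m = TASK_RE.match(line)
        if m:
            due = parse_ts(m.group(1)) + timedelta(milliseconds=int(m.group(3)))
            tasks[m.group(2)] = due  # a later reschedule replaces the earlier entry
            continue
        m = START_RE.match(line)
        if m and m.group(2).lower() not in NOT_SCHEDULED:
            starts.append(parse_ts(m.group(1)))
    overdue = []
    for task, due in sorted(tasks.items(), key=lambda kv: kv[1]):
        # Coarse check: any non-ignored scan start from (due - grace) onward counts as a run.
        ran = any(ts >= due - grace for ts in starts)
        if not ran and due + grace < collected_at:
            overdue.append((task, due))
    return overdue

# Lines copied from the MPLog excerpt in the post.
SAMPLE = """\
2015-02-11T05:57:40.982Z Process scan (postsignatureupdatescan) started.
2015-02-11T06:06:47.173Z Task(Scan -ScheduleJob -RestrictPrivileges) is scheduled to run in 604800000(ms) from now with period 21957080(ms)
2015-02-11T06:06:47.173Z Task(SignatureUpdate -ScheduleJob -RestrictPrivileges) is scheduled to run in 28800000(ms) from now with period 28800000(ms)
2015-02-11T06:06:47.173Z Task(Scan -ScheduleJob -RestrictPrivileges -ScanType 2) is scheduled to run in 86400000(ms) from now with period 70114864(ms)
""".splitlines()

if __name__ == "__main__":
    for task, due in overdue_scans(SAMPLE, datetime(2015, 2, 20)):
        print(f"OVERDUE since {due.isoformat()}: Task({task})")
```

Pass the time the log was collected as `collected_at`; timestamps in MPLog carry a `Z` suffix, so use UTC.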

Answers

  • Since no one has answered this post, I recommend opening a support case with Microsoft Customer Support Services (CSS) as they can work with you to solve this problem.



    Garth Jones | My blogs: Enhansoft and Old Blog site | Twitter: @GarthMJ

    • Proposed as answer by Garth Jones (MVP) Saturday, May 16, 2015 2:41 PM
    • Marked as answer by Garth Jones (MVP) Saturday, February 13, 2016 9:14 PM
    Saturday, May 16, 2015 2:40 PM

All replies

  • Hi,

    I noticed that your client version is 4.7.205.0.

    Please double check that the update installed without problems. As far as I know, that update requires a reboot. Lastly, make sure the client received the policy.


    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Thursday, February 12, 2015 7:36 AM
  • Hi,

    We did get this installed a couple of days ago, but this problem has been happening for a few months. The majority of machines scan fine, it's just a small percentage, around 100 which are not running the scheduled scan.

    The affected machines are picking up the policy and it says it should run a scan, and the log file above says it is about to run in x ms, but never does.

    Any other pointers are appreciated.

    Thanks


    Jaz


    • Edited by JazK Thursday, February 12, 2015 8:29 AM
    Thursday, February 12, 2015 8:29 AM
  • Hi,

    Please verify whether any GPO is applied and overwrites the setting; you can check the registry key:

    http://blogs.technet.com/b/mspfe/archive/2013/11/13/system-center-configuration-manager-2012-scep-policy-behavior.aspx



    Friday, February 13, 2015 8:50 AM
  • Hi,

    Yes I checked that article recently and the policies are correct on the machine, and in the registry.

    The console on the client displays the correct information for the Scheduled scan day and time, but Last scan is months ago.

    Thanks


    Jaz

    Friday, February 13, 2015 11:03 AM