About the types of scans and real-time protection

Symantec Endpoint Protection
includes different types of scans and real-time protection to detect different types of viruses, threats, and risks.
Starting in 14, scans access the complete definitions set in the cloud. See:
By default,
Symantec Endpoint Protection
runs an active scan every day at 12:30 P.M.
Symantec Endpoint Protection
also runs an active scan when new definitions arrive on the client computer. On unmanaged computers,
Symantec Endpoint Protection
also includes a default startup scan that is disabled.
When a client computer is off or in hibernation or sleep mode, the computer might miss a scheduled scan. When the computer starts up or wakes, by default the scan is retried within a specified interval. If the interval already expired,
Symantec Endpoint Protection
does not run the scan and waits until the next scheduled scan time. You can modify the settings for missed scheduled scans.
You should make sure that you run an active scan every day on the computers in your network. You might want to schedule a full scan once a week or once a month if you suspect that you have an inactive threat in your network. Full scans consume more computer resources and might affect computer performance. See:
Scan types
Scan type
Auto-Protect continuously inspects files and email data as they are written to or read from a computer. Auto-Protect automatically neutralizes or eliminates detected viruses and security risks. Mac clients and Linux clients support Auto-Protect for the file system only.
Starting in 14, on standard and embedded/VDI clients that are connected to the cloud, Auto-Protect automatically looks up the latest definitions in the cloud.
For more information, see:
Download Insight
(Windows only)
Download Insight boosts the security of Auto-Protect scans by inspecting files when users try to download them from browsers and other portals. It uses reputation information from Symantec Insight to allow or block download attempts.
Download Insight functions as part of Auto-Protect and requires Auto-Protect to be enabled.
For more information, see:
Administrator-defined scans
Administrator-defined scans detect viruses and security risks by examining all files and processes on the client computer. Administrator-defined scans can also inspect memory and load points.
The following types of administrator-defined scans are available:
  • Scheduled scans
    A scheduled scan runs on the client computers at designated times. Any concurrently scheduled scans run sequentially. If a computer is turned off or in hibernation or sleep mode during a scheduled scan, the scan does not run unless it is configured to retry missed scans. When the computer starts or wakes,
    Symantec Endpoint Protection
    retries the scan until the scan starts or the retry interval expires.
    You can schedule an active, full, or custom scan for Windows clients. You can schedule only a custom scan for Mac clients or Linux clients.
    You can save your scheduled scan settings as a template. You can use any scan that you save as a template as the basis for a different scan. The scan templates can save you time when you configure multiple policies. A scheduled scan template is included by default in the policy. The default scheduled scan scans all files and directories.
  • Startup scans and triggered scans
    Startup scans run when the users log on to the computers. Triggered scans run when new virus definitions are downloaded to computers.
    Startup scans and triggered scans are available only for Windows clients.
  • On-demand scans
    On-demand scans are the scans that run immediately when you select the scan command in
    Symantec Endpoint Protection Manager
    You can select the command from the
    tab or from the logs.
If the
Symantec Endpoint Protection
client for Windows detects a large number of viruses, spyware, or high-risk threats, an aggressive scan mode engages. The scan restarts and uses Insight lookups.
For more information, see:
(Windows only)
SONAR offers real-time protection against zero-day attacks. SONAR can stop attacks even before traditional signature-based definitions detect a threat. SONAR uses heuristics as well as file reputation data to make decisions about applications or files.
Like proactive threat scans, SONAR detects keyloggers, spyware, and any other application that might be malicious or potentially malicious. See:
Early launch anti-malware (ELAM)
(Windows only)
Works with the Windows early launch anti-malware driver. Supported only as of Windows 8 and Windows Server 2012.
Early launch anti-malware provides protection for the computers in your network when they start up and before third-party drivers initialize. See: