
Odd and Troubling Idle Full Scan Results

My weekly NIS 2010 Idle Full System Scan ran today, and I was surprised that it ran so quickly, scanned only about 30% as many files as usual, and classified about 2/3 of those as Skipped (usually an insignificant number are skipped).

So about 90 minutes later I initiated a Full System Scan manually, and the results were the kind I have always seen in the Idle Full System scan prior to today.

It's troubling that today's Idle Full System Scan seems, well, screwed up. This has never happened before in 6+ months of weekly NIS 2009 & 2010 Idle Full Scans on 2 pcs.  Any idea why this might have happened?  I trust my pc to NIS 2010 (not that I don't also follow safe surfing practices and use adjunct tools occasionally).  So this really has me concerned.  I shouldn't have to "babysit" NIS looking for oddball Idle Scan behavior.

The scan summaries are below:

IDLE FULL SYSTEM SCAN - DURATION 7 MINUTES -->> Abnormal Looking
-->>>> Total Items Scanned 66,976
Files and Directories  64,151
Registry Entries 100
Processes and Startup Items 2254
Network and Browser Items 166
Other 105
Trusted Files 2350
-->>>> Skipped Files 45,066

FULL SYSTEM SCAN - DURATION 33 MINUTES -->> run manually about 90 minutes after Idle Full Scan.  Normal counts and classes.
-->>>> Total Items Scanned 182,157
Files and Directories  179,289
Registry Entries 300
Processes and Startup Items 2292
Network and Browser Items 271
Other 5
Trusted Files 2371
-->>>> Skipped Files 81

Message Edited by Ardmore on 12-08-2009 05:47 PM

Replies


Re: Odd and Troubling Idle Full Scan Results

Hi Ardmore:

You have probably seen posts about Norton Insight, and you may have looked at it in the link by the CPU meter on the main screen.  If you click on that and go to the Insight screen, it will tell you how many of your files are now trusted.  The more idle full system scans are done, and the more information from all of our machines, that identify files as trusted, the shorter and less intrusive our scans will be.  Only 16% of my files require scanning at the moment.

It also may be that the idle full scan was interrupted at some point in time, so it only shows the last time, in the tasks frame, that it took to finish scanning.

When you do a manual full system scan, it scans everything and the trust factor does not apply. 

Under certain circumstances profanity provides relief denied even to prayer. Mark Twain

Re: Odd and Troubling Idle Full Scan Results

Thanks for the thoughts delphinium, but I don't see how they apply in this case.

Maybe I'm missing something, but I don't see how Insight could cause such a huge *sudden* change in the Idle Full Scans' total number of scanned items, and total number of skipped items -- after months of nothing more than minor changes from week to week until today.  In fact,   the number of items listed as Trusted was about the *only* thing that looked normal in this run of my weekly Idle Full Scan.  I typically see a number around 2400 there.  It goes up a little over time, but not much. Finally, re the statement that with a manual full system scan it scans everything and the trust factor does not apply:  then why have my counts and categories always been very similar between Idle and Manual Full Scans, until the aberrant Idle Scan I had today?

As for possibility of some kind of interruption, why would the log say "Status - Completed?"  And besides, I'm not sure what kind of interruption it could be, as this pc was booted up several hours before the Idle Full Scan and was just sitting there unused until well after the scan completion time.

Message Edited by Ardmore on 12-08-2009 09:35 PM

Re: Odd and Troubling Idle Full Scan Results

Hi Ardmore

The log says completed because you are seeing the end of the scan. That last amount of time showing is the time after an interruption. The interruption could be caused by anything that causes the cpu to become active for a very short time. It could have been another background activity, a mouse that got moved by a cat for example, a check for some update, any of a number of things. If you would have looked right away at the cpu activity, I'm sure you would have seen some sort of interruption. My idle weekly full scan has been running at night lately. No one is on the computer then and things happen in the background to interrupt it. Nothing is scheduled at that time, but it still gets interrupted.

Success always occurs in private and failure in full view. Windows 10 Pro 64 bit Norton Core Security Plus 22.17.3.50 Core Firmware 282 I E 11 Chrome latest version.

Re: Odd and Troubling Idle Full Scan Results

floplot -

When I stop a *Manual* Full System Scan, the log says "Status - Stopped." 

When I've manually interrupted an *Idle* Scan by starting to use the pc, there is simply no scan result in the log.  It instead keeps trying periodically until it can complete scanning all the system files that need to be scanned.  This has happened to me several times.

Even if an interrupted Idle Scan *did* say "completed," this would be a very misleading bug.  Why lull users into a false sense of security, i.e., NIS saying, "Your system checks out A-OK" when what it really means is, "The items we looked at before something interrupted the scan were A-OK.  See you again next week"?

Message Edited by Ardmore on 12-08-2009 09:51 PM

Re: Odd and Troubling Idle Full Scan Results

Hi Ardmore

An interrupted idle full system scan will say cancelled at the time of the brief interruption. When it goes into idle time again, it will start up from where it was interrupted and it will then complete the full scan. When it is finished scanning, it will say completed and then show a time of the scan. If you look under the cpu usage part, you will just see the time for the last part of the scan after the last interruption. To find the total time it took for the scan to run, you have to look under History, Scans and look for the idle full system scan and there you will see the total amount of time it took to run.

Success always occurs in private and failure in full view. Windows 10 Pro 64 bit Norton Core Security Plus 22.17.3.50 Core Firmware 282 I E 11 Chrome latest version.

Re: Odd and Troubling Idle Full Scan Results

Hi Ardmore:

The scan will keep running whenever it hits idle time until it completes.  It doesn't just quit for a week.

Hi Ardmore:

This might help.  My machine has done the same thing.  On a manual full system scan, I have 1,200,000 items scanned.  On my last Idle full scan, I have 273 thousand and change.  The last segment shows 9 minutes to complete, but in history it shows the full amount of combined scan times.  If you are uncomfortable with this, you can go to the trust settings in the computer pane in Norton and under scan performance, change the trust to full scan.  It will be more what you are used to seeing, it will just take longer.

Under certain circumstances profanity provides relief denied even to prayer. Mark Twain

Re: Odd and Troubling Idle Full Scan Results

OK, I think some of this is getting clearer.

I went back and looked at the log entries for all the Idle Full Scans I've had since upgrading to 2010.  There was indeed BIG variation in the Total Items Scanned, even though they were all shown as complete.  One instance had only 11,000 Total Items.  So, two areas of followup questions for delphinium (previous or new respondents feel free to chime in as well, of course):

1.  Are you saying that that 11,000 represents the number of items scanned in the *final* idle session required to complete the Idle Full Scan, i.e., after interruption(s)?

2.  Prior to today's, *all* of the Idle Full Scans listed a total scan time of about 30 minutes.  Does this mean -- getting back to that 11,000-item example -- that NIS is reporting the *sum* of the idle sessions for minutes, but only the *final session* for item count?  If so, how can today's scan show only 7 minutes instead of the 30 minutes listed for all the prior Idle Full Scans?  I was thinking perhaps one (or more) of the items automatically moved to Trusted could have been a packed file that required a long scan time -- but could that really cause an 80% reduction in scan time??

Regardless of the answers, NIS *really* needs to work on the clarity of its logging/reporting/documentation for the Idle Full Scan process.  There's no need for it to be this confusing and nonintuitive.

Message Edited by Ardmore on 12-08-2009 11:02 PM

Re: Odd and Troubling Idle Full Scan Results

It is confusing Ardmore, and it also has to do with what processes are running at the time of the insight scans.  The more things you have running in your computer at the time of the idle time insight scan, the more files will be accepted as trusted.  So if you have a particularly busy week on the computer, with more programs open than usual, or even a couple of extra programs open while you do something else, you will see a bigger impact on the scans.

It may change back to where it was as well, depending on file updates, or changes, so the trust level is almost never static.

Mine changes very little, because I am mostly here, but if I were to open a few programs and let the idle time tasks work in the background, my trusted files would also increase in number.

In history, it should always show the total amount of time all the scans took.  The time shown in tasks only shows the completion of the last portion that ran.

Under certain circumstances profanity provides relief denied even to prayer. Mark Twain

Re: Odd and Troubling Idle Full Scan Results

The help files and program nomenclature can be so darn confusing, because you see statements like this one in the section on configuring Scan Performance Files:  “Configure to Full Scan to perform a complete scan of your computer. The complete scan includes a scan of all files on your computer irrespective of the confidence level or digital signature of the files.”  Yet further research shows that “Full Scan” and “Full System Scan” refer to two different things.  “Full Scan” is an option under Scan Performance Profile settings that instructs NIS not to bypass Norton Trusted files like the default setting of Standard Trust does.  It almost seems as if Norton would have to make an effort to be this confusing to those who take the time to review the documentation and understand the program.

Further -- based on my experience and your explanations -- I get a clear sense that much of the help files’ explanation on how a Full System Scan works does NOT apply to *Idle* Full System scans, even though this distinction is never made.  Talk about adding to the confusion...

A help page entitled “Scans” defines a Full System Scan as, “Checks all boot records, files, and running processes to which the user has access.”  So maybe that “has access” refers to skipping files which are being used by other processes (i.e., what you suggested)??  HOWEVER, the page entitled “Results Summary” says, “If your most recent scan was a Full System Scan, this tab shows the results of a comprehensive scan of your entire computer.”  Definitely needs clarification.

How can anyone assess whether the scan counts and times raise any red flags when the documentation is so confusing and contradictory (at least on the surface)?  If different behavior and/or results are sometimes to be expected  from an Idle Full System Scan vs. a manually-started  Full System Scan vs. a Pre-Scheduled Full System Scan, shouldn’t these distinctions be made clear -- instead of just referring to “Full System Scan” throughout the Help Files -- which confusingly isn’t even equivalent to “Full Scan” (the Scan Performance Profile setting)?

Anyway, now that I have that little (and well-deserved) rant against NIS documentation and nomenclature deficiencies (both Help-File and interface) out of the way...

Delphinium, you stated that, “the more things you have running in your computer at the time of the idle time insight scan, the more files will be accepted as trusted.”  However, contrary to your guess of heavy use, that pc has been virtually unused all week (though often powered on).  Nothing was even visibly open around the time of the idle scan. So having this particular Idle Full Scan be the first one to take only 7 minutes (per history) instead of 30 like all the prior ones seems especially odd.  The other time I had an even lower Total Item count, the “Skipped” count was very low and the scan time was the usual; whereas in the recent super-quick scan a big majority of the Total Items fell into Skipped.  This suggests something different was going on each time, but I’ll accept your expert opinion that some background process(es) may have interfered.

BTW, when I went to compare the Tasks listing to History I believe it also said 7 minutes.  I say, “I believe” because I quickly clicked the arrow on the left side of the entry thinking that might reveal further details.  Instead it started a scan, and the old task data for that line was gone after I stopped it.  Who would have thought you could MANUALLY start an IDLE scan???  Is Norton trying to tell me I have too much Idle time on my hands (whether or not they are correct)?

Re: Odd and Troubling Idle Full Scan Results

OK, an update:

It's now a week later, and my latest weekly idle full scan ran.  In the History entry it showed a low 21,000 total items scanned, but was back to the approx 1/2 hour scan time I'm used to (instead of the much shorter time last week).  But in Tasks the duration showed as only 7 minutes.  So, based on the advice from delphinium and others, I assumed this meant that the idle full scan had been interrupted, and that the final part after interruption(s) took 7 minutes, while the grand total run time was about 30 minutes.  (In Tasks, no item count is given, so I can't compare that stat to History.)

So to test this assumption I went into tasks and started a new Idle Scan there (as I mentioned before, I had discovered that "idle" full system scans can surprisingly be started manually from Tasks).  I purposely briefly cancelled idle after 25 minutes by starting to use the pc while the scan was still going.  My idle timeout is set to just 1 minute on that pc, so the scan soon resumed.  It finished about 5 minutes later.  I assumed that, when done, I would see results that mirrored the earlier, automatically-initiated idle full scan.  History did again give a scan time of about 1/2 hour.  But this time it showed 181,000 total items.  And Tasks listed the full run time (about 1/2 hour) instead of the 5-7 "post-idle-interruption" minutes I was expecting it to show.

So I still can't make heads or tails of this.  In summary, it was:

                        Automatic Idle Scan    Manual Idle Scan (run after Auto)
History - Minutes       30                     30
History - Total Items   21,000                 181,000
Tasks - Minutes         7                      30 (despite interruption at 25 minute point)

So I'm still perplexed about the discrepancies.  None of the explanations given seem to explain them all, even when we just look at the two from today.  Any more thoughts?  Thanks.


Re: Odd and Troubling Idle Full Scan Results

The Engineering team at Symantec is looking into this.  There is no update on this other than that and that I have sent them similar information and logs from my system.  Just wanted you to know that something was being done.  I will try and keep this thread up to date on what happens.
Win10 x64; Proud graduate of GeeksToGo

Re: Odd and Troubling Idle Full Scan Results

dbrisendine -

I appreciate the update.  Glad to hear the Engineering team is looking into it.  Even though the issue remains open while Engineering investigates, thanks to delphinium and the others for taking the time to respond.
