When implementing Endpoint Protection, both 2007 and 2012, one question that comes up many times is that the customer wants to run a weekly quick scan and a monthly full scan, or a daily quick scan and a weekly full scan. In the policy settings it is only possible to configure one scheduled scan, so you have to choose which one you want to schedule.
What actually happens on the client is that a scheduled task is created with the settings configured in the policy.
Besides the nice graphical interface, Endpoint Protection also has a command-line interface, MpCmdRun.exe. MpCmdRun.exe can be used to script actions on the clients such as a quick scan, a full scan, removing a definition, scanning a file and much more. MpCmdRun.exe is also the command that the scheduled task created by the Endpoint Protection client actually runs.
Creating an additional scan, which in many cases is a wanted feature, can be done either with a Group Policy using Group Policy Preferences, or with a Package/Program in Configuration Manager that executes the MpCmdRun.exe command.
Creating a scheduled task using Group Policy Preferences
Creating a Package/Program that triggers a full scan on the client once every month.
Start by creating a Package without any source files, as we will use the locally installed MpCmdRun.exe from C:\Program Files\Microsoft Security Client. Use the following command line: “c:\program files\Microsoft Security Client\MpCmdRun.exe” -scan -scantype 2
Then create a program with the settings shown below.
Deploy the program using a deployment that runs, for instance, every first Thursday of the month, and be sure to set it to “always rerun”.
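As an added example (not code from the original post), the following PowerShell script creates the additional scans described above directly as scheduled tasks on a client, which is what the Group Policy Preferences or Package/Program approaches end up doing. It goes a bit beyond the post: besides the weekly quick scan and the monthly full scan, it can also register a custom scan of a single folder using the -File switch that MpCmdRun.exe supports. The MpCmdRun.exe path is the one given in the post; the task names, start times and the scanned folder are assumptions.

```powershell
# Added example, not code from the original post: registers extra Endpoint Protection
# scans as scheduled tasks that run as SYSTEM via the locally installed MpCmdRun.exe.
# Task names, times and the scanned folder below are assumptions; the MpCmdRun.exe
# location is the one the post uses.

$MpCmdRun = Join-Path ${env:ProgramFiles} 'Microsoft Security Client\MpCmdRun.exe'
if (-not (Test-Path -LiteralPath $MpCmdRun)) {
    throw "MpCmdRun.exe not found at $MpCmdRun"
}

function New-ScepScanTask {
    param(
        [Parameter(Mandatory)] [string] $TaskName,
        [Parameter(Mandatory)] [ValidateSet('Quick', 'Full', 'Custom')] [string] $ScanType,
        [Parameter(Mandatory)] [string] $Schedule,   # schtasks.exe schedule switches, e.g. '/SC WEEKLY /D MON'
        [string] $StartTime = '12:00',               # HH:mm, 24-hour clock
        [string] $Path                               # folder or file to scan; only used with -ScanType Custom
    )
    # MpCmdRun -ScanType values: 1 = quick scan, 2 = full scan, 3 = custom scan of the -File target
    $scanTypeId = @{ Quick = 1; Full = 2; Custom = 3 }[$ScanType]

    # The inner \" are passed through to schtasks, which parses them as literal quotes,
    # so the "Program Files" path stays intact when the task runs.
    $taskRun = "\`"$MpCmdRun\`" -Scan -ScanType $scanTypeId"
    if ($ScanType -eq 'Custom') {
        if (-not $Path) { throw 'A custom scan needs -Path' }
        # Do not pass a trailing backslash in $Path; it would escape the closing quote
        $taskRun += " -File \`"$($Path.TrimEnd('\'))\`""
    }

    # /RU SYSTEM needs no password, /RL HIGHEST runs elevated, /F overwrites an existing task
    $argLine = "/Create /TN `"$TaskName`" /TR `"$taskRun`" /RU SYSTEM /RL HIGHEST /ST $StartTime $Schedule /F"

    # Passing one pre-built string stops PowerShell from re-quoting the embedded quotes
    $proc = Start-Process -FilePath 'schtasks.exe' -ArgumentList $argLine -Wait -NoNewWindow -PassThru
    if ($proc.ExitCode -ne 0) {
        throw "schtasks.exe failed for '$TaskName' (exit code $($proc.ExitCode))"
    }
}

# Weekly quick scan, Mondays at 02:00
New-ScepScanTask -TaskName 'SCEP Weekly Quick Scan' -ScanType Quick `
    -Schedule '/SC WEEKLY /D MON' -StartTime '02:00'

# Monthly full scan on the first Thursday, the cadence the post suggests for the deployment
New-ScepScanTask -TaskName 'SCEP Monthly Full Scan' -ScanType Full `
    -Schedule '/SC MONTHLY /MO FIRST /D THU' -StartTime '12:00'

# Hourly custom scan of one folder (the folder is an assumption)
New-ScepScanTask -TaskName 'SCEP Hourly Upload Folder Scan' -ScanType Custom `
    -Schedule '/SC HOURLY /MO 1' -Path 'D:\Uploads'

# Confirm the task exists and that the stored command line is what we expect
schtasks.exe /Query /TN 'SCEP Monthly Full Scan' /V /FO LIST
```

Run it from an elevated prompt. Because every task is created with /F it is safe to run the script again, which makes it usable as a Configuration Manager Package/Program as well. The same three pieces (the MpCmdRun.exe command line, the trigger and the SYSTEM account) are what you would fill in on a Group Policy Preferences Scheduled Task item if you prefer that route.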
Hi Jorgen,
You say “What really happens on the client is that a Scheduled Task is created on the client with the settings configured in the policy.”
I have SCCM 2012 SP1 and SCEP 2012 deployed to clients. I do have a scheduled scan configured by my policy, but I don’t see any Scheduled Task created locally on the client.
I can see the information about the scan in the client agent (greyed out) and also in the registry.
I’m having problems with the timing of running that scheduled scan, which is when I saw that I “should” have a scheduled task locally.
Normal?
Thanks
Hi,
Yes, you should have a scheduled task under Microsoft Antimalware Scheduled Scan, in Task Scheduler. Does the client perform a scheduled scan?
/Jörgen
Hi, thanks for the answer 🙂
Yes the client seems to do scheduled scan as per the returned information to the server.
I can also see the information in the event viewer locally.
I was trying to debug strange behaviour where the client starts a scan at different times than what is scheduled. I have enabled “Run scan when 2 scheduled scans are missed”, so I understand that sometimes it will run outside the scheduled time.
But it happened to run, complete and then rerun the next day for 4-5 days straight. The scheduled scan should run only once a week.
Kind of strange that I don’t see the scheduled task on any of my clients :S
If you have any suggestion, I’m listening 😉
thanks
@Jonathan – my guess is that you don’t see the scheduled task in your context. If you launch a cmd prompt as SYSTEM (using psexec) and then launch the Task Scheduler GUI from there (which in turn will spawn as SYSTEM), you should then see the scheduled task for SCEP.
Hello Jorgen,
My name is Uli and I want to implement a scheduled scan on a server that runs every hour and only on a specific folder. Is this even possible with Endpoint Protection or not?