Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 5 replies
  • Subscribers 1 subscriber
  • Views 3862 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Scheduled scan breaks for unknown reasons, Sophos logging failed

strubbel

Hi,

we are in the process of moving scheduled scans to night hours.

Last night we had quite some machines which did not log the end of the scan as usual in the Scanjob.txt file:

Jobname: Nachts

Content of file Nachts.txt:

20120531 194237    Scan 'Nachts' gestartet.

Content of file SAV_20120531.txt :

20120531 194237    Scan 'Nachts' gestartet.
20120531 194950    Benutzer (NT-AUTORITÄT\SYSTEM) hat den On-Access-Scan auf diesem Computer abgebrochen.
20120531 195103    Die Erkennungsdatenversion 4.78G (Detection Engine 3.31.20) wird verwendet. Diese Version kann 3664173 Objekte erkennen.
20120531 195103    Benutzer (NT-AUTORITÄT\LOKALER DIENST) hat den On-Access-Scan auf diesem Computer gestartet.
20120531 195116    Die Erkennungsdatenversion 4.78G (Detection Engine 3.31.20) wird verwendet. Diese Version kann 3664173 Objekte erkennen.

and so on

When I go to such a machine I see that the scheduled scan does not run anymore, but why is the end of the scan not in the logs? This log entry does trigger the shutdown process of the machine here, and usually it works as expected.

:25441


This thread was automatically locked due to age.
Parents
  • 0

    Hello strubbel,

    strange that you didn't run into this before.  Just checked - the scan relies on savservice.exe. When the service is restarted the scan is silently stopped. Clearly the scan needs the service - but I'd have expected that it picks up again. Tried several times and once it looked like it did - can't tell as I was too surprised to think of all the details to check.

    Excuse me for writing bold red: It looks like a restart of savservice.exe silently kills any scan in progress

    Well. you might want to check with Support if this is indeed the case!

    Guess for the time being you can "script your way out" triggering the shutdown on the On-Access message (although I've just noticed that I've "lost" the Benutzer (NT AUTHORITY\SYSTEM) hat den On-Access-Scan auf diesem Computer abgebrochen. message when I restarted the service shortly after the scheduled scan had started. Still there's the problem of the aborted scan.

    Christian

    :25449
Reply
  • 0

    Hello strubbel,

    strange that you didn't run into this before.  Just checked - the scan relies on savservice.exe. When the service is restarted the scan is silently stopped. Clearly the scan needs the service - but I'd have expected that it picks up again. Tried several times and once it looked like it did - can't tell as I was too surprised to think of all the details to check.

    Excuse me for writing bold red: It looks like a restart of savservice.exe silently kills any scan in progress

    Well. you might want to check with Support if this is indeed the case!

    Guess for the time being you can "script your way out" triggering the shutdown on the On-Access message (although I've just noticed that I've "lost" the Benutzer (NT AUTHORITY\SYSTEM) hat den On-Access-Scan auf diesem Computer abgebrochen. message when I restarted the service shortly after the scheduled scan had started. Still there's the problem of the aborted scan.

    Christian

    :25449
Children
No Data