Question

Any way to force daily scans?

  • 27 October 2020
  • 5 replies
  • 124 views

Badge

Using the business version, is there any way to force a scan to run every single day?

I have a policy to scan daily and “scan before 8 am when the computer is idle” but this appears to not cause a scan to actually happen but once a week.  A specific computer I picked out as an example does not routinely experience “idle” times and is never shut off in normal operation, but spends entire weeks without performing a scheduled scan. 

There is another set of options such as “scan at 8 am when resources are available” but I am nervous to try it, it sounds to me like another conditional that might result in scans not being carried out under certain circumstances.

Anyone have any knowledge about this?

I also have an open ticket with Webroot but they’ve been slow to respond usefully, so I figured I’d take a shot on the forum.

Incidentally, I am aware the real value of Webroot is its realtime scan, but I am required to show daily file scans are being conducted as well.


5 replies

Userlevel 6
Badge +26

@Synthetic - the best practice setting is to leave it at a time “when resources are available” - not idle. Unfortunately, detecting idle means NOTHING is running, which is nearly impossible. Have to say, with years here at WR, i’ve never used the “When idle” setting as it’s kind of pointless. Servers can be doing something in the middle of the night, laptops and desktops may actually have active resources, so the likelihood of “idle” is pretty low probability. Idle is not the same as “user isn’t doing anything” it’s purely machine based resource usage, so it’s a misnomer on what exactly “idle” means. I suggest not using it.

Also, remember, the agents scan times and resource contention when scanning is super minimal. Your daily scans will only scan new files and delta from the previous day. The WR agent does not rescan the same thing or entire device every day. Most daily scans are under 5 mins and often 10 - 30 seconds. Which have zero impact on users. The default is 10am when resources are available. I’d advise to just leave it at 10am or 8am if the devices are actually on every day at 8am.

Hope that helps.

Badge

@coscooper - Hello!

I’ve changed the policy on the concerned machines to use “when resources are available at 6 AM” - we’ll see how it does by this time tomorrow.  As I have a policy to vary the time “by up to an hour” that means I suppose all scans should run between 5 AM and 7 AM, which I already know is in the period the fewest users are around.

I’m not super concerned about the resources the scans need, I’ve watched them before and already know from the logs they’re very brief most days.  My main concern was WR never deciding “resources are available” no matter what I do.  I do appreciate you mentioning it though.  We’ll try it out since you’re vouching for it.

Thanks for the reply.

Userlevel 6
Badge +26

Yep, that should produce a consistent scan log. Yes, the random setting will basically make it a window from 5-7 as you mentioned. 

Please post results tomorrow or next few days. If the agent isn’t reporting daily scans, something else is up. Also, suggest bumping your polling cycle down from daily to 1 hour or less. Something polling limits agent reporting. Scans are supposed to be independent, but i’ve seen daily polling somehow be an issue. We typically suggest 1 hour, 30 mins or 15 mins to align closer to RMM agents.

Badge

So, what I was afraid would happen is what occurred - out of 24 servers in my testing group, only 16 ran scans between 5 AM and 7 AM as I was expecting.

A few ran two scans, though.  From the logs, most of the scans run under the old schedule (“before 8 AM when idle”) occurred between 1 AM and 3 AM.  The handful of servers that ran two scans ran the first one in this time range.  This makes me think the policy did not get to all of the servers in a timely fashion despite me having had the polling frequency at 1 hour for some weeks prior to this, so now I’m concerned it’s possible some subset of the servers that did not run scans simply did not yet get the new policy applied.

It is an improvement.  Previously at most 8 of these servers were running daily scans on the schedule any given day.  I really need it to be 100% though.

Userlevel 6
Badge +26

@Synthetic - sounds like some servers didn’t get the policy update. You can force the endpoint to call home immediately through several mechanisms.

  1. Refresh Config - it’s manual requiring remote session login and isn’t consistent.
  2. Use the -poll command against wrsa.exe (can usually be scripted across several devices and is way more consistent as it’s a forced call home directly by the application. This is the specific command i use all the time for testing and making the agent take changes.)
  3. Your RMM integration also has a “poll management console” typically. However, that is a registry setting that does work very consistently, but i like -poll)

Hope that helps.

Reply