ESET AV running multiple simultaneous scans

[JRV 1]

A Windows 10/ESET AV 7.0.2091.0 user complained of slow performance. Checked Task Manager and found disk was 100% utilized, mostly by ESET. Opened ESET and discovered 4 Scheduled Scans running at the same time. User says she never turns computer off, but it does sleep after a timeout.

In ESMC, the Policy for Scheduler has an entry for Scheduled Scans to run at 12:00. As it was shortly after 13:00, that's the only one I'd expect to be running. 

Looking at the start times for the scans, I woke the computer from sleep via ESMC Wake-Up Call 3 times earlier today to update its ESET Agent, which I had missed earlier. I think those wake-up calls correspond to the scan start times. In ESMC, those are not "Scheduled Scans" but "Automatic Startup File Checks". But I don't know if ESET AV uses the same nomenclature. Would those be 3 of the 4 scans, with the 4th being the one that starts at 12:00?

I guess one of those scans would have been initiated after the Agent update?

Are scans interrupted by the computer sleeping, or do scans keep it awake (or can they be set to do so)?

The Scheduled Scan was originally set to run ASAP if a scan is missed; I've just modified that to scan only if a scan has not been completed in the prior 24 hours. My goal is to avoid having more than one Scheduled Scan running at a time; will this achieve it?

Edited December 5, 2018 by JRV

[Marcos 5,074]

The trigger ASAP means that the task will be executed the next time ekrn.exe starts, ie. after the next computer restart. It is possible that multiple scans are started at once if the computer was in standby or sleep mode the last time the task was to be executed.

With a re-worked scheduler that will be implemented in one of the future versions multiple scans should not run concurrently.

As an administrator I would not schedule on-demand scans, at least not very often (more than once or twice a month probably). The thing is that files are thoroughly scanned with protection modules that leverage even more "aggressive" detections as files enter the machine (e.g. when downloaded from the Internet) and both the memory and autorun locations are scanned after each update, plus Advanced memory scanner scans memory upon execution of files.

[JRV 1]

Marcos, thanks for your reply.

A little wary about backing off on the scheduled scans. At all sites I manage, including ESET sites, scheduled scans pick up malware that real-time scans miss. Presumably because of updated virus definitions. Managed AV, including ESET usually doesn't include a default scheduled scan, but I've learned to always implement one when I inherit a site. And as soon as I do, the console is flooded with malware missed by real-time scans. So the question I have to answer is, how long am I OK with leaving malware on the machine?

But even if I eliminated my scheduled scan, it appears that the other 3 would have run anyway, simultaneously, and that's still 2 too many. Hope the scheduler is re-worked soon!

[Marcos 5,074]

Quote

scheduled scans pick up malware that real-time scans miss.

I would appreciate if you could provide me with some examples of such malware. If a new malware was not recognized and  managed to run, it would have been detected and cleaned by a startup scan which is run after an update or when the system starts.

[JRV 1]

Marcos, I can't give you specifics. This is a general observation from nearly 3 decades of IT experience...but none of it in the last few weeks where I could look it up in logs. It is, however, a fact that when I take over a site that doesn't have scheduled scans (which is most of them) and add one, malware is found. Thereafter, malware is rarely but occasionally found in a scheduled scan that was missed by a real-time scan.

I will not be stopping scheduled scans, but I will eagerly look forward to ESET making the scheduler smart enough so that the 3 OTHER scans, scheduled by default and not by me, don't all run simultaneously. That's ridiculous.