Use the following information to verify the on-access scan compliance status for both managed and unmanaged systems:
- For standalone or unmanaged systems, view the compliance status using the following command:
    /opt/isec/ens/threatprevention/bin/isecav --getoasconfig --summary
- For Policy Orchestrator (ePO) managed systems, view the compliance status in the ePO console using the predefined query Endpoint Security Threat Prevention: On-Access Scan Compliance Status.
Below are the possible on-access scan (OAS) compliance statuses:
- Enabled and Compliant—The OAS configuration is enabled and all Threat Prevention processes (Scan Factory and OAS manager process) are running.
- Enabled and Noncompliant—The OAS configuration is enabled, but some of the Threat Prevention processes (either Scan Factory or OAS manager process) are not running.
  - This status can occur when OAS is enabled but FANOTIFY support or kernel modules could not be loaded.
  - This status can also be shown while OAS is still initializing. Depending on available system resources and DAT size, Scan Factory and OAS manager might take some time to start completely. Until then, the status shows as Noncompliant.
- Disabled and Compliant—The OAS configuration is disabled and the OAS manager process is not running. The Scan Factory might be running because of on-demand scan.
- Disabled and Noncompliant—The OAS configuration is disabled but the OAS manager process is running.
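
Added example (not vendor code): a POSIX shell check for standalone systems that wraps the command above and retries while the status is Enabled and Noncompliant, so the initialization window is not reported as a failure. It assumes the summary output contains one of the four status phrases listed on this page; the function names and the `ISECAV` and `OAS_STATUS` variables are hypothetical.

```shell
# Added example, not vendor code. Assumption: the summary output contains one
# of the four status phrases listed on this page.
ISECAV="${ISECAV:-/opt/isec/ens/threatprevention/bin/isecav}"  # hypothetical override

# Run the summary command from this page; empty output if it cannot run.
oas_summary() {
    "$ISECAV" --getoasconfig --summary 2>/dev/null || true
}

# Map summary text to a short status token.
oas_classify() {
    case "$1" in
        *"Enabled and Noncompliant"*)  echo enabled_noncompliant ;;
        *"Disabled and Noncompliant"*) echo disabled_noncompliant ;;
        *"Enabled and Compliant"*)     echo enabled_compliant ;;
        *"Disabled and Compliant"*)    echo disabled_compliant ;;
        *)                             echo unknown ;;
    esac
}

# oas_wait_compliant RETRIES DELAY_SECONDS
# Returns 0: Enabled and Compliant.
# Returns 1: still Enabled and Noncompliant after RETRIES checks, so this is
#            not just start-up; check FANOTIFY support and kernel modules.
# Returns 2: OAS disabled (either state) or output not recognised.
# The last status token is left in OAS_STATUS for logging.
oas_wait_compliant() {
    _oas_retries=$1
    _oas_delay=$2
    _oas_try=0
    while :; do
        OAS_STATUS=$(oas_classify "$(oas_summary)")
        case "$OAS_STATUS" in
            enabled_compliant) return 0 ;;
            enabled_noncompliant)
                _oas_try=$((_oas_try + 1))
                if [ "$_oas_try" -ge "$_oas_retries" ]; then
                    return 1
                fi
                sleep "$_oas_delay" ;;
            *) return 2 ;;
        esac
    done
}
```

Call it as `oas_wait_compliant 6 10` from a monitoring job and alert on exit codes 1 and 2, logging `OAS_STATUS` with the alert.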