I am using Endpoint agent v12 to do DAR discovery for PCI data on one production PC.
- One vanilla PCI DSS policy - No exceptions to the credit card number DI, Wide breadth, No optional validators, Count all unique matches (at least 1 match), Subject/Body/Attachments. No EDM or IDM.
- The Discover Target does not contain any Include/Exclude filters for file types or location, nothing filtered by size or date, 'Only scan files added or modified since the last full scan' is unchecked and 'Make next scan a full scan' is greyed out. Scan idle timeout is 10 minutes and Max scan duration is 2 days.
A full scan of the PC is kicked off and takes 8 hours 10 minutes to complete, producing zero Incidents. Time required to scan is about half of what has been seen to scan the same (or similar) PC. Thinking that the scan time and results are a little too good to be true, another full scan is kicked off the following day. The second scan takes 13 hours 48 minutes to complete, producing 125 Incidents.
Looking at the statistics reports for each day, the items scanned and bytes scanned numbers are very close, but the items unprocessable numbers differ greatly:
- On the day the scan completed in 8 hours, 53,677 items unprocessable
- On the day the scan completed in 13 hours, 435 items unprocessable
At a high level, I'm looking at the difference between these numbers as the reason for the shorter scan time. Are there specific places in the agent logs that can help explain this?