21.13 Full-Disk Scan
Users can set scan tasks on multiple clients simultaneously to scan local disks and encrypt/decrypt specified files. A single client can have multiple encrypt/decrypt tasks, which are executed in the order they were created.
Administrators with Encryption Function – Task Management permission can access the encryption management main window via the Document Security Management menu, then select Full-Disk Scan to configure full-disk scan and encryption/decryption tasks.
Note: Full-disk scan is also supported on Mac and Linux clients.
21.13.1 Disk Scan Task Settings
Full-Disk Scan Encryption Task
Steps to set up a full-disk scan encryption task:
- 1. Select one or more client machines, click the Add button, and choose Create Encryption Task from the menu to open the task creation dialog.
- 2. In the General tab, configure the general settings.
- 3. Switch to the Advanced tab to configure advanced settings.
- 4. After completing the settings, click OK to create the scan encryption task successfully.
General Settings Description:
Task Name | The name of the current task. A default value is automatically provided and can be modified.
Select Targets | Choose the target computers. Previously selected clients are pre-checked, and you can add or remove selections.
Scan Path | Specify the scan paths. By default, all local drives are included. You can set local paths, network paths, or mapped drive paths. Multiple paths can be separated by commas or semicolons. You can use specific drive letters (e.g., C:\;D:\) or predefined identifiers to scan corresponding drive types. Currently, three identifiers are supported:
- Local Drives: _local — scans all local drives on the client.
- Portable Drives: _portable — scans all connected portable devices, including USB drives, secure USB drives, encrypted drives, and external hard drives. Does not support encrypted workspaces, mobile phones, or optical drives.
- Mapped Drives: _map — scans all locally mapped drives on the client.
Include Files | Files within this scope will be scanned and encrypted. You can select from predefined file types or click the button to manually enter file types. Wildcards are supported (e.g., *.doc, C:\*, D:\test\*.txt).
Exclude Files | Files within this scope will not be scanned or encrypted. You can select from predefined file types or click the button to manually enter file types. Wildcards are supported (e.g., *.doc, C:\*, D:\test\*.txt).
Filter Files | By default, some system files are excluded. Click the button to view the specific filtered files. To include these files in the scan, add them to the Include Files list.
Note:
- The priority among Include Files, Exclude Files, and Filter Files is: Exclude > Include > Filter.
Advanced Settings Description:
Settings Option | Description
Task Options | Configure the actions to be performed during the task.
Encrypt Plaintext to Ciphertext | Plain files detected during the scan will be encrypted.
Change Document Properties for Ciphertext | Encrypted files detected during the scan will have their document properties modified. Three options are available:
- Public–Normal Change: Only changes the access permissions of encrypted files with the "Public–Normal" attribute.
- Change Lower-Level to Higher-Level: Compares the original and new permissions of encrypted documents. If the original permission level is lower than the new one, it will be updated.
- Comparison rules:
- 1. Within the same security zone, compare security levels.
- 2. Across different security zones, the public zone is lower than other zones.
- 3. Between non-public zones, there is no hierarchy.
- Force Change: Overrides the original security attributes, applying the new settings regardless of the original attributes.
Document Properties | Configure the properties applied to files after encryption, including permissions, access rights, and user rights.
Document Settings | Set the document’s permissions and access rights. Default is Public–Normal.
User Rights | When enabled, specify creator identity, target users, and permissions. Encrypted files will carry these user rights.
- Creator Identity: Choose from Machine-Associated User, Last Logged-In User, or Specified User. Selecting Specified User opens the user organizational tree via the button to select the desired user.
- Document Targets & Permission: By default, includes <Creator>, which cannot be deleted. To add reader objects, click the button to open the organizational tree and select users or roles as document readers.
- Associated Permission: Document permissions include Read, Modify, Copy, Print, Screenshot, Decrypt, and Set Permissions.
Performance Settings | Configure system performance during task execution.
Scan Speed Priority | Scanning is faster but may impact system performance. Recommended for non-working hours.
System Performance Priority | Scanning is slower, minimizing resource usage and preserving system performance. Recommended for working hours.
Scan Only When Idle | Scanning and encryption occur only when the client is idle. The client is considered idle when its status in the console shows Running (Idle).
Scan Time Period | Set the start time for the scan and encryption task. Select the desired time category from the dropdown menu, which corresponds to the categories defined in Time Type Management.
File Size | Only files within this size range will be encrypted.
Note:
- 1. If Include Files is empty or no target computers are selected, the scan and encryption task cannot be created.
- 2. When an administrator creates an encryption task and sets document security properties, it is subject to their own security zone and level restrictions.
- 3. Once a full-disk scan encryption task is created, its settings cannot be modified. Ensure all settings are confirmed before creating the task.
Full-Disk Scan Decryption Task
Steps to set up a full-disk scan decryption task:
- 1. Select one or more client machines, click the Add button, and choose Create Decryption Task from the menu to open the task creation dialog.
- 2. In the General tab, configure the general settings.
- 3. Switch to the Advanced tab to configure advanced settings.
- 4. After completing the settings, click OK to create the scan decryption task successfully.
General Settings Description:
Settings Option | Description
Task Name | The name of the current task. A default value is automatically provided and can be modified.
Select Targets | Choose target computers. Previously selected clients are pre-checked, and you can add more. Use the search bar to enter a target name for fuzzy matching; clicking search once locates the next matching object.
Scan Path | Specify the scan paths. By default, all local drives are included. You can set local paths, network paths, or mapped drive paths. Multiple paths can be separated by commas or semicolons. You can use specific drive letters (e.g., C:\;D:\) or predefined identifiers to scan corresponding drive types. Currently, three identifiers are supported:
- Local Drives: _local — scans all local drives on the client.
- Portable Drives: _portable — scans all connected portable devices, including USB drives, secure USB drives, encrypted drives, and external hard drives. Does not support encrypted workspaces, mobile phones, or optical drives.
- Mapped Drives: _map — scans all locally mapped drives on the client.
Include Files | Files within this scope will be scanned and decrypted. By default, all files are decrypted. You can select from predefined file types or click the button to manually enter file types. Wildcards are supported (e.g., *.doc, C:\*, D:\test\*.txt).
Exclude Files | Files within this scope will not be scanned or decrypted. You can select from predefined file types or click the button to manually enter file types. Wildcards are supported (e.g., *.doc, C:\*, D:\test\*.txt).
Advanced Settings Description:
Settings | Description
File Security Attributes | Specify which encrypted files will be decrypted based on access permissions and security attributes.
All Zones, All Levels | Select to decrypt encrypted files in all zones and levels.
All Zones, Specific Level | Select this option and specify a level to decrypt encrypted files in all zones at that level.
Specific Zone, Specific Level | Select this option and specify a zone and level. Encrypted files with access permissions equal to or lower than this setting will be decrypted.
Performance Settings | Configure system performance during task execution.
Scan Speed Priority | Scanning is faster but may impact system performance. Recommended for non-working hours.
System Performance Priority | Scanning is slower, reducing resource usage and preserving system performance. Recommended for working hours.
Scan Only When Idle | Scanning and decryption occur only when the client is idle. The client is considered idle when its status in the console shows Running (Idle).
Scan Time Period | Set the start time for the scan and decryption task. Select the desired time category from the dropdown menu, corresponding to Time Type Management categories.
File Size | Only files within this size range will be decrypted.
Note:
- 1. If no target computers are selected, the scan and decryption task cannot be created.
- 2. When an administrator creates a decryption task and sets document security properties, it is restricted by their own security zone and level.
- 3. Once a full-disk scan decryption task is created, its settings cannot be modified. Ensure all settings are confirmed before creating the task.
- 4. Encrypted files without user rights will be decrypted according to the specified security attributes.
- 5. For encrypted files with user rights:
If File Security Attributes is set to All Zones, All Levels, user rights are ignored and all documents are decrypted.
If set to All Zones, Specific Level or Specific Zone, Specific Level, only documents readable by all users will be decrypted. Documents with restricted user access will not be decrypted.
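Added example (not part of the product documentation or the vendor's code): a Python model of the comparison rules listed under Change Lower-Level to Higher-Level and of the decryption selection in notes 4 and 5 above, for predicting which files a task will touch before it is created, since tasks cannot be modified afterwards. Integer levels with 0 as Normal, the zone names R&D and Finance, and reuse of the same comparison rules for "equal to or lower than" in decryption are assumptions.

```python
from dataclasses import dataclass

PUBLIC = "Public"  # zone name taken from the page's "Public–Normal" default


@dataclass(frozen=True)
class Attr:
    zone: str
    level: int  # assumption: levels are ordered integers, 0 = Normal


def is_lower(a: Attr, b: Attr) -> bool:
    """True if a ranks strictly below b under the three comparison rules."""
    if a.zone == b.zone:
        return a.level < b.level   # rule 1: same zone, compare levels
    if a.zone == PUBLIC:
        return True                # rule 2: public zone is below other zones
    return False                   # rule 3: no hierarchy between non-public zones


def new_attr(mode: str, orig: Attr, new: Attr) -> Attr:
    """Attribute an already-encrypted file carries after the scan."""
    if mode == "force":
        return new                 # Force Change: always overwrite
    if mode == "public_normal":
        return new if orig == Attr(PUBLIC, 0) else orig
    if mode == "lower_to_higher":
        return new if is_lower(orig, new) else orig
    raise ValueError(mode)


def will_decrypt(scope: str, target: Attr, attr: Attr, restricted: bool) -> bool:
    """scope is 'all', 'level' (all zones, target.level) or 'zone_level'.
    restricted: the file carries user rights that limit who can read it."""
    if scope == "all":
        return True                # note 5: user rights are ignored
    if restricted:
        return False               # note 5: restricted documents are skipped
    if scope == "level":
        return attr.level == target.level
    if scope == "zone_level":      # assumption: same ordering as is_lower
        return attr == target or is_lower(attr, target)
    raise ValueError(scope)
```

Under this model an "R&D" file is never upgraded or decrypted by a task targeting "Finance", whatever the levels, because rule 3 makes the two zones incomparable.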
21.13.2 View Task Information
Multiple encrypt/decrypt tasks can be set for a single client. Tasks are executed in the order they were created. The task currently being executed is the Current Task, while tasks waiting to be executed are Pending Tasks. Once the current task is completed, the next pending task automatically becomes the current task.
Current Task Information
In the upper view of the full-disk scan interface, you can view the basic information of the task currently being executed on each client.
Item | Description
Computer | The name of the client computer.
Group | The name of the group the client belongs to.
Scan Function | Status of the scan function: Enabled or Disabled. When enabled, full-disk tasks can be executed; when disabled, full-disk tasks are paused. The default status is Enabled.
Current Task | The name of the full-disk task currently being executed on the client.
Current Task Status | Status of the full-disk task currently being executed on the client:
- 1. Enabled: Task is running; status shows Started.
- 2. Disabled: Task is paused; status shows Paused.
- 3. During starting or pausing, the status shows Starting or Pausing.
- 4. Upon completion, status shows Completed.
Start Time | The start time of the full-disk task currently being executed on the client.
Progress | The completion progress of the current full-disk task, automatically updated in real time.
Other Task Information
Select a client, and in the Task Information tab in the lower view of the full-disk scan interface, you can view not only the current task but also the pending tasks for that client. The details include all settings configured when each encryption or decryption task was created.
Note:
- Full-disk scan tasks are executed only once and are not retained after completion. Subsequent tasks will then be executed.
- Special Case:
If the last task for a client (with no pending tasks) is completed, its information remains in the Current Task section of the full-disk scan interface. Performing Disable Scan Function → Enable Scan Function on that client will re-execute the task, which is useful for scenarios requiring the same task to be run periodically.
21.13.3 View Task Logs
In the full-disk scan interface, select a client and open the Task Logs tab in the lower view to view the logs of tasks executed on that client. Use the Refresh button on the toolbar to update the log view.
Item | Description
Time | The timestamp when the log entry was generated.
Task Name | The name of the task currently being executed.
Content | Includes the task's completion percentage, the directory currently being scanned, and key information about the task (including include and exclude conditions).
21.13.4 Enable/Disable Scan Function
Disable
The scan function on a client is enabled by default. In the full-disk scan interface, select one or more clients and click the Disable button or choose Disable Scan Function from the right-click menu. The scan function on the selected clients will be disabled, and any running tasks will be paused.
Enable
Select one or more clients with the scan function disabled, then click the Enable button or choose Enable Scan Function from the right-click menu. The scan function on the selected clients will be enabled. Any paused tasks will resume, and subsequent tasks will execute in order.
21.13.5 Delete Task
Select one or more clients, then click the Delete button or choose Delete Client Task from the right-click menu. All tasks for the selected clients, including the current and pending tasks, will be deleted.
21.13.6 Search Client Tasks
Search
Click the Search button to open the Select Query Object dialog. Choose the desired client or client group and click OK. The client list will then display only the clients matching the search criteria for targeted viewing.
Mode
Click the Mode Switch button to choose between displaying All Clients or only Clients with Tasks.