Windows Server Manager Shows “Core Scanning Server” Stopped After Quick Heal Update – Explanation & Resolution

📅 06 Jan 2026 📂 General 👁 52 views

System administrators running Windows Server with enterprise antivirus and EDR solutions may occasionally observe a temporary service alert in Server Manager, indicating that the “Core Scanning Server” service is stopped.
This alert often appears during or immediately after a Quick Heal Antivirus update and then disappears automatically without manual intervention.

This knowledge base article explains why this behavior occurs, how to validate system security, and what actions (if any) are required, especially in environments using Quick Heal Antivirus Server Edition together with CatchPulse.

Affected Environment

Component	Details
Operating System	Windows Server 2016 / 2019 / 2022
Antivirus	Quick Heal Antivirus Server Edition
EDR / Behavioral Protection	CatchPulse
Monitoring Tool	Windows Server Manager
Service Name	Core Scanning Server
Executable	`SAPISSVC.EXE`

Technical Explanation

What is the Core Scanning Server service?

It is a Quick Heal internal scanning engine
Responsible for on-demand and real-time malware scanning

Installed at:

C:\Program Files\Quick Heal\Quick Heal AntiVirus\SAPISSVC.EXE

Why does the service start and stop automatically?

Unlike native Windows services, this service is:

Event-driven
Starts only when scanning is required
Stops automatically when idle
Fully controlled by the Quick Heal engine

This is by design.

Why the Server Manager Alert Appears

Windows Server Manager flags any service that is:

Set to Automatic
But currently Stopped

It does not understand third-party antivirus service logic, so it raises a false operational alert, even though protection remains active.

Why the Alert Disappears After Quick Heal Update

During a Quick Heal update:

Antivirus engine components are temporarily unloaded
Virus definitions and scanning DLLs are updated
Core scanning components re-register with Windows
Server Manager re-checks service state
Alert clears automatically once the engine stabilizes

✔ This confirms successful update and service health

Validating That the Server Is Secure

Quick Heal Console Checks (Authoritative)

Ensure the following show Green / Enabled:

Real-Time Protection
Virus Protection
Malware Protection
Firewall / IDS / IPS
Virus Database Updated
Valid License

If these are green → Server is protected

Use Cases

Scenario	Interpretation
Alert appears during update	Normal behavior
Alert clears automatically	No action required
Quick Heal dashboard green	Security intact
CatchPulse active	Layered protection healthy
Alert persists + Quick Heal red	Requires investigation

Step-by-Step Validation Procedure

Step 1: Check Quick Heal Status

Open Quick Heal Antivirus Server Edition
Go to Status
Confirm System is Secure

Step 2: Optional Malware Test (EICAR)

Create a file with the following content:


X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*

✔ If Quick Heal blocks or deletes it → scanning engine is active

Step 3: Confirm CatchPulse Status

Ensure CatchPulse agent is running
Check no Quick Heal binaries are blocked
Verify behavioral monitoring is enabled

Commands & Examples

Verify Service State (for reference only)


Get-Service -Name "Core Scanning Server"

Note: Stopped state is acceptable if Quick Heal UI is healthy.

Common Issues & Fixes

Issue	Cause	Resolution
Alert appears briefly	AV update in progress	Ignore
Alert clears automatically	Engine reload	Expected
Service won’t stay running	On-demand design	Do not force
Persistent alert + AV red	Corrupt install	Repair Quick Heal
Scan fails	Definition issue	Manual update

Security Considerations

Do not rely on Server Manager alone for security validation
Always use the antivirus console as the source of truth
Ensure coexistence exclusions between AV and EDR
Keep antivirus definitions and licenses current

Best Practices

Treat transient AV service alerts as informational
Document antivirus update windows in SOPs
Use layered security:
- Quick Heal → signature & file-based protection
- CatchPulse → behavioral & execution control
Use Server Manager only for core Windows services
Capture Quick Heal “System is Secure” screenshots for audits

Conclusion

The Core Scanning Server alert observed in Windows Server Manager after a Quick Heal update is normal, expected behavior.
The service is on-demand by design, and its automatic stop does not indicate a security issue.

If the Quick Heal dashboard shows System is Secure, and CatchPulse is active, the server is fully protected.

#WindowsServer #QuickHeal #CoreScanningServer #AntivirusServer #ServerSecurity
#EDR #CatchPulse #WindowsServer2019 #WindowsServer2022 #ITOperations
#ServerManager #CyberSecurity #EnterpriseSecurity #MalwareProtection
#RansomwareProtection #AVUpdate #SecurityMonitoring #ITAdmin
#ServerMaintenance #InfoSec #EndpointSecurity #SecurityBestPractices
#SOC #ServerHardening #AuditReady #ITSupport #AVManagement
#ServerAlerts #FalsePositive #SecurityOps #InfrastructureSecurity

quick heal core scanning server core scanning server stopped quick heal antivirus server edition windows server manager alert quick heal update behavior sapissvc.exe antivirus service stopped automatically windows server antivirus alert quick heal