Scheduled scans are one more layer of defense in your security arsenal. Not
scanning increases the risk of compromise. These days you need every layer
you can get! Consider the implications of the zero-day threat. It is quite
possible and plausible that real-time scanning will not detect a malware
object that it doesn't have a signature for. This beastie is now resident
on the system, performing its programmed intention.
Question: What is the first thing that a modern malware does these days when
successfully executed?
Answer: Discreetly de-activate anti-virus and firewall defenses to ensure
its success.
Question: What would be the next function that malware would likely perform?
Answer: Introduce other vulnerabilities and exploitable characteristics to
secure its existence.
Question: What do you think the next wave of viruses are going to behave
like?
Answer: They are going to target smaller groups, avoiding mass attacks so as
to avoid signature development, lock themselves into a system, behave in a
limited fashion to avoid detection, gather and forward info slowly, and
subvert "normal" processes.
If you don't actively scan, you are unlikely to notice that your A/V isn't
working properly.
Most of us rely on the silly little taskbar icon to indicate that A/V is
working in real-time. It's not that hard to write an app that pops an icon
into the system tray to look like A/V is working.
If you don't actively scan, that little malware program may sit on your hard
drive undetected, waiting for your defenses to go down or for some other
agent to activate it.
If you don't actively scan, there are alternate storage areas that can be
used to store viruses where real-time won't detect it. For one, the Master
Boot Record is a great place to store malware, and it can be reached earlier
in the boot process than A/V software.
If you don't scan, you are relying on a single defense, rather than the full
range of defenses provided by your A/V product.
Just my 2c. Collect the whole dollar!
Mark
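
The Master Boot Record point above, turned into a check that a scheduled job could run. This is an added example, not part of the original thread: it hashes the MBR's boot code and partition table separately and compares them with a stored baseline. The function names, the sample sector and the device path are assumptions made for illustration.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_END = 446           # bytes 0..445 hold the bootstrap code
PART_TABLE_END = 510          # bytes 446..509 hold four 16-byte partition entries
BOOT_SIGNATURE = b"\x55\xaa"  # bytes 510..511

def read_first_sector(path):
    """Read sector 0 from a disk image or raw device (the path is an assumption)."""
    with open(path, "rb") as disk:
        return disk.read(SECTOR_SIZE)

def fingerprint_mbr(sector):
    """Hash each MBR region on its own so a finding names what changed."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError(f"expected {SECTOR_SIZE} bytes, got {len(sector)}")
    return {
        "boot_code": hashlib.sha256(sector[:BOOT_CODE_END]).hexdigest(),
        "partition_table": hashlib.sha256(sector[BOOT_CODE_END:PART_TABLE_END]).hexdigest(),
        "signature_ok": sector[PART_TABLE_END:] == BOOT_SIGNATURE,
    }

def compare_to_baseline(baseline, current):
    """Return a list of findings; an empty list means the MBR matches the baseline."""
    findings = []
    if not current["signature_ok"]:
        findings.append("boot signature 0x55AA missing")
    if current["boot_code"] != baseline["boot_code"]:
        findings.append("boot code changed since baseline")
    if current["partition_table"] != baseline["partition_table"]:
        findings.append("partition table changed since baseline")
    return findings

def make_sample_mbr(boot_code):
    """Constructed sample sector (not from a real disk) with one active partition."""
    # Fields: status, CHS start, type, CHS end, LBA start, sector count = 16 bytes
    entry = struct.pack("<B3sB3sII", 0x80, b"\x00\x02\x00", 0x07,
                        b"\xfe\xff\xff", 2048, 204800)
    table = entry + bytes(48)  # remaining three entries left empty
    return boot_code.ljust(BOOT_CODE_END, b"\x00") + table + BOOT_SIGNATURE

if __name__ == "__main__":
    baseline = fingerprint_mbr(make_sample_mbr(b"\xfa\x33\xc0"))
    # Same partition table, one extra byte of boot code: only the code is flagged.
    current = fingerprint_mbr(make_sample_mbr(b"\xfa\x33\xc0\x90"))
    for finding in compare_to_baseline(baseline, current):
        print("ALERT:", finding)
```

Reading sector 0 from the running operating system trusts that system's disk I/O path, so the comparison is most reliable against an image taken from offline or rescue media.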
-----Original Message-----
From: kyle.moffitt (at) sophos (dot) com [email concealed] [mailto:kyle.moffitt (at) sophos (dot) com [email concealed]]
Sent: Thursday, December 29, 2005 12:07 PM
To: Bruce Martins
Cc: dfox168 (at) hotmail (dot) com [email concealed]; focus-virus (at) securityfocus (dot) com [email concealed]
Subject: Re: Do we still need scheduled scan?
I guess I'm not "telling" anyone anything, except which parameters
generally dictate best practices when considering system-wide scanning
strategy. Either way, "my" AV product is irrelevant to the question posed
-- and further qualified by a legitimate business problem -- which was
essentially "is this additional scan necessary with respect to all my other
defensive measures, AND the substantial overhead it consumes?". If I
thought the conclusion reached based on those parameters was a recipe for
disaster I wouldn't have offered such a reckless suggestion, especially
under my moniker.
Is scheduled scanning "pointless"? In a perfect world, no. But as it
stands, its business value may decrease when all other things are
considered. It's just another risk calculation we all must face in this
topsy-turvy world, my friend, so I'm just offering it as I hope you would
take it: FWIW. No apologies necessary.
Kyle Moffitt
Sophos, Inc.
"Bruce Martins" <BMartins@extend.COM>
12/29/2005 11:43 AM
To: <kyle.moffitt (at) sophos (dot) com [email concealed]>
cc: <dfox168 (at) hotmail (dot) com [email concealed]>, <focus-virus (at) securityfocus (dot) com [email concealed]>
Subject: Re: Do we still need scheduled scan?
So you're telling everyone that scheduled scanning is pointless because your
av products with real time scanning are perfect? That is a recipe for
disaster, no impact on a user that isn't there running a full scan every
hour doesn't make sense either, using all of the capabilities of the
products is best and having a fall back layer of a scheduled full system
scan doesn't hurt, calling this costly is nothing compared to lost data or
downtime to the user and/or network.
Apologies if I misread your response as I am on the move at the moment.
Bruce Martins
Systems Administrator
EXTEND>>MEDIA
190 Liberty Street
Toronto, Ontario
Canada
M6K 3L5
_______________________
e:bmartins (at) extend (dot) com [email concealed]
t: (416) 535-4222 ext. 2307
f: (416) 535-1201
http://www.extend.com
--------------------------
Sent from my BlackBerry Wireless Handheld
-----Original Message-----
From: kyle.moffitt (at) sophos (dot) com [email concealed] <kyle.moffitt (at) sophos (dot) com [email concealed]>
To: Bruce Martins <BMartins (at) extend (dot) COM [email concealed]>
CC: dfox168 (at) hotmail (dot) com [email concealed] <dfox168 (at) hotmail (dot) com [email concealed]>;
focus-virus (at) securityfocus (dot) com [email concealed] <focus-virus (at) securityfocus (dot) com [email concealed]>
Sent: Thu Dec 29 10:35:10 2005
Subject: Re: Do we still need scheduled scan?
This approach presumes updates are infrequent (> 1hr apart), and/or
inaccurate or expensive proactive detection is employed. The cost/benefit
of relying on on-access scanning (esp. for client machines) vs. costly and
redundant scheduled scanning is almost always in the end user's favor.
FYI, best practices differ based on the engineering of AV software, and a
particular vendor's global response capability to emerging threats.
Suffice to say, no two AV are alike.
Kyle Moffitt
Sophos, Inc.
"Bruce Martins" <BMartins@extend.COM>
12/29/2005 09:59 AM
To: <dfox168 (at) hotmail (dot) com [email concealed]>, <focus-virus (at) securityfocus (dot) com [email concealed]>
cc:
Subject: Re: Do we still need scheduled scan?
You should still run a scheduled scan; sometimes things are missed in
between dat file updates. If you run the scan late at night there should be
minimal impact.
Bruce Martins
Systems Administrator
EXTEND>>MEDIA
190 Liberty Street
Toronto, Ontario
Canada
M6K 3L5
_______________________
e:bmartins (at) extend (dot) com [email concealed]
t: (416) 535-4222 ext. 2307
f: (416) 535-1201
http://www.extend.com
--------------------------
Sent from my BlackBerry Wireless Handheld
-----Original Message-----
From: Doug Fox <dfox168 (at) hotmail (dot) com [email concealed]>
To: focus-virus (at) securityfocus (dot) com [email concealed] <focus-virus (at) securityfocus (dot) com [email concealed]>
Sent: Wed Dec 28 17:28:04 2005
Subject: Do we still need scheduled scan?
If we have already implemented virus scan at the gateway, on the mail
server, on individual servers, and real time scan on workstations/laptops,
do we still need scheduled, e.g., weekly, scan on workstations and laptops
as well as servers?
Scheduled scans really slow down some machines.
Any comments are appreciated.
Thanks,
Doug
--
Kyle Moffitt
Senior Account Executive, Sophos
Tel: 781 973 0110
Web: www.sophos.com
Sophos - integrated threat management