Focus on Virus
RE: Do we still need scheduled scan?
Dec 30 2005 12:39AM
Sewell, Cathy (csewell mbari org)
Hi Robert -
We have had situations where the real-time scan was not catching malware that the scheduled scan was catching, and the files weren't large zip files. I agree with you that these malware files were not "of immediate effect", and, of course, though it's happened twice, the situation was unusual. But it does happen, and beyond your example of a large zip file. For us, of course, this resulted in ensuing discussions with our anti-virus vendors, who confirmed that the "real-time" products might not catch malware that our regular scheduled scans (same product; same engine; same definitions file) would catch due to the prioritization necessary for speediest real-time scan performance, especially on a desktop. I think we may be saying the same thing. Nonetheless, all major vendors recommend scheduled scans in addition to real-time scanners.
Going with your argument to rely on real-time scans, those "embedded" malware files, ignored by the real-time scan, would then be stored on your systems. It does happen that real-time scanners are sometimes either accidentally or purposely turned off. Perhaps the real-time scanning service unexpectedly didn't start on the mail server because of a patch or a startup conflict. Perhaps a user turned off their desktop real-time scanner because it interfered with a software install, or because it was causing a performance impact while they were crunching a complicated computation. Then there are the otherwise intelligent users who naively report "I turn it off because I'm protected behind the company firewall." Even the savviest user could forget to turn the real-time scanner back on before opening other files. Those computers are vulnerable to the now lurking "embedded" malware files, with no protective real-time scan barrier. The user just has to touch the file...
Real-time scanning is very important, certainly a powerful and favorite tool. Yet relying solely on real-time scanning is inadequate. It is worthwhile to run regular scheduled scans, in addition to real-time scans. Layers of defense...
From: Robert Sandilands [mailto:rsandilands (at) authentium (dot) com]
Sent: Thursday, December 29, 2005 9:14 AM
To: focus-virus (at) securityfocus (dot) com
Subject: Re: Do we still need scheduled scan?
Real-time scanners should catch all malware that can directly affect
you. But it may decide not to scan that 500 MB zip file for performance
reasons. That file may contain a virus and a scheduled scan will detect
that. But there is no direct way you can be affected by that virus
without extracting the file, at which time the real-time scanner will
Sewell, Cathy wrote:
>From discussions with the anti-virus vendors during various crises over the years, I've learned that the real-time scans are optimized for speed, while the scheduled scans are focused on thoroughness. This means, disturbingly, that malware can elude the real-time scan, yet be caught by the more-thorough scheduled scan. Hence the anti-virus vendors' continued recommendations to run weekly scheduled local scans on all computers.
>From: Doug Fox [mailto:dfox168 (at) hotmail (dot) com]
>Sent: Wednesday, December 28, 2005 2:28 PM
>To: focus-virus (at) securityfocus (dot) com
>Subject: Do we still need scheduled scan?
>If we have already implemented virus scan at the gateway, on the mail
>server, on individual servers, and real time scan on workstations/laptops,
>do we still need scheduled, e.g., weekly, scan on workstations and laptops
>as well as servers?
>Scheduled scans really slow down some machines.
>Any comments are appreciated.
Robert Sandilands: Software Engineer
Authentium: Home of Command Software
Copyright 2010, SecurityFocus