I am the last person to say that you should only have real-time
scanning. That would not be wise, but I wanted to introduce some
information into a discussion which seems to have gone the way of
discounting the value of real-time scanning.

I would also add intrusion detection/prevention, firewalls and gateway
scanners and proxies to the list of security policies to consider.

In the end it is all about what is an acceptable level of security for
you and how to get to that level while maintaining a usable
network/desktop.

Robert Sandilands

Sewell, Cathy wrote:
>Hi Robert -
>
>We have had situations where the real-time scan was not catching malware that the scheduled scan was catching, and the files weren't large zip files. I agree with you that these malware files were not "of immediate effect", and, of course, though it's happened twice, the situation was unusual. But it does happen, and beyond your example of a large zip file. For us, of course, this resulted in ensuing discussions with our anti-virus vendors, who confirmed that the "real-time" products might not catch malware that our regular scheduled scans (same product; same engine; same definitions file) would catch due to the prioritization necessary for speediest real-time scan performance, especially on a desktop. I think we may be saying the same thing. None the less, all major vendors recommend scheduled scans in addition to real-time scanners.
>
>Going with your argument to rely on real-time scans, those "embedded" malware files, ignored by the real-time scan, would then be stored on your systems. It does happen that real-time scanners are sometimes either accidentally or purposely turned off. Perhaps the real-time scanning service unexpectedly didn't start on the mail server because of a patch or a startup conflict. Perhaps a user turned off their desktop real-time scanner because it interfered with a software install, or because it was causing a performance impact while they were crunching a complicated computation. Then there are the otherwise intelligent users who naively report "I turn it off because I'm protected behind the company firewall." Even the savviest user could forget to turn the real-time scanner back on before opening other files. Those computers are vulnerable to the now lurking "embedded" malware files, with no protective real-time scan barrier. The user just has to touch the file...
>
>Real-time scanning is very important, certainly a powerful and favorite tool. Yet relying solely on real-time scanning is inadequate. It is worthwhile to run regular scheduled scans, in addition to real-time scans. Layers of defense...
>
>- CSewell
>
>-----Original Message-----
>From: Robert Sandilands [mailto:rsandilands (at) authentium (dot) com]
>Sent: Thursday, December 29, 2005 9:14 AM
>To: focus-virus (at) securityfocus (dot) com
>Subject: Re: Do we still need scheduled scan?
>
>Hi Cathy,
>
>Real-time scanners should catch all malware that can directly affect
>you. But they may decide not to scan that 500 MB zip file for performance
>reasons. That file may contain a virus and a scheduled scan will detect
>that. But there is no direct way you can be affected by that virus
>without extracting the file, at which time the real-time scanner will
>protect you.
>
>Robert Sandilands
>
>Sewell, Cathy wrote:
>
>>From discussions with the anti-virus vendors during various crises over the years, I've learned that the real-time scans are optimized for speed, while the scheduled scans are focused on thoroughness. This means, disturbingly, that malware can elude the real-time scan, yet be caught by the more-thorough scheduled scan. Hence the anti-virus vendors' continued recommendations to run weekly scheduled local scans on all computers.
>>
>>- CSewell
>>
>>-----Original Message-----
>>From: Doug Fox [mailto:dfox168 (at) hotmail (dot) com]
>>Sent: Wednesday, December 28, 2005 2:28 PM
>>To: focus-virus (at) securityfocus (dot) com
>>Subject: Do we still need scheduled scan?
>>
>>If we have already implemented virus scan at the gateway, on the mail
>>server, on individual servers, and real time scan on workstations/laptops,
>>do we still need scheduled, e.g., weekly, scan on workstations and laptops
>>as well as servers?
>>
>>Scheduled scans really slow down some machines.
>>
>>Any comments are appreciated.
>>
>>Thanks,
>>
>>Doug
--
#include http://robert.rsa3.com/disclaimer.html