Focus on Virus
RE: Do we still need scheduled scan?
Dec 30 2005 12:26PM
Shaffer, Bruce (security stsgi com)
You can configure scheduled scans for performance: most packages will
allow you to catalogue all of the files on a drive and cache a checksum.
This makes for very quick scanning in that the scanner only has to pass
a file once if the checksum has not changed. Different packages use
different names for this: inoculating, immunizing, all the same thing.
Typically during a thorough scan a file is passed multiple times looking
for different things, using a checksum will verify that the file has not
changed rather than depending on an unreliable archive bit.
You can also schedule the scans for off-hours, and don't scan all files,
only scan those that could possibly execute. It sounds like a good idea
to scan every file, but, why would you want to scan things like TXT
files or proprietary file formats that do not execute? It's kind of
like hunting for elephants at the North Pole.
Another great time saver is to have your users clean up their Internet
cache and dump all the unnecessary off-line content and cookies, that
could save you from scanning thousands of files per machine and shave
considerable time off the job.
These are pretty basic configuration parameters and forgive me if it
sounds like talking down to you. With my years on the support side of
things I learned that no matter how accomplished the tech is on the
other end of the line, you still ask them if the computer is plugged in
to a live circuit when they report a system won't power up. (You'd be
surprised at the number of engineers I've caught on this one:)
Bruce Shaffer, CISSP
From: Robert Sandilands [mailto:rsandilands (at) authentium (dot) com]
Sent: Thursday, December 29, 2005 12:14 PM
To: focus-virus (at) securityfocus (dot) com
Subject: Re: Do we still need scheduled scan?
Real-time scanners should catch all malware that can directly affect
you. But it may decide not to scan that 500 MB zip file for performance
reasons. That file may contain a virus and a scheduled scan will detect
that. But there is no direct way you can be affected by that virus
without extracting the file, at which time the real-time scanner will
Sewell, Cathy wrote:
>From discussions with the anti-virus vendors during various crises
>over the years, I've learned that the real-time scans are optimized for
>speed, while the scheduled scans are focused on thoroughness. This
>means, disturbingly, that malware can elude the real-time scan, yet be
>caught by the more-thorough scheduled scan. Hence the anti-virus
>vendors' continued recommendations to run weekly scheduled local scans on
>From: Doug Fox [mailto:dfox168 (at) hotmail (dot) com]
>Sent: Wednesday, December 28, 2005 2:28 PM
>To: focus-virus (at) securityfocus (dot) com
>Subject: Do we still need scheduled scan?
>If we have already implemented virus scan at the gateway, on the mail
>server, on individual servers, and real time scan on
>do we still need scheduled, e.g., weekly, scan on workstations and
>as well as servers?
>Scheduled scans really slow down some machines.
>Any comments are appreciated.
Robert Sandilands: Software Engineer
Authentium: Home of Command Software
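
The checksum cache described at the top of this message, sketched as an added example (not part of the thread and not any vendor's code): files of executable types are hashed, and only new or changed ones are handed to the full scan. The extension list, the `deep_scan` callback and the `sig_version` key are assumptions; the cache is discarded when the signature version changes, because a file that scanned clean under old signatures may be detected by newer ones.

```python
import hashlib
import json
import os

# Assumed list of file types that can execute; not taken from any product.
SCAN_EXTENSIONS = {".exe", ".dll", ".com", ".scr", ".bat", ".vbs", ".js"}

def file_digest(path, chunk_size=65536):
    """SHA-256 of the file contents, read in chunks to bound memory use."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()

def load_cache(cache_path, sig_version):
    """Cached {path: digest}; empty if missing, corrupt, or built with
    a different signature version."""
    try:
        with open(cache_path, "r", encoding="utf-8") as fh:
            data = json.load(fh)
        return data["files"] if data["sig_version"] == sig_version else {}
    except (OSError, ValueError, KeyError, TypeError):
        return {}

def scheduled_scan(root, cache_path, sig_version, deep_scan):
    """Deep-scan only new or changed files; deep_scan(path) is the caller's
    engine and returns True when clean. Returns (scanned, skipped, flagged)."""
    cache = load_cache(cache_path, sig_version)
    clean, scanned, skipped, flagged = {}, [], [], []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            if os.path.splitext(name)[1].lower() not in SCAN_EXTENSIONS:
                continue  # non-executable type: not scanned at all
            path = os.path.join(dirpath, name)
            try:
                digest = file_digest(path)
            except OSError:
                continue  # unreadable or removed mid-scan
            unchanged = cache.get(path) == digest
            (skipped if unchanged else scanned).append(path)
            if unchanged or deep_scan(path):
                clean[path] = digest  # only clean files enter the cache
            else:
                flagged.append(path)  # not cached, so it is rescanned next run
    with open(cache_path, "w", encoding="utf-8") as fh:
        json.dump({"sig_version": sig_version, "files": clean}, fh)
    return scanned, skipped, flagged
```

A cache like this is only as trustworthy as its storage: it should live where the files being scanned cannot write to it.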
Copyright 2010, SecurityFocus