Focus on Virus
RE: Do we still need scheduled scan? Dec 29 2005 04:54PM
Sewell, Cathy (csewell mbari org) (1 replies)
Re: Do we still need scheduled scan? Dec 29 2005 05:13PM
Robert Sandilands (rsandilands authentium com) (1 replies)
RE: Do we still need scheduled scan? Dec 29 2005 10:09PM
Mark Brunner (mark_brunner hotmail com) (1 replies)
RE: Do we still need scheduled scan? Dec 30 2005 05:04PM
kyle moffitt sophos com (1 replies)
RE: Do we still need scheduled scan? Dec 30 2005 07:29PM
Mark Brunner (mark_brunner hotmail com)
> is there *ever* a time when the combination of schedule/on-access scanning
> offers greater (physical) security than on-access alone?

> The answer is, almost always, no.

There most certainly is. When I download Agent-Y infected File-X, and my
A/V definitions are current, but the definitions lack a signature for
Agent-Y, I become infected by Agent-Y. I get a new update in a day or two,
and Agent-Y is detected and hopefully removed from memory by the real-time
scan engine.
WONDERFUL! As an ID-10-T, or average user, I consider my system to be clean
as a whistle. So I go about my business. Now, Agent-Y is still sitting on
my system, and won't be detected until I open or manipulate File-X, or one
of the many files that it has infected.

When I open File-X, my real-time scanner goes off like the little old canary
in the coal mine that it is. It eliminates the symptom, not the cause. "I
wonder why these IT folks can't get their crap together and just FIX these
virus issues. That's the 10th time today that I've seen an alert! What are
we paying them for? And why are we paying for anti-virus software if it
can't even stop these things from happening?" Perception is reality, after
all.

Of course, I have already copied that ever so useful File-X to my home
computer where I am not as diligent as those annoying IT people at work. I
merrily go about infecting others with Agent-Y.

If you never scan for infections that have slipped through while you are
waiting for a signature, you have given up INTEGRITY. Does Sophos intend to
set the security tripod up on 2 legs? All things being equal, I will take
defense-in-depth and root-cause elimination.

Mark

-----Original Message-----
From: kyle.moffitt (at) sophos (dot) com [email concealed] [mailto:kyle.moffitt (at) sophos (dot) com [email concealed]]
Sent: Friday, December 30, 2005 12:04 PM
To: mark_brunner (at) hotmail (dot) com [email concealed]
Cc: focus-virus (at) securityfocus (dot) com [email concealed]
Subject: RE: Do we still need scheduled scan?

From what I gather, the germane question here is: all things being equal
(i.e. up-to-date and accurate detection is available), is there *ever* a
time when the combination of schedule/on-access scanning offers greater
(physical) security than on-access alone?

The answer is, almost always, no. Why?

1. If AV is not up-to-date to detect particular malware, no amount of
scanning will find it.
2. If AV is up-to-date, and configured to scan upon write, malware is
detected at the moment of being written to disk.
3. If AV is up-to-date, and configured to scan on-access, malware is
detected at the moment of being read.
4. If AV is up-to-date, and configured to scan on-access, dormant malware
is not harmful and cannot propagate without being read
5. If gateway AV is up-to-date, and configured to scan within archive
files, even a file excluded at the endpoint will be detected before leaving
the domain.

When is on-access scanning alone not enough? Only in the event when,
before accurate detection is available, you become infected with malware
specifically designed to affect system-critical files (i.e. those files
which boot up before the AV scanner). In this case, scheduling a scan with
updated detection will discover the malware when on-access scanning could
not.

This is a valid concern, but how often has that particular type of malware
been discovered? Very, very rarely. Could it happen again? Absolutely.
Is it likely, given the shift towards "stealthy" malware design strategy
previously mentioned? Probably not. Why? Because infecting
system-critical files is typically not a particularly effective way to make
money (the overwhelming intent of most malware today) without being easily
noticed.

[This particular risk, independent of specific malware, intent, or
detection, is directly proportional to the frequency of AV updating.]

Now, perhaps the point of all this: all things being ~equal, is there
*ever* a time when the combination of schedule/on-access scanning consumes
less system overhead (and thus, some measure of business capacity) than
on-access scanning alone?

The answer is, unequivocally, no.

Does that mean you should never schedule scans? No, but if you want to
significantly increase your ROA with only an *exceedingly* minimal increase
in risk (based on the previous 20+ years of malware creation), on-access
scanning is sufficient. At the very least, scheduled scans should only be
done when you are absolutely certain it will cause minimal disruption to
the business (a much more probable and costly risk than not scheduling
scans).

Again, AV vendors determine their own best practices based on the
reliability of their software, and they know that reliability better than
anyone else. If your AV vendor advises you to schedule scans every day,
there's probably a good reason why.

Kyle Moffitt
Sophos, Inc.

From: "Mark Brunner" <mark_brunner@hotmail.com>
To: <focus-virus (at) securityfocus (dot) com [email concealed]>
Date: 12/29/2005 05:09 PM
Subject: RE: Do we still need scheduled scan?
Please respond to: <mark_brunner@hotmail.com>

This doesn't really consider "downstream liability", passing the unscanned
file to others who may not be A/V protected. Your real-time scanner didn't
scan the file, you have not opened the file for scanning to occur, and it
sits on your system for whatever reason, unscanned. Yes, your customer,
friend or business associate may have chosen to rely on gateway scanning
only or not to protect themselves from the threat of viruses due to
complacency or ignorance. Do you want to be the vector of infection? How
does that look for your own and your company's reputation? Have you
practiced due diligence?

There is a definite and increasing threat from malware. It has been so for
many years, and will likely continue to be so for many more. It is not the
only threat, but it is credible and prolific. I would recommend that this
is probably not the time to reduce your efforts to protect your assets, or
the assets of your friends, colleagues and business associates. Accept that
scanning will introduce some short term pain, schedule your pain for a
"convenient" time, but accept the pain. The alternative is SO much more
painful.

I perform a light scan on my home system daily, do a weekly full scan with
full heuristics, and have real-time scanning enabled. I investigate every
instance of a possible infection reported by the heuristics engine and tweak
it accordingly. My scanner meshes with my email client to scan in and
outbound email. It also integrates with my personal firewall and IDS system
to report any unauthorized SMTP enabled applications that may attempt to
send email, or forward something nasty to me. It isn't Fort Knox, but it
provides a level of security in-depth that makes me reasonably comfortable.
In the coming months, I will be adding further levels of security to my home
network, replacing out of date firewall devices and adding further reporting
mechanisms. Not just because I enjoy tinkering, and desire to learn more
and more about security, but also because there is a clear and present
danger on the wire. My online information, although generally not
"personal", is important and valuable to me, even if it is of little use to
others.

Mark

-----Original Message-----
From: Robert Sandilands [mailto:rsandilands (at) authentium (dot) com [email concealed]]
Sent: Thursday, December 29, 2005 12:14 PM
To: focus-virus (at) securityfocus (dot) com [email concealed]
Subject: Re: Do we still need scheduled scan?

Hi Cathy,

Real-time scanners should catch all malware that can directly affect
you. But it may decide not to scan that 500 MB zip file for performance
reasons. That file may contain a virus and a scheduled scan will detect
that. But there is no direct way you can be affected by that virus
without extracting the file, at which time the real-time scanner will
protect you.

Robert Sandilands

Sewell, Cathy wrote:

>From discussions with the anti-virus vendors during various crises over
>the years, I've learned that the real-time scans are optimized for speed,
>while the scheduled scans are focused on thoroughness. This means,
>disturbingly, that malware can elude the real-time scan, yet be caught by
>the more-thorough scheduled scan. Hence the anti-virus vendors' continued
>recommendations to run weekly scheduled local scans on all computers.
>
>- CSewell
>
>-----Original Message-----
>From: Doug Fox [mailto:dfox168 (at) hotmail (dot) com [email concealed]]
>Sent: Wednesday, December 28, 2005 2:28 PM
>To: focus-virus (at) securityfocus (dot) com [email concealed]
>Subject: Do we still need scheduled scan?
>
>If we have already implemented virus scan at the gateway, on the mail
>server, on individual servers, and real time scan on workstations/laptops,
>do we still need scheduled, e.g., weekly, scan on workstations and laptops
>as well as servers?
>
>Scheduled scans really slow down some machines.
>
>Any comments are appreciated.
>
>Thanks,
>
>Doug
>
>
>

--
---------------------------------------------------------------------
Robert Sandilands: Software Engineer
Disclaimer: http://robert.rsa3.com/disclaimer.html
Authentium: Home of Command Software
www.authentium.com

--
Kyle Moffitt
Senior Account Executive, Sophos

Tel: 781 973 0110
Web: www.sophos.com
Sophos - integrated threat management
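The scenario argued over above (Mark's dormant File-X that on-access scanning never re-examines after the definitions catch up, against Kyle's concern about the overhead of full scheduled scans) can be made concrete with a small model. The following is an added example written for this archive page, not code from any poster or vendor: a toy scanner that records which definitions version each file was last checked against, so that a scheduled pass rescans only files that are stale relative to the current definitions. The signature set, file contents and version numbers are all constructed for the demonstration; the matching is a plain SHA-256 lookup standing in for a real engine.

```python
"""Model of on-access versus scheduled scanning across a definitions gap.

Added example (not from the thread). A file written before its signature
exists is scanned once, with the old definitions, and then sits untouched;
on-access scanning alone will not look at it again until something reads
it. A scheduled pass closes that gap, and tracking the definitions version
per file keeps that pass cheap: only stale files are rescanned.
"""
import hashlib
import os
import tempfile
from dataclasses import dataclass, field

# Constructed stand-in for "File-X infected with Agent-Y".
BAD_CONTENT = b"constructed sample standing in for Agent-Y"


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed definition sets: version 1 predates the sample, version 2 knows it.
SIGNATURES = {1: set(), 2: {sha256(BAD_CONTENT)}}


@dataclass
class Scanner:
    defs_version: int = 1
    scan_log: dict = field(default_factory=dict)    # path -> defs version used
    detections: list = field(default_factory=list)

    def _check(self, path: str) -> bool:
        """Hash the file and match it against the current definitions."""
        with open(path, "rb") as fh:
            digest = sha256(fh.read())
        self.scan_log[path] = self.defs_version
        hit = digest in SIGNATURES[self.defs_version]
        if hit and path not in self.detections:
            self.detections.append(path)
        return hit

    def write_file(self, path: str, data: bytes) -> bool:
        """Write followed by the on-write scan (Kyle's point 2)."""
        with open(path, "wb") as fh:
            fh.write(data)
        return self._check(path)

    def on_access(self, path: str) -> bool:
        """On-access scan: runs only when something actually reads the file."""
        return self._check(path)

    def update_definitions(self, version: int) -> None:
        self.defs_version = version

    def scheduled_scan(self, root: str, full: bool = False) -> list:
        """Walk root. Rescan every file if full, otherwise only files never
        scanned or last scanned with definitions older than the current set."""
        rescanned = []
        for dirpath, _, names in os.walk(root):
            for name in names:
                path = os.path.join(dirpath, name)
                if full or self.scan_log.get(path, 0) < self.defs_version:
                    self._check(path)
                    rescanned.append(path)
        return rescanned


def demo() -> dict:
    """Play out the thread's scenario and report what each stage saw."""
    with tempfile.TemporaryDirectory() as root:
        s = Scanner()
        bad = os.path.join(root, "file-x.doc")
        clean = os.path.join(root, "notes.txt")
        caught_on_write = s.write_file(bad, BAD_CONTENT)   # defs v1: missed
        s.write_file(clean, b"nothing to see here")
        s.update_definitions(2)
        s.on_access(clean)   # user opens notes.txt; file-x.doc is never touched
        dormant = bad not in s.detections
        first = s.scheduled_scan(root)    # only file-x.doc is stale
        second = s.scheduled_scan(root)   # nothing left to rescan
        base = os.path.basename
        return {
            "caught_on_write": caught_on_write,
            "dormant_after_update": dormant,
            "first_pass": sorted(base(p) for p in first),
            "second_pass": [base(p) for p in second],
            "detected": [base(p) for p in s.detections],
        }


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the two halves of the argument side by side: the on-write scan misses the sample (no signature yet), the later update does not revisit it, and the file stays dormant until the scheduled pass, which touches only the one stale file rather than the whole tree.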

Copyright 2010, SecurityFocus