Educause Security Discussion mailing list archives
Re: AV - Full scans or On Access Scans
From: "Halliday,Paul" <Paul.Halliday () NSCC CA>
Date: Thu, 10 Apr 2008 19:12:40 -0300
If you are really interested (if you manage any sort of AV), take a peek at the book "The Art of Computer Virus Research and Defense" by Peter Szor. In particular chapter 10, part II - Strategies of the Defender and, for the more tech savvy, chapter 7 "Advanced Code Evolution Techniques and Computer Virus Generator Kits". The latter will likely change the way you feel about your protection altogether. The challenges that the vendors are up against are very interesting and quite complex. I wouldn't rely too heavily on their gospel. While most of this publication is quite technical, even the casual reader will glean enough to make a more informed decision with regards to this topic.

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Di Fabio, Andrea
Sent: Thursday, April 10, 2008 4:38 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] AV - Full scans or On Access Scans

Great thread,

Has anyone talked to AV vendors about offline scanning? Newest threats such as rootkits and VM based malware are getting increasingly difficult to detect while the OS is running. I have been asking different AV companies about their plans to implement offline scanning where a PC would reboot, load a lightweight OS over PXE, complete a scan and then reboot from its local disk. So far, I have been unable to spark such interest in the AV companies. IMHO, automating and scheduling such a process is something that AV companies should start looking at.

Also, given the fact that more and more datacenters are deploying VMs as part of consolidation and green initiatives, a solution that could scan a VM image will also be beneficial.

Andrea Di Fabio
Information Security Officer
High Performance Computing Technology Coordinator
Norfolk State University
Office of Information Technology
Marie V. McDemmond Center for Applied Research, Rm 401F
555 Park Avenue, Suite 401
Norfolk, Virginia 23504
757-823-2896 Office
757-823-2128 Fax

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Valdis Kletnieks
Sent: Thursday, April 10, 2008 2:51 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] AV - Full scans or On Access Scans

On Wed, 09 Apr 2008 15:58:25 EDT, "David A. Batastini" said:
I'm trying to get the pulse of what other educational institutions are doing when it comes to managing AV scans on endpoints. Do you schedule full system scans or do you rely on the "on access" scans to detect malware? If you run full system scans: how often, and what time are they set to run? If you do not run full system scans, how do you mitigate the security risk of new malware (malware that AV did not detect during the initial on access scan)?
"An interesting game - the only way to win is not to play" -- War Games

If merely checking for "Have I been hacked already?" is itself taking enough resources to cause problems, perhaps you're starting off with the wrong computing platform. There *are* options... Just sayin'. :)