Educause Security Discussion mailing list archives

Re: AV - Full scans or On Access Scans


From: "Halliday,Paul" <Paul.Halliday () NSCC CA>
Date: Thu, 10 Apr 2008 19:12:40 -0300

If you are really interested (if you manage any sort of AV), take a peek
at the book "The Art of Computer Virus Research and Defense" by Peter
Szor. In particular chapter 10, part II - Strategies of the Defender and
for the more tech savvy, chapter 7 "Advanced Code Evolution Techniques
and Computer Virus Generator Kits". The latter will likely change the
way you feel about your protection altogether. 

The challenges that the vendors are up against are very interesting and
quite complex.  I wouldn't rely too heavily on their gospel. 

While most of this publication is quite technical, even the casual
reader will glean enough to make a more informed decision with regards
to this topic.

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Di Fabio, Andrea
Sent: Thursday, April 10, 2008 4:38 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] AV - Full scans or On Access Scans

Great thread,

Has anyone talked to AV vendors about offline scanning?  Newest threats
such as rootkits and VM based malware are getting increasingly difficult
to detect while the OS is running.

I have been asking different AV companies about their plans to implement
offline scanning where a PC would reboot, load a lightweight OS over PXE,
complete a scan and then reboot from its local disk.  So far, I have
been unable to spark such interest in the AV companies.

IMHO, automating and scheduling such process is something that AV
companies should start looking at.  Also, given the fact that more and
more datacenters are deploying VM's as part of consolidation and green
initiatives, a solution that could scan a VM image will also be
beneficial.

Andrea Di Fabio
Information Security Officer
High Performance Computing Technology Coordinator
Norfolk State University
Office of Information Technology
Marie V. McDemmond Center for Applied Research, Rm 401F
555 Park Avenue, Suite 401
Norfolk, Virginia 23504
757-823-2896 Office
757-823-2128 Fax


-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Valdis Kletnieks
Sent: Thursday, April 10, 2008 2:51 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] AV - Full scans or On Access Scans

On Wed, 09 Apr 2008 15:58:25 EDT, "David A. Batastini" said:

I'm trying to get the pulse of what other educational
institutions are doing when it comes to managing AV scans on
endpoints. Do you schedule full system scans or do you rely on the "on
Access" scans to detect malware? If you run full system scans: how
often, and what time are they set to run? If you do not run full
system scans, how do you mitigate the security risk of new malware
(malware that AV did not detect during the initial on access scan)?

"An interesting game - the only way to win is not to play" -- War Games

If merely checking for "Have I been hacked already?" is itself taking
enough resources to cause problems, perhaps you're starting off with the
wrong computing platform.  There *are* options...

Just sayin'. :)
