Re: AV - Full scans or On Access Scans

[Jimmy Kuo <cjkuo () VERIZON NET>]

Offline scanning should only be done on an on-demand basis.  Someone at the
machine must OK the action.

One does not do a 2 o'clock reboot of a machine to be yelled at that a
document they were working on was not saved, or that it was saved and
overwrote the valid manuscript when it was not meant to be.

So, then it becomes a management nightmare to have to go around to each
machine to validate/OK the reboot.

Jimmy

----- Original Message -----
From: "Di Fabio, Andrea" <adifabio () NSU EDU>
To: <SECURITY () LISTSERV EDUCAUSE EDU>
Sent: Thursday, April 10, 2008 12:38 PM
Subject: Re: [SECURITY] AV - Full scans or On Access Scans


> Great thread,
>
> Has anyone talked to AV vendors about offline scanning?  Newest threats
> such
> as rootkits and VM based malware are getting increasingly difficult to
> detect while the OS is running.
>
> I have been asking different AV companies about their plans to implement
> offline scanning where a PC would reboot, load a lightweight OS over PXE,
> complete a scan and then reboot from its local disk.  So far, I have been
> unable to spark such interest in the AV companies.
>
> IMHO, automating and scheduling such process is something that AV
> companies
> should start looking at.  Also, given the fact that more and more
> datacenters are deploying VM's as part of consolidation and green
> initiatives, a solution that could scan a VM image will also be
> beneficial.
>
> Andrea Di Fabio
> Information Security Officer
> High Performance Computing Technology Coordinator
> Norfolk State University
> Office of Information Technology
> Marie V. McDemmond Center for Applied Research, Rm 401F
> 555 Park Avenue, Suite 401
> Norfolk, Virginia 23504
> 757-823-2896 Office
> 757-823-2128 Fax
>
>
> -----Original Message-----
> From: The EDUCAUSE Security Constituent Group Listserv
> [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Valdis Kletnieks
> Sent: Thursday, April 10, 2008 2:51 PM
> To: SECURITY () LISTSERV EDUCAUSE EDU
> Subject: Re: [SECURITY] AV - Full scans or On Access Scans
>
> On Wed, 09 Apr 2008 15:58:25 EDT, "David A. Batastini" said:
>
> >                 I'm trying to get the pulse of what other educational
> > institutions are doing when it comes to managing AV scans on
> > endpoints. Do you schedule full system scans or do you rely on the "on
> > Access" scans to detect malware? If you run full system scans: how
> > often, and what time are they set to run? If you do not run full
> > system scans,  how do you mitigate the security risk of new malware (
> > malware that AV did not detect during the initial on access scan)?
>
> "An interesting game - the only way to win is not to play" -- War Games
>
> If merely checking for "Have I been hacked already?" is itself taking
> enough
> resources to cause problems, perhaps you're starting off with the wrong
> computing platform.  There *are* options...
>
> Just sayin'. :)