Educause Security Discussion mailing list archives

Re: AV - Full scans or On Access Scans


From: "I. W. Woodle" <iwoodle () UTK EDU>
Date: Wed, 9 Apr 2008 16:43:42 -0400

It has been difficult to implement weekly automatic scans from the
server. We have used several methods to try to overcome the issue of
client system resource utilization during a scan. Our product (McAfee
vscan) gives you the ability to reduce the CPU priority and time used by
the scan. We have gotten away with it by having that set low, in
addition to doing the scan on Wednesday at noon (lunch break), reducing
the files scanned to system and other critical areas and avoiding memory
scans.

Additionally, instead of "hiding" the scan from the user, giving them
the ability to stop the scan in the window reduces the moans but almost
guarantees that the scan will never complete.

Ultimately we must put faith in the on-access scanner and hope that our
users will follow recommendations to do the full scans every week at
their slow times. Otherwise it would require a hard-and-fast policy that
could never meet the needs of the institution and at best be highly
intrusive to day-to-day business activity.

Another option I have been pondering is using multiple "small" scans
that take place every day to get the whole system once a week. Not sure
that would really work well either.

Good luck.
-Wes

I. W. Woodle (Wes)
University of Tennessee
Antivirus Administrator




In the end, we rely on the on-access scan and the user's scheduled full
scans to protect.

Ken De Cruyenaere wrote:
On Wed, Apr 09, 2008 at 03:58:25PM -0400, David A. Batastini wrote:
   All,

   I'm trying to get the pulse of what other educational
   institutions are doing when it comes to managing AV scans on
   endpoints. Do you schedule full system scans or do you rely on the "on
   Access" scans to detect malware? If you run full system scans: how
   often, and what time are they set to run? If you do not run full
   system scans, how do you mitigate the security risk of new malware
   (malware that AV did not detect during the initial on access scan)?

   As you can probably guess, I'm getting negative feedback on the
   intrusive behavior of our complete system scans. In the past year,
   we've cut the frequency in half (from weekly to biweekly) and
   randomized the time to try to lessen the impact. Anyone have any
   success stories they're willing to share?


   Thanks in advance,

   David


Hi
We request a minimum of weekly AV scans. The day and time are left up
to the department computer person. Some choose daily scans.
Most choose weekly scans at noon on Wednesday.
The scan settings are controlled from the AV master console.

 Ken

