Educause Security Discussion mailing list archives
Re: AV - Full scans or On Access Scans
From: "Halliday,Paul" <Paul.Halliday () NSCC CA>
Date: Wed, 9 Apr 2008 22:32:07 -0300
You should be doing full system scans daily. It is an entirely different process and far more thorough than on-access scanning. (This is what I tell my boss anyway so that he can sleep at night.) OASes are very good at defending against *known* viruses. However, when confronted with an advanced poly/metamorphic virus or even something with some strange encryption (rot13 :) ) they can fail. Heuristics, VMs, decryption and the more advanced scanning techniques are expensive (resource-wise) and the OAS needs to be lightning fast. You can't have the best of both worlds. If you aren't doing full system scans you are missing out on some of the more advanced features of your scanning software.

That said, you still aren't as safe as you think. Full system scans are only really useful for targeted malware - the slow stuff. Even with that, they do miss quite a bit. There is so much crap out there that on any given day I can run samples that I see on our network through services like VirusTotal and get a wake-up when 40% of the scanners deem the offending code as safe.

Bottom line: if anything particularly virulent makes it past your OAS, and you have no other checks in place (IDS/IPS/some form of NSM) you are pretty much screwed.

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of David A. Batastini
Sent: Wednesday, April 09, 2008 4:58 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] AV - Full scans or On Access Scans

All,

I'm trying to get the pulse of what other educational institutions are doing when it comes to managing AV scans on endpoints. Do you schedule full system scans or do you rely on the "on access" scans to detect malware? If you run full system scans: how often, and what time are they set to run? If you do not run full system scans, how do you mitigate the security risk of new malware (malware that AV did not detect during the initial on-access scan)?

As you can probably guess, I'm getting negative feedback on the intrusive behavior of our complete system scans. In the past year, we've cut the frequency in half (from weekly to bi-weekly) and randomized the time to try to lessen the impact. Anyone have any success stories they're willing to share?

Thanks in advance,
David

--
David Batastini, GCIH
University of Rhode Island Information Security
DavidB<at>uri.edu
015 Tyler Hall
p. (401) 874-2663
c. (401) 265-5515
f. (401) 874-7004