Educause Security Discussion mailing list archives

Re: AV - Full scans or On Access Scans


From: "Jenkins, Matthew" <matthew.jenkins () FAIRMONTSTATE EDU>
Date: Thu, 10 Apr 2008 09:12:31 -0400

In theory, the on-access scanner would nab the malware if the malware
tried to execute after signatures to detect it were installed.

Hence, a full system scan shouldn't be necessary, because the on-access
scanner should detect all malware/virus/Trojan/malicious code before it
executes. Most on-access scanners scan things as they are read/written
from/to the file system, so even if someone tried to copy a virus it
should be caught. We see this a lot on our FTP server where students
will upload infected Word documents and the on-access scanner will
immediately quarantine the file.

If the AV engine is shut down or the signatures are out of date due to a
Trojan-type piece of code, the enterprise console or a NAC should catch
this and report back. This would catch any attacks where either the
code was executed during a time when no signatures were available to
catch it or the on-access scanner was disabled for administrative
purposes (i.e. software installation). If the on-access scanner was not
compromised and the signatures were updated after the malicious piece of
code was installed, the AV software should catch the malware in memory
with a 'quick scan'.

However, because that's all theory, I don't trust on-access scans enough
to not do (or want to do) a full system scan of all hosts. I am curious
if anyone else has thoughts on that. Does a full system scan really buy
us anything, other than sleep at night (a highly valued commodity)?
Just a thought.

Matt

Matthew Jenkins
Network/Server Administrator
Fairmont State University
Visit us online at www.fairmontstate.edu

From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Charlie Prothero
Sent: Wednesday, April 09, 2008 9:13 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] AV - Full scans or On Access Scans

We had the same problem at Keystone College. Theoretical question here:
Say a piece of malware gets onto a machine before your AV software has a
signature for it. The AV software is subsequently updated to detect
that malware. If the malware had managed to install itself, it's gone
on the next reboot. Otherwise, it's just sitting on the drive,
undetected because it isn't referenced. If it was, the AV software
would nab it. Obviously, it's not *desirable* to be storing a virus
collection, but how much of a problem would it be, provided the AV
on-access scanner is active?
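To make the reasoning in both mails concrete (the console flagging a disabled scanner or stale signatures, and dormant files written before a signature existed), here is an added Python example that is not part of either post: it evaluates constructed per-host status records, using hypothetical field names rather than any real console's export format, and lists for each host why a full scan would still buy something.

```python
from dataclasses import dataclass, field
from datetime import datetime
from typing import Dict, List, Optional, Tuple

@dataclass
class HostAvStatus:
    # Hypothetical per-host record, shaped like what an enterprise AV console might export.
    host: str
    on_access_enabled: bool
    signature_time: datetime                 # publish time of the installed signatures
    last_full_scan: Optional[datetime]       # None if the host never completed a full scan
    on_access_gaps: List[Tuple[datetime, datetime]] = field(default_factory=list)  # scanner-off intervals

def needs_full_scan(s: HostAvStatus, now: datetime, max_sig_age_days: int = 2) -> List[str]:
    """Return the reasons a full scan still buys something; an empty list means the
    on-access scanner plus the console's health checks already cover this host."""
    reasons = []
    if not s.on_access_enabled:
        reasons.append("on-access scanner disabled")
    if (now - s.signature_time).days > max_sig_age_days:
        reasons.append("signatures stale")
    if s.last_full_scan is None:
        reasons.append("never fully scanned")
        return reasons
    # Anything written while the scanner was off has never been inspected on disk.
    if any(end > s.last_full_scan for _, end in s.on_access_gaps):
        reasons.append("scanner was off since last full scan")
    # Dormant files are only re-checked when read; signatures newer than the last full
    # scan mean those files were last examined with signatures lacking the new detections.
    if s.signature_time > s.last_full_scan:
        reasons.append("signatures newer than last full scan")
    return reasons

NOW = datetime(2008, 4, 10, 9, 12)
# Constructed sample export; host names and timestamps are made up.
SAMPLE = [
    HostAvStatus("lab-pc-07", True, datetime(2008, 4, 10, 6, 0), datetime(2008, 4, 10, 7, 0)),
    HostAvStatus("ftp01", True, datetime(2008, 4, 10, 6, 0), datetime(2008, 4, 3, 2, 0),
                 [(datetime(2008, 4, 8, 20, 0), datetime(2008, 4, 8, 21, 30))]),
    HostAvStatus("kiosk-02", False, datetime(2008, 4, 1, 6, 0), None),
]

def scan_report(records=SAMPLE, now=NOW) -> Dict[str, List[str]]:
    """Map each host to its reasons; hosts with an empty list need no full scan."""
    return {r.host: needs_full_scan(r, now) for r in records}

if __name__ == "__main__":
    for host, reasons in scan_report().items():
        print(f"{host}: {'full scan needed: ' + ', '.join(reasons) if reasons else 'covered'}")
```

The "signatures newer than last full scan" reason is exactly the dormant-file case raised above; how much weight to give it relative to the other reasons is a policy choice, not something the records decide.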