Educause Security Discussion mailing list archives

Re: AV - Full scans or On Access Scans


From: "Jenkins, Matthew" <matthew.jenkins () FAIRMONTSTATE EDU>
Date: Thu, 10 Apr 2008 10:25:43 -0400

Interesting points.  I was curious how one of our file servers would
respond, so I generated an EICAR string in notepad and got to a point to
save it in a directory I had access to, loaded up our AV console, turned
off auto protect, clicked save in notepad, and turned auto protect back
on.

I then turned off auto protect on my workstation and attempted to access
the file.  I got an "Access is denied" on my workstation, and on the
console of the server SAV popped up its dialog notifying me a virus had
been detected.  So this behavior must differ between AV clients.  Thanks
for that note as we are considering switching our workstation client to
another vendor and that is something I will be sure to test.

P.S.: We are running Symantec Enterprise on the server I tested, so
apparently it catches things as they are read off the file system.

Matt

Matthew Jenkins
Network/Server Administrator
Fairmont State University
304.367.4955
Visit us online at www.fairmontstate.edu


-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Zach Jansen
Sent: Thursday, April 10, 2008 9:35 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] AV - Full scans or On Access Scans

On 4/10/2008 at 9:12 AM, in message
"Jenkins, Matthew" <matthew.jenkins () FAIRMONTSTATE EDU> wrote:
In theory, the on-access scanner would nab the malware if the malware
tried to execute after signatures to detect it were installed.

That's what you would think would happen, but I don't believe that to be
true. My understanding is that the on-access scans aren't as thorough
as the full system scans for performance reasons. Unfortunately that
means if you want to catch everything your AV is capable of catching,
you need to be doing full system scans. It's also not necessarily true
that file system read/write/directory access will trigger a file scan. I
think that will vary by scanner, and even versions of the scanner. On
the latest version of our AV software I was fully able to add a virus to
the file system without alerting the AV, but not able to execute the
virus as the AV detected it at that point. 

As far as the disadvantage to leaving inactive viruses lying around
your file systems, I have a harder time coming up with a good answer
here. You might ask questions such as what if the AV becomes disabled at
some point in the future? Or, is this a shared drive space where
someone, say a home user, might access the file without the benefit of
AV software and become infected? Basically, allowing viruses to exist on
the file system assumes that anyone who accesses the file system has an
active and up to date on access virus scanner. 

I think full system scans are still a good practice. Not as important as
up to date on access scans, but still important. 

Zach Jansen


-- 

Zach Jansen
Information Security Officer
Calvin College
Phone: 616.526.6776
Fax: 616.526.8550
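Both experiments in this thread (Matt writing an EICAR file to the server with auto protect off and then reading it with his workstation scanner off; Zach adding a sample to the file system without alerting the AV, which only fired on execution) come down to one question: does the on-access scanner act on write, on read, on execute, or not at all? The probe below is an added example, not code from either poster or from the listserv; the result labels, the file name eicar.com, and the FakeOpener stand-in used to exercise the decision logic without a scanner are my own choices. The EICAR string is the public industry test string, assembled from two halves so the script file is not itself an EICAR file.

```python
"""Probe how an on-access ("auto protect") scanner reacts when the EICAR
test file is written to, and then read from, a directory such as a share.
Example added for this thread, not code from either poster; the file name
and result labels are my own choices."""
import io
import os
import tempfile

# The standard 68-byte EICAR test string, assembled from two halves at run
# time so that this source file is not itself an EICAR file.  EICAR is a
# harmless string that AV vendors agree to detect as if it were malware.
_EICAR_PARTS = (r"X5O!P%@AP[4\PZX54(P^)7CC)7}$",
                "EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*")
EICAR = "".join(_EICAR_PARTS).encode("ascii")


def probe_on_access(directory, name="eicar.com", opener=open,
                    exists=os.path.exists, cleanup=True):
    """Write EICAR into `directory`, read it back, and classify what the
    on-access scanner did.  Returns one of:
      'blocked_on_write' - the write itself was refused
      'blocked_on_read'  - write succeeded, read denied (Matt's server case)
      'quarantined'      - file gone when read (removed or quarantined)
      'read_unscanned'   - content came back intact: nothing acted on read
                           (Zach's case: added without alerting the AV)
      'altered'          - readable, but content was changed (cleaned)
    `opener` and `exists` are injectable so the decision logic can be
    exercised without a real scanner."""
    path = os.path.join(directory, name)
    try:
        try:
            with opener(path, "wb") as fh:
                fh.write(EICAR)
        except PermissionError:
            return "blocked_on_write"
        try:
            with opener(path, "rb") as fh:
                data = fh.read()
        except PermissionError:
            return "blocked_on_read"
        except FileNotFoundError:
            return "quarantined"
        if not exists(path):  # scanner let the read finish, then removed it
            return "quarantined"
        return "read_unscanned" if data == EICAR else "altered"
    finally:
        # Leave no test file behind; a scanner may already have taken it,
        # or may deny the delete too, so ignore errors here.
        if cleanup and os.path.exists(path):
            try:
                os.remove(path)
            except OSError:
                pass


class FakeOpener:
    """Stand-in for open() that simulates a scanner's response: raise the
    exception class mapped to a mode in `fail`, otherwise serve `content`."""
    def __init__(self, fail=None, content=EICAR):
        self.fail = fail or {}      # e.g. {"rb": PermissionError}
        self.content = content

    def __call__(self, path, mode):
        if mode in self.fail:
            raise self.fail[mode](13, "simulated scanner response", path)
        return io.BytesIO(self.content if "r" in mode else b"")


def probe_tempdir():
    """Run the live probe in a fresh temporary directory on this host."""
    return probe_on_access(tempfile.mkdtemp(prefix="av-probe-"))


if __name__ == "__main__":
    # Point probe_on_access at the share (e.g. r"\\fileserver\share") to
    # repeat the experiment from the thread; here it uses a local temp dir.
    print("on-access result:", probe_tempdir())
```

Run it once from a workstation with its own on-access scanner enabled and once with it paused, as Matt did, and the two results tell you which side is acting. A "read_unscanned" result on the server side is exactly the gap Zach describes, and it is the case where the scheduled full scans discussed in the thread still earn their keep.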
