Educause Security Discussion mailing list archives
Re: AV - Full scans or On Access Scans
From: "Jenkins, Matthew" <matthew.jenkins () FAIRMONTSTATE EDU>
Date: Thu, 10 Apr 2008 10:25:43 -0400
Interesting points. I was curious how one of our file servers would respond, so I generated an EICAR string in notepad and got to a point to save it in a directory I had access to, loaded up our AV console, turned off auto protect, clicked save in notepad, and turned auto protect back on. I then turned off auto protect on my workstation and attempted to access the file. I got an "Access is denied" on my workstation, and on the console of the server SAV popped up its dialog notifying me a virus had been detected. So this behavior must differ between AV clients. Thanks for that note as we are considering switching our workstation client to another vendor and that is something I will be sure to test.

PS: We are running Symantec Enterprise on the server I tested, so apparently it catches things as they are read off the file system.

Matt

Matthew Jenkins
Network/Server Administrator
Fairmont State University
304.367.4955
Visit us online at www.fairmontstate.edu

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Zach Jansen
Sent: Thursday, April 10, 2008 9:35 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] AV - Full scans or On Access Scans
On 4/10/2008 at 9:12 AM, in message
"Jenkins, Matthew" <matthew.jenkins () FAIRMONTSTATE EDU> wrote:
In theory, the on-access scanner would nab the malware if the malware tried to execute after signatures to detect it were installed.
That's what you would think would happen, but I don't believe that to be true. My understanding is that the on-access scans aren't as thorough as the full system scans for performance reasons. Unfortunately that means if you want to catch everything your AV is capable of catching, you need to be doing full system scans.

It's also not necessarily true that file system read/write/directory access will trigger a file scan. I think that will vary by scanner, and even versions of the scanner. On the latest version of our AV software I was fully able to add a virus to the file system without alerting the AV, but not able to execute the virus as the AV detected it at that point.

As far as the disadvantage to leaving inactive viruses lying around your file systems, I have a harder time coming up with a good answer here. You might ask questions such as: what if the AV becomes disabled at some point in the future? Or, is this a shared drive space where someone, say a home user, might access the file without the benefit of AV software and become infected? Basically, allowing viruses to exist on the file system assumes that anyone who accesses the file system has an active and up-to-date on-access virus scanner.

I think full system scans are still a good practice. Not as important as up-to-date on-access scans, but still important.

Zach Jansen

--
Zach Jansen
Information Security Officer
Calvin College
Phone: 616.526.6776
Fax: 616.526.8550
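The file-share test Matthew describes above, as an added example that is not part of the thread: a small Python helper that writes the standard EICAR test file into a directory you name, reads it back, and reports whether the write was blocked, the read was blocked ("Access is denied"), the file was quarantined, or it came back intact. The function and file names (probe_share, eicar-probe.com) are assumptions, and it presumes you can write to the target directory.

```python
import tempfile
from pathlib import Path
from typing import Optional

# The EICAR test pattern, split in two so the script itself is not flagged at
# rest; joined at runtime it is the standard, harmless 68-byte AV test file.
_EICAR_PARTS = (r"X5O!P%@AP[4\PZX54(P^)7CC)7}$", "EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*")


def eicar_bytes() -> bytes:
    """Return the 68-byte EICAR test string."""
    return "".join(_EICAR_PARTS).encode("ascii")


def probe_share(directory: Optional[str] = None, name: str = "eicar-probe.com") -> dict:
    """Write the test file into `directory` (a fresh temp dir if None), read it
    back, and classify what the on-access scanner did at each step."""
    directory = directory or tempfile.mkdtemp(prefix="avprobe-")
    path = Path(directory) / name
    result = {"path": str(path), "write": None, "read": "not_attempted"}
    try:
        path.write_bytes(eicar_bytes())
        result["write"] = "written"
    except PermissionError:          # real-time protection blocked the write itself
        result["write"] = "write_blocked"
        return result
    try:
        data = path.read_bytes()
        result["read"] = "readable" if data == eicar_bytes() else "altered"
    except FileNotFoundError:        # scanner deleted/quarantined it after the write
        result["read"] = "quarantined"
    except PermissionError:          # "Access is denied": the read was intercepted
        result["read"] = "read_blocked"
    except OSError as exc:           # anything else a filter driver might return
        result["read"] = f"error:{exc.errno}"
    finally:
        try:
            path.unlink()            # clean up so the test file is not left behind
        except OSError:
            pass
    return result


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else None
    for key, value in probe_share(target).items():
        print(f"{key}: {value}")
```

Run it once from the file server's console and once from a workstation against the same share path (with or without the workstation's own real-time protection paused) to see which side is doing the catching.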