Educause Security Discussion mailing list archives

Re: AV - Full scans or On Access Scans


From: "Jenkins, Matthew" <matthew.jenkins () FAIRMONTSTATE EDU>
Date: Thu, 10 Apr 2008 20:47:53 -0400

What if a machine could be hibernated, restarted with the lightweight
OS, scanned, and then brought back out of hibernate mode.  I suppose you
would still have to worry about network and/or computing activity being
interrupted during that time, especially for servers.

Matt

Matthew Jenkins
Network/Server Administrator
Fairmont State University
Visit us online at www.fairmontstate.edu

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Jimmy Kuo
Sent: Thursday, April 10, 2008 6:16 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] AV - Full scans or On Access Scans

Offline scanning should only be done on an on-demand basis.  Someone at the
machine must OK the action.

One does not do a 2 o'clock reboot of a machine to be yelled at that a
document they were working on was not saved, or that it was saved and
overwrote the valid manuscript when it was not meant to be.

So, then it becomes a management nightmare to have to go around to each
machine to validate/OK the reboot.

Jimmy

----- Original Message ----- 
From: "Di Fabio, Andrea" <adifabio () NSU EDU>
To: <SECURITY () LISTSERV EDUCAUSE EDU>
Sent: Thursday, April 10, 2008 12:38 PM
Subject: Re: [SECURITY] AV - Full scans or On Access Scans


Great thread,

Has anyone talked to AV vendors about offline scanning?  Newest threats such
as rootkits and VM based malware are getting increasingly difficult to
detect while the OS is running.

I have been asking different AV companies about their plans to implement
offline scanning where a PC would reboot, load a lightweight OS over PXE,
complete a scan and then reboot from its local disk.  So far, I have been
unable to spark such interest in the AV companies.

IMHO, automating and scheduling such a process is something that AV companies
should start looking at.  Also, given the fact that more and more
datacenters are deploying VMs as part of consolidation and green
initiatives, a solution that could scan a VM image will also be beneficial.

Andrea Di Fabio
Information Security Officer
High Performance Computing Technology Coordinator
Norfolk State University
Office of Information Technology
Marie V. McDemmond Center for Applied Research, Rm 401F
555 Park Avenue, Suite 401
Norfolk, Virginia 23504
757-823-2896 Office
757-823-2128 Fax


-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Valdis Kletnieks
Sent: Thursday, April 10, 2008 2:51 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] AV - Full scans or On Access Scans

On Wed, 09 Apr 2008 15:58:25 EDT, "David A. Batastini" said:

I'm trying to get the pulse of what other educational
institutions are doing when it comes to managing AV scans on
endpoints. Do you schedule full system scans or do you rely on the "on
Access" scans to detect malware? If you run full system scans: how
often, and what time are they set to run? If you do not run full
system scans, how do you mitigate the security risk of new malware
(malware that AV did not detect during the initial on access scan)?

"An interesting game - the only way to win is not to play" -- War Games

If merely checking for "Have I been hacked already?" is itself taking enough
resources to cause problems, perhaps you're starting off with the wrong
computing platform.  There *are* options...

Just sayin'. :)
