Educause Security Discussion mailing list archives

Re: AV - Full scans or On Access Scans

From: "Koerber, Jeff" <jkoerber () TOWSON EDU>
Date: Thu, 17 Apr 2008 10:07:01 -0400

If you wanted to make the green folks happy, you could set the BIOS on each computer to turn it on at 2am, do 
updates/scans/maintenance/etc. and then shut down or hibernate.  I'm testing this out on a few machines now and it 
seems to work well (although I don't currently do a fully AV scan).

Jeff Koerber
Supervisor, Student Service Desk & Lab Support
Office of Technology Services
Towson University
Towson, MD


-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Marc 
Scarborough
Sent: Thursday, April 10, 2008 10:24 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] AV - Full scans or On Access Scans

Part of the problem with this is that many pieces of malware are installed as services.  These services can (and do) 
start before the AV services.  So even an up-to-date access-based scan will miss these.

We're facing the same struggle with regards to the "how" and "when" to try full scans.  The after hours stuff is hard 
to make successful, especially with the "green" groups advising everyone to turn off their systems at night.  No 
offense to any green groups. :-)

What we're trying is to schedule 2am scans every day and to encourage people to leave their machines on at least one 
night a week.

Marc

________________________________

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Jenkins, 
Matthew
Sent: Thursday, April 10, 2008 8:13 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] AV - Full scans or On Access Scans



In theory, the on-access scanner would nab the malware if the malware tried to execute after signatures to detect it 
were installed.



Hence, a full system scan shouldn't be necessary, because the on-access scanner should detect all 
malware/virus/Trojan/malicious code before it executes.  Most on-access scanners scan things as they are read/wrote 
from/to the file system, so even if someone tried to copy a virus it should be caught.  We see this a lot on our FTP 
server where students will upload infected Word documents and the on-access scanner will immediately quarantine the 
file.



If the AV engine is shutdown or the signatures are out of date due to a Trojan-type piece of code, the enterprise 
console or a NAC should catch this and report back.  This would catch any attacks where either the code was executed 
during a time when no signatures were available to catch it or the on-access scanner was disabled for administrative 
purposes (i.e. software installation).  If the on-access scanner was not compromised and the signatures were updated 
after the malicious piece of code was installed, the AV software should catch the malware in memory with a 'quick scan'.



However, because that's all theory, I don't trust on-access scans enough to not do (or want to do) a full system scan 
of all hosts.  I am curious if anyone else has thoughts on that.  Does a full system scan really buy us anything, other 
than sleep at night (a highly valued commodity)?  Just a thought.



Matt



Matthew Jenkins
Network/Server Administrator
Fairmont State University
Visit us online at www.fairmontstate.edu <http://www.fairmontstate.edu/>



From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Charlie 
Prothero
Sent: Wednesday, April 09, 2008 9:13 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] AV - Full scans or On Access Scans



We had the same problem at Keystone College.  Theoretical question here: Say a piece of malware gets onto a machine 
before your AV software has a signature for it.    The AV software is subsequently updated to detect that malware.  If 
the malware had managed to install itself, it's gone on the next reboot.  Otherwise, it's just sitting on the drive, 
undetected because it isn't referenced.  If it was, the AV software would nab it.  Obviously, it's not *desirable* to 
be storing a virus collection, but how much of a problem would it be, provided the AV on-access scanner is active?

Current thread:

Re: AV - Full scans or On Access Scans, (continued)
- Re: AV - Full scans or On Access Scans Eric Case (Apr 10)
- Re: AV - Full scans or On Access Scans Basgen, Brian (Apr 10)
- Re: AV - Full scans or On Access Scans Valdis Kletnieks (Apr 10)
- Re: AV - Full scans or On Access Scans Di Fabio, Andrea (Apr 10)
- Re: AV - Full scans or On Access Scans Gary Flynn (Apr 10)
- Re: AV - Full scans or On Access Scans Halliday,Paul (Apr 10)
- Re: AV - Full scans or On Access Scans Jimmy Kuo (Apr 10)
- Re: AV - Full scans or On Access Scans Jenkins, Matthew (Apr 10)
- Re: AV - Full scans or On Access Scans I. W. Woodle (Apr 11)
- Re: AV - Full scans or On Access Scans King, Ronald A. (Apr 11)
- Re: AV - Full scans or On Access Scans Koerber, Jeff (Apr 17)