PaulDotCom mailing list archives

AV exclusions and Read vs Write scans


From: xrsolis at gmail.com (Xander Solis)
Date: Thu, 21 Jan 2010 12:20:25 +0800

Francois,

Allow me to summarize your inquiries and give my thoughts on it.

1. Improving AV scanner performance by only scanning for writes to
disk instead of reads to disk.

The problem I see here is for previously undetected malware files. If
a previously undetected / non-running malware runs, there might be a
possibility that the scanner will not detect the malware files that
are read from disk. Though AV scanners use in-memory scanning, there is
a possibility that some drop files being used by malware will be
overlooked in the detection process.

On scanner performance, some AV scanners allow configurable options to
control CPU utilization; you might want to check whether your product has
it and use a low CPU utilization setting, instead of using minimal
configuration settings that may cripple the scanner's capability to
detect malware.

2. On scan exclusions

This depends on the applications you run on your network. It would be
best to be very specific on the file paths and files you exclude. It would
be best to have an inventory of this as well, and that exclusions have a
valid business case.

Hope this helps,

My 10 cents,

Xander

On Thu, Jan 21, 2010 at 6:35 AM, Francois Lachance
<digitallachance at gmail.com> wrote:
I am curious to poll the collective intelligence of the pauldotcom.com list
members on the subject of anti-virus on servers. Our data centre has been
outsourced and the administrators are proposing to change the settings on our
anti-virus to only do scans on write I/O only (no scanning on any Read I/O).

There are well-known folders and file types that Microsoft recommends to
exclude from anti-virus scanning (http://support.microsoft.com/kb/822158 or
http://support.microsoft.com/kb/823166 for Exchange 2003). The
administrators were suggesting to exclude the C:\TEMP\ folder from any scans,
which I objected to. That's too obvious of a location to exclude from
scrutiny.

So my question to you all is do you have a best practice that you follow
when dealing with anti-virus on your servers?

Any thoughts?

Thanks,

Francois

_______________________________________________
Pauldotcom mailing list
Pauldotcom at mail.pauldotcom.com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com


