PaulDotCom mailing list archives
AV exclusions and Read vs Write scans
From: xrsolis at gmail.com (Xander Solis)
Date: Thu, 21 Jan 2010 12:20:25 +0800
Francois,

Allow me to summarize your inquiries and give my thoughts on them.

1. Improving AV scanner performance by only scanning for writes to disk instead of reads to disk.

The problem I see here is for previously undetected malware files. If a previously undetected / non-running malware runs, there might be a possibility that the scanner will not detect the malware files that are read to disk. Though AV scanners use in-memory scanning, there is a possibility that some drop files being used by malware will be overlooked in the detection process.

On scanner performance, some AV scanners allow configurable options to control CPU utilization. You might want to look if your product has it and use a low CPU utilization setting, instead of using minimal configuration settings that may cripple the scanner's capability to detect malware.

2. On scan exclusions

This depends on the applications you run on your network. It would be best to be very specific on file paths and files you exclude. It would be best to have an inventory of this as well, and for exclusions to have a valid business case.

Hope this helps,

My 10 cents,
Xander

On Thu, Jan 21, 2010 at 6:35 AM, Francois Lachance <digitallachance at gmail.com> wrote:
> I am curious to poll the collective intelligence of the pauldotcom.com list members on the subject of anti-virus on servers. Our data centre has been outsourced and the administrators are proposing to change the settings on our anti-virus to only do scans on write I/O only (no scanning on any Read I/O).
>
> There are well known folders and file types that Microsoft recommends to exclude from anti-virus scanning (http://support.microsoft.com/kb/822158 or http://support.microsoft.com/kb/823166 for Exchange 2003). The administrators were suggesting to exclude the C:\TEMP\ folder from any scans, which I objected to. That's too obvious of a location to exclude from scrutiny.
>
> So my question to you all is do you have a best practice that you follow when dealing with anti-virus on your servers?
>
> Any thoughts?
>
> Thanks,
> Francois
> _______________________________________________
> Pauldotcom mailing list
> Pauldotcom at mail.pauldotcom.com
> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> Main Web Site: http://pauldotcom.com
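The exclusion inventory suggested in the reply above can be checked mechanically. The following is an added example, not part of the original thread: it audits a constructed inventory for entries that are too broad or lack a business case. The CSV column names, the sample rows and the list of writable-location hints are assumptions of this example.

```python
import csv
import io
from pathlib import PureWindowsPath

# Constructed sample inventory; the column names are assumptions of this example.
SAMPLE_INVENTORY = """path,business_case,owner
C:\\TEMP\\,,datacentre admins
D:\\Exchsrvr\\Mdbdata\\priv1.edb,Exchange 2003 store database,mail team
C:\\Program Files\\App\\*.log,,app team
%TEMP%,Installer performance,desktop team
E:\\SQLData\\orders.mdf,SQL data file locked by engine,dba team
"""

# Substrings hinting at locations most local processes can write to
# (assumed list; a plain substring heuristic, so review each hit by hand).
WRITABLE_HINTS = ("temp", "tmp", "users\\public", "programdata")


def audit_exclusion(row):
    """Return the list of findings for one inventory row."""
    raw = row["path"].strip()
    findings = []
    if not row.get("business_case", "").strip():
        findings.append("no business case recorded")
    if "*" in raw or "?" in raw:
        findings.append("wildcard exclusion")
    if "%" in raw:
        findings.append("environment variable, resolves per account")
    if raw.endswith("\\") or not PureWindowsPath(raw).suffix:
        findings.append("whole folder excluded, not a specific file")
    if any(hint in raw.lower() for hint in WRITABLE_HINTS):
        findings.append("commonly writable location")
    return findings


def audit_inventory(text):
    """Map each excluded path to its findings; clean entries are omitted."""
    report = {}
    for row in csv.DictReader(io.StringIO(text)):
        findings = audit_exclusion(row)
        if findings:
            report[row["path"]] = findings
    return report


if __name__ == "__main__":
    for path, findings in audit_inventory(SAMPLE_INVENTORY).items():
        print(f"{path}: {'; '.join(findings)}")
```

Entries naming a single file with a recorded justification pass silently; the `C:\TEMP\` folder from the thread is reported on three counts.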
Current thread:
- AV exclusions and Read vs Write scans Francois Lachance (Jan 20)
- AV exclusions and Read vs Write scans Xander Solis (Jan 20)
- AV exclusions and Read vs Write scans Aa'ed Alqarta (Jan 20)