-----Original Message-----
From: kyle.moffitt@sophos.com [mailto:kyle.moffitt@sophos.com]
Sent: Thursday, December 29, 2005 10:35 AM
To: Bruce Martins
Cc: dfox168@hotmail.com; focus-virus@securityfocus.com
Subject: Re: Do we still need scheduled scan?
This approach presumes updates are infrequent (> 1hr apart),
and/or innacurate or expensive proactive detection is
employed. The cost/benefit of relying on on-access scanning
(esp. for client machines) vs. costly and redundant scheduled
scanning is almost always in the end user's favor.
FYI, best practices differ based on the engineering of AV
software, and a particular vendor's global response
capability to emerging threats.
Suffice to say, no two AV are alike.
Kyle Moffitt
Sophos, Inc.
This has not been my experience with McAfee. Every once in awhile, the
updates fail (for reasons no log has cared to comment on) and when they
work (which granted, is most of the time), they take a while (an hour or
two on average) to propragate to all the machines (we have less than 40)
and it's not always someone's desktop which they left off for lunch,
it's servers running 24/7.
Someone mentioned the real-time throttling for McAfee but I have not
seen it on VirusScan and GroupShield (latest versions), at least not in
the Policy Manager. It does offer quite a bit of flexibility in how the
On-Access scan can be configured, and I've spent a good deal of time in
there making sure our servers aren't DoSed by our AV.
I do a nightly scan of every workstation and server (that is, if the
Policy manager hasn't mysteriously blown away my scheduled tasks again)
because the risk of performance loss is much less than the risk of a
virus slipping through and hosing the network. I do it at off-peak hours
but before the nightly backups.
Derick Anderson
