Network Security Focus-Virus

RE: Do we still need scheduled scan?

Subject: RE: Do we still need scheduled scan?
Date: Thu, 29 Dec 2005 16:39:34 -0800
Hi Robert -

We have had situations where the real-time scan was not catching malware that 
the scheduled scan was catching, and the files weren't large zip files.  I 
agree with you that these malware files were not "of immediate effect", and, of 
course, though it's happened twice, the situation was unusual.  But it does 
happen, and beyond your example of a large zip file.  For us, of course, this 
resulted in ensuing discussions with our anti-virus vendors, who confirmed that 
the "real-time" products might not catch malware that our regular scheduled 
scans (same product; same engine; same definitions file) would catch due to the 
prioritization necessary for speediest real-time scan performance, especially 
on a desktop.  I think we may be saying the same thing.  Nonetheless, all 
major vendors recommend scheduled scans in addition to real-time scanners.

Going with your argument to rely on real-time scans, those "embedded" malware 
files, ignored by the real-time scan, would then be stored on your systems.  It 
does happen that real-time scanners are sometimes either accidentally or 
purposely turned off.  Perhaps the real-time scanning service unexpectedly 
didn't start on the mail server because of a patch or a startup conflict.  
Perhaps a user turned off their desktop real-time scanner because it interfered 
with a software install, or because it was causing a performance impact while 
they were crunching a complicated computation.  Then there are the otherwise 
intelligent users who naively report "I turn it off because I'm protected 
behind the company firewall."  Even the savviest user could forget to turn the 
real-time scanner back on before opening other files.  Those computers are 
vulnerable to the now lurking "embedded" malware files, with no protective 
real-time scan barrier.  The user just has to touch the file...

Real-time scanning is very important, certainly a powerful and favorite tool.  
Yet relying solely on real-time scanning is inadequate.  It is worthwhile to 
run regular scheduled scans, in addition to real-time scans.  Layers of 
defense...

- CSewell

-----Original Message-----
From: Robert Sandilands [mailto:rsandilands@authentium.com] 
Sent: Thursday, December 29, 2005 9:14 AM
To: focus-virus@securityfocus.com
Subject: Re: Do we still need scheduled scan?

Hi Cathy,

Real-time scanners should catch all malware that can directly affect 
you. But it may decide not to scan that 500 MB zip file for performance 
reasons. That file may contain a virus and a scheduled scan will detect 
that. But there is no direct way you can be affected by that virus 
without extracting the file, at which time the real-time scanner will 
protect you.

Robert Sandilands

Sewell, Cathy wrote:

From discussions with the anti-virus vendors during various crises over the 
years, I've learned that the real-time scans are optimized for speed, while 
the scheduled scans are focused on thoroughness.  This means, disturbingly, 
that malware can elude the real-time scan, yet be caught by the more-thorough 
scheduled scan.  Hence the anti-virus vendors' continued recommendations to 
run weekly scheduled local scans on all computers.

- CSewell

-----Original Message-----
From: Doug Fox [mailto:dfox168@hotmail.com] 
Sent: Wednesday, December 28, 2005 2:28 PM
To: focus-virus@securityfocus.com
Subject: Do we still need scheduled scan?

If we have already implemented virus scan at the gateway, on the mail 
server, on individual servers, and real time scan on workstations/laptops, 
do we still need scheduled, e.g., weekly, scan on workstations and laptops 
as well as servers?

Scheduled scans really slow down some machines.

Any comments are appreciated.

Thanks,

Doug

 



-- 
---------------------------------------------------------------------
Robert Sandilands: Software Engineer
Disclaimer: http://robert.rsa3.com/disclaimer.html
Authentium: Home of Command Software
www.authentium.com
