



Network Security Focus-Virus

Re: Do we still need scheduled scan?

Subject: Re: Do we still need scheduled scan?
Date: Thu, 29 Dec 2005 21:42:56 -0500
Hi Cathy,

I am the last person to say that you should only have real-time scanning. That would not be wise, but I wanted to introduce some information into a discussion which seems to have gone the way of discounting the value of real-time scanning.

I would also add intrusion detection/prevention, firewalls and gateway scanners and proxies to the list of security policies to consider.

In the end it is all about what is an acceptable level of security for you and how to get to that level while maintaining a usable network/desktop.

Robert Sandilands

Sewell, Cathy wrote:

Hi Robert -

We have had situations where the real-time scan was not catching malware that the scheduled scan 
was catching, and the files weren't large zip files.  I agree with you that these malware files 
were not "of immediate effect", and, of course, though it's happened twice, the situation 
was unusual.  But it does happen, and beyond your example of a large zip file.  For us, of course, 
this resulted in ensuing discussions with our anti-virus vendors, who confirmed that the 
"real-time" products might not catch malware that our regular scheduled scans (same 
product; same engine; same definitions file) would catch due to the prioritization necessary for 
speediest real-time scan performance, especially on a desktop.  I think we may be saying the same 
thing.  Nonetheless, all major vendors recommend scheduled scans in addition to real-time 
scanners.

Going with your argument to rely on real-time scans, those "embedded" malware files, ignored by the 
real-time scan, would then be stored on your systems.  It does happen that real-time scanners are sometimes 
either accidentally or purposely turned off.  Perhaps the real-time scanning service unexpectedly didn't 
start on the mail server because of a patch or a startup conflict.  Perhaps a user turned off their desktop 
real-time scanner because it interfered with a software install, or because it was causing a performance 
impact while they were crunching a complicated computation.  Then there are the otherwise intelligent users 
who naively report "I turn it off because I'm protected behind the company firewall."  Even the 
savviest user could forget to turn the real-time scanner back on before opening other files.  Those computers 
are vulnerable to the now lurking "embedded" malware files, with no protective real-time scan 
barrier.  The user just has to touch the file...

Real-time scanning is very important, certainly a powerful and favorite tool.  
Yet relying solely on real-time scanning is inadequate.  It is worthwhile to 
run regular scheduled scans, in addition to real-time scans.  Layers of 
defense...

- CSewell

-----Original Message-----
From: Robert Sandilands [mailto:rsandilands@authentium.com]
Sent: Thursday, December 29, 2005 9:14 AM
To: focus-virus@securityfocus.com
Subject: Re: Do we still need scheduled scan?


Hi Cathy,

Real-time scanners should catch all malware that can directly affect you. But they may decide not to scan that 500 MB zip file for performance reasons. That file may contain a virus and a scheduled scan will detect that. But there is no direct way you can be affected by that virus without extracting the file, at which time the real-time scanner will protect you.

Robert Sandilands

Sewell, Cathy wrote:



From discussions with the anti-virus vendors during various crises over the years, I've learned that the real-time scans are optimized for speed, while the scheduled scans are focused on thoroughness. This means, disturbingly, that malware can elude the real-time scan, yet be caught by the more-thorough scheduled scan. Hence the anti-virus vendors' continued recommendations to run weekly scheduled local scans on all computers.

- CSewell

-----Original Message-----
From: Doug Fox [mailto:dfox168@hotmail.com]
Sent: Wednesday, December 28, 2005 2:28 PM
To: focus-virus@securityfocus.com
Subject: Do we still need scheduled scan?


If we have already implemented virus scan at the gateway, on the mail server, on individual servers, and real time scan on workstations/laptops, do we still need scheduled, e.g., weekly, scan on workstations and laptops as well as servers?

Scheduled scans really slow down some machines.

Any comments are appreciated.

Thanks,

Doug











--
#include http://robert.rsa3.com/disclaimer.html


