It may sound silly, but I have a question regarding scheduled scans on users’ machines.
We have VSE8.7i on all users’ machines and have scheduled a weekly scan every Thursday at 1230.
It’s set to scan all files, and only use 10% of resources and it’s been set up like this for many years.
I think it’s scheduled to run on Thursdays because McAfee used to release a new DAT file every Thursday before.
Anyhow, some user mentioned the performance drop of their PC during the scan,
and the CIO decided to disable this weekly scan for the following reasons:
· WebSense web filter stops threats from the Internet
· WebSense hosted Email security stops threats coming
· GroupShield on Exchange as well as the WebSense hosted Email security
· And VirusScan on all servers and PCs
· Therefore, in theory all entrances are protected.
· Weekly scan doesn’t prevent infection
I can see how he came up with this idea and I have no reason other than “just for precaution” to keep the scheduled scan.
Do you think a scheduled scan is not important in a corporate environment, providing DAT and Engine are kept up-to-date?
If it is important to keep the scheduled scan, what would be the possible scenario we should consider?
Any advice is much appreciated.
McAfee releases DAT updates daily, and now with the integration of the Global Threat Intelligence (Artemis), you are better protected from zero-day threats. I would reckon that it is important for you to have a scheduled scan.
You might want to schedule your scan at such times when the users are not working on the computer, or on the weekends if your computers are left switched on. That way, you will be sure to have the scans completed and not have the users feel the performance blues.
Although the attack vectors your CIO stated are true and covered for "known" malware, what he is missing is the scenario where devices become infected with "zero-day" exploits (exploits for which there is no signature yet). Artemis is a step in the right direction for those "zero-days" but there is still a window where a device could have some "badness" dropped on the machine. With that said, the only time the malware would get detected would be after McAfee releases a signature, and then you would need to access the malware or read it into memory for OAS to pick it up. Running a full ODS would be the best option to pick up the malware that might now be detected by the new signature. Hence, I would recommend a full ODS at least once a week for desktop devices, maybe once a month for servers, and possibly more frequently for mobile-type devices such as laptops and tablets, which tend to travel beyond the protection of the corporate controls.
I hope this helps,
I can give you a lovely scenario to go with this one...
You drop scheduled scans
McAfee brings online detection for a threat that's been going on for a while but that you haven't yet had detection for (happens all the time)
Your machines spend the next 2 days grinding to a halt (as does your ePO server) with the huge amount of generated events (even with throttling)
You end up having to scan at more active times to try and clear the newly detectable threat down to manageable proportions.
Also, even if you can only scan a small percentage of the estate, it's worth it, as it may show up some pointer files that point to a currently undetectable infection.
I have the problem of saving Carbon over security myself: evening scans every night get shut down after a small time due to the business promising to save energy, and when you ask for an extra hour on automated shutdown it's like you want to have a human sacrifice. Of course, if they get a widespread infection it will cost x hundred thousand pounds in business, but that's just a risk.
Thanks very much Sameer, Spork, tonyb99
>I have the problem of saving Carbon over security myself
I understand, I was thinking of scanning after work hours, but same problem here.
Does WOL work even if the machines are powered down?
I don't know if we can use wake-on-LAN, and run the scheduled scan out-of-hours, maybe over the weekend or something
Unfortunately, ePO will not be able to wake up the clients when it's not available or powered down?
For ePO to do any activity, the machine should be at least powered on, regardless of whether a user is logged on or not.
I will not suggest that you run ODS daily.
In VSE, we even have OAS that will scan the files/exes when they are accessed.
Running ODS once/twice a week in off hours should be ok.