What are the advantages of running both On Demand Scan and On Access Scan on a system? What extra will On Demand Scan do that On Access Scan can't do? If there is a file infected with a virus, On Access Scan will catch it if it is opened. When On Demand Scan runs, that will also catch it. So what is the difference? Am I missing out on anything?
Thanks for posting on the community.
Your statement is indeed correct, but, for example, if malware was dropped onto the system without being actively loaded or accessed, it would remain on the system undetected until an ODS task was executed or it was loaded by a user. So to avoid the risk of it being executed, running an ODS task is advised.
When we are talking about On-Access Scan (OAS) and On-Demand Scan (ODS), we are talking about 2 different functions, where one of them, as you already know, is real-time scanning and the second one is more like a health check of what is on the system.
There are 2 use case scenarios why both of them should be used.
01. There was no detection at the time when the malware was written to the machine
So, this one is self-explanatory. At the time when the malware was written to the HDD, it was unknown, and now it just sits there. And yes, the argument is that if something accesses it later on, it should be detected then by OAS, but what if you remove AV protection at some point and your machine is unprotected for any reason? Is it worth the risk?
The other option, which is even more likely, is that you may have detection, but the file is located in some excluded folder or accessed by an excluded process, and OAS doesn't act against it even if detection is present, which is also part of my next scenario.
02. Sometimes exclusions are just needed and you want to make sure nothing fishy is going on.
So, like we said, OAS is a real-time scan where, if some process tries to read something from the HDD or write something to the HDD, it gets intercepted so the file can be scanned before the action is allowed to take place. That interception can be super short, but, like in the real world, in the world of software we also have a lot of it behaving like, let us say, divas.
The diva processes do not accept any delay or any interruption from any AV software, not only McAfee, regardless of how brief that interruption or interaction may be. They want their file accesses and they want them now, and they are not allowing any "Paparazzi" AV to look at them and what they are doing.
Like any AV company, we want to scan everything to ensure you are fully protected. However, we do understand the need for something to be excluded from our scan, and we allow those exclusions to be configured based on the application vendor's recommendation, hence we have KBs like:
*** Consolidated list of Endpoint Security/VirusScan Enterprise exclusion articles
*** Understanding High-Risk, Low-Risk, and Default processes configuration and usage
*** Why some processes should be added to low-risk exclusions
So there is a possibility that some processes in your environment may be out of reach for OAS when they are performing "transactions", or some locations on your HDD will not be reachable by OAS, like some tax havens, and because of that we have ODS to play the role of the IRS, maybe every 7 days if everything is OK and we follow:
*** Best practices for on-demand scans in Endpoint Security and VirusScan Enterprise
and make sure there is no fishy business, especially if you are using just one standard configuration instead of a Standard/High Risk/Low Risk one and have a lot of file/folder exclusions.
Because of exclusions, VSE will be there NOT to interfere with sensitive programs with OAS when they operate; however, with ODS it will make sure to check what they are actually writing in those locations at least once a week.
The conclusion is that there is not really an "On Demand Scan vs On Access Scan", because they play different roles on the machine and, as you may see based on the 2 use case scenarios, they complement each other.
I hope this helps.
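
Added example, not part of the thread and not McAfee code: a small audit of the point made above, listing OAS-excluded folders that no on-demand scan has swept within 7 days. The record layout, function names and sample paths are hypothetical and constructed for illustration; it assumes each ODS task may carry its own exclusion list, in which case the folder stays unchecked.

```python
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

MAX_AGE = timedelta(days=7)  # weekly ODS cadence suggested in the thread

def covers(root, folder):
    """True if folder is root or lies beneath it (Windows rules, case-insensitive)."""
    root, folder = PureWindowsPath(root), PureWindowsPath(folder)
    return root == folder or root in folder.parents

def unswept_exclusions(oas_exclusions, ods_runs, now):
    """Map each OAS-excluded folder lacking a recent ODS pass to the reason."""
    findings = {}
    for folder in oas_exclusions:
        finished = [
            run["finished"] for run in ods_runs
            if any(covers(t, folder) for t in run["targets"])
            # An ODS task that also skips the folder leaves the blind spot in place.
            and not any(covers(x, folder) for x in run["exclusions"])
        ]
        if not finished:
            findings[folder] = "never scanned by ODS"
        elif now - max(finished) > MAX_AGE:
            findings[folder] = f"last ODS pass {(now - max(finished)).days} days ago"
    return findings

# Constructed sample data (hypothetical hosts paths and scan history).
NOW = datetime(2024, 3, 15, 9, 0)
OAS_EXCLUSIONS = [r"D:\SQLData", r"C:\App\Cache", r"E:\Backups\Staging"]
ODS_RUNS = [
    {"targets": ["C:\\", "D:\\"], "exclusions": [r"d:\sqldata"],
     "finished": datetime(2024, 3, 13, 2, 0)},
    {"targets": ["E:\\Backups"], "exclusions": [],
     "finished": datetime(2024, 3, 1, 2, 0)},
]

if __name__ == "__main__":
    for folder, reason in unswept_exclusions(OAS_EXCLUSIONS, ODS_RUNS, NOW).items():
        print(f"{folder}: {reason}")
```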