I've been asked by management to evaluate switching on-demand scanning. Currently we have 10,000+ nodes running VSE 8.7 Patch 2, and there are complaints of slowness during scanning. Really, there is no good time to do this. I'm wondering if anyone with a similar node count could provide me with their configuration. We are running a scan task quite often, and while I agree with doing the on-demand scanning less, I was wondering what the risks are, i.e. the on-access scanner not finding anything with the current DAT, or being overloaded, and then the on-demand scanner finding a threat.
The other question is: say we go to a monthly scan, if the device is not on during that time, could we have it run the missed task at the same time on the following day? Also, is it possible to restart the scan doing only deltas should the scan be cancelled? We are also using ePO 4.5 to manage all of our nodes.
Thanks in advance.
A very common problem. Required to be safe but the cost of scanning is too high. For the risk of downtime and data loss, scanning is usually the biggest scapegoat for lost productivity, until you have the Event. Then, well, scanning becomes a necessary evil.
It's all about layers. This has to do with your environment and reducing vulnerabilities and managing risk. Basics like workstation patch levels, perimeter defense (firewall, gateway scanners for HTTP and email clients), and your workstation policies. Ideally, scanning during off hours is best. If that's not possible, then during lunch may suffice. If your environment can automate power cycling for workstations, then scanning in the early morning, around 4:00 am, with high CPU throttling is great, and the systems are ready when users log in. This is also a great time to patch and upgrade McAfee VSE versions and products as well.
During the day is tough at any time. Users complain; it is their nature. Throttling the CPU utilization helps, but power users will always complain. Aggressive settings for on-access scanning, and good perimeter scanning for all attachments and HTTP traffic, may allow you to reduce your weekly on-demand scanning requirements, where monthly scanning could suffice.
You could set the scanning to occur when the workstation is idle. Try test groups to see what works best. Use exclusions where appropriate, to reduce the impact on end users.
Also, upgrade to patch 3, and good luck.
This is an older conversation but it has not been relevant until now. My company wants to begin an on-demand scanning task for all workstations. We already have a task in operation for all servers but that was easier because McAfee provided exclusion lists. Does anyone know if McAfee provides something similar for workstations? How do I know what's safe and what's not?
To scan or not to scan... When in doubt, scan. With that said, it's best not to run on-demand scanning (ODS) during working hours because it interferes with on-access scanning (OAS). Memory and CPU utilization would be impacted if you do both at the same time.
Run your scans in the off hours. Look into BIOS tools to turn your workstations on/off and schedule your scans in the middle of the night. A simple schedule would be as follows: turn on all workstations at 2:00 am or 3:00 am and initiate a scan schedule. They will be done by morning when employees come in to work. This is also a great time to update your workstation patching and policy updates, etc. There is a great McAfee KB article which lists recommended exclusions. Modify that for your needs and you should be set. With this method, you will be the hero of your company and will reduce the complaints so many McAfee administrators receive on a daily basis. Good luck.
Thank you for your reply. Based on your comments, our environment may not be suitable for scheduling on-demand scans. We are a global company and it would be an impossible task to modify everyone's BIOS. Plus, most of our users have laptops which means their machines go home at night. You did mention a KB article. The only one I found was regarding server exclusions. Do you have a link for workstation exclusions?
This list came from an instructor in an ePO/VirusScan 8.7 class. As for BIOS tools, Microsoft has a free one that I believe is administered via Active Directory. Something like Altiris maybe... I'm not sure; our administration group handles that. I'm sure you can find comparable solutions on the web to manage the on/off automation. In ePO you could segregate the laptops and set separate schedules for them.
With patch 1 and later we redefined the "throttle" mechanism for the ODS. Instead of a percentage of system utilization (which is not the same as CPU) we moved to a thread priority model. It is enormously more efficient than our prior method of throttling, since we're leaving it to Windows to decide who gets CPU.
Set the throttle to 50% or lower. This corresponds to a "below normal" thread priority.
Then it shouldn't matter what time you schedule the ODS to run, because end users (for the most part) won't even know it's running.
Do not include ARCHIVE scanning as part of that task, because then your users WILL know it's running, and they'll send you hate e-mail. Archives are handled differently from normal files, and the scanning engine isn't able to honor the throttle setting.
Beyond that we have VSE 8.8 releasing later this year, which will include additional improvements that can potentially reduce the scan time duration greatly, depending on the system. It will still take advantage of the Windows thread priority model as that's the most efficient way for us to do ODS without impacting users or other applications that run at normal priority.
Good stuff guys. Thanks. This will help me a lot.
I do worry about the throttling, since hard drives are getting cheaper and bigger, which means more space to fill with crap and more stuff/time needed to scan. I guess I'll need to test out the throttling to make sure it finishes in a decent time period. To me, throttling just means I'm inconveniencing people longer.
Another way to speed up scanning and decrease the overall scanning time would be to implement "incremental" scanning.
If your scan runs every week, you would set an exclusion for files older than 7 days (or 10 days to be more secure).
This will only scan files changed or new within the last 7 days and tremendously decrease overall scanning time.
The downside is that malware could hide itself by faking the file date (if possible).
Oh yeah, I like that idea. I was wondering how the file date exclusion worked. Makes sense. But I do feel like I've seen virus files spreading through open shares with older creation dates. I'll have to check into that to make sure, but maybe I could combine a mix of a full scan once a month and a weekly scan by date. Hmmm... gets my brain juices flowing.
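The "incremental scan" suggestion above (exclude files older than N days) and the follow-up worry about malware carrying old timestamps are easy to model. The following is an added example, not code from the thread or from McAfee: it implements an age-based delta and, for contrast, a manifest-based delta that records what was present at the last full scan, then shows a file dropped today with a backdated modification time being skipped by the age rule but caught by the manifest rule. It assumes the age exclusion is evaluated on the file's modification time (st_mtime) and that "older than N days" means mtime earlier than now minus N days; how VSE evaluates its own exclusion rules is not modelled, and the sample files and their timestamps are constructed inside a temporary directory.

```python
"""
Added example (not from the thread or McAfee): two ways to pick files for a
"delta" on-demand scan, and the failure mode of the age-based one.

  * age-based:      skip files whose mtime is older than N days
  * manifest-based: scan only paths that are new, or whose size/mtime
                    differ from what was recorded at the last full scan

Assumption: the age exclusion is evaluated on st_mtime. The sample tree is
constructed here; every file is really created "now", so age is faked with
os.utime, which is also exactly what a backdating dropper would do.
"""
import os
import tempfile
import time
from pathlib import Path

DAY = 86400  # seconds


def inventory(root):
    """Map relative path -> (size, mtime_ns) for every file under root.
    This is the 'manifest' you would record after a full scan."""
    root = Path(root)
    result = {}
    for path in root.rglob("*"):
        if path.is_file():
            st = path.stat()
            result[path.relative_to(root).as_posix()] = (st.st_size, st.st_mtime_ns)
    return result


def select_by_age(root, max_age_days, now=None):
    """Age-based delta: files whose mtime falls within the last max_age_days.
    max_age_days=None disables the exclusion, i.e. a full scan."""
    now = time.time() if now is None else now
    cutoff = None if max_age_days is None else now - max_age_days * DAY
    return sorted(rel for rel, (_, mtime_ns) in inventory(root).items()
                  if cutoff is None or mtime_ns / 1e9 >= cutoff)


def select_by_manifest(root, manifest):
    """Manifest-based delta: paths not in the manifest, or whose size or
    mtime differs from the recorded value. A backdated mtime does not help
    the attacker here because the path itself is new. A file overwritten in
    place with the same size and a restored mtime would still slip through;
    storing a hash closes that gap at the cost of reading every file."""
    return sorted(rel for rel, meta in inventory(root).items()
                  if manifest.get(rel) != meta)


def build_demo_tree(root, now=None):
    """Constructed sample data: one file edited this week, one a month old."""
    now = time.time() if now is None else now
    root = Path(root)
    (root / "docs").mkdir(exist_ok=True)
    (root / "docs" / "fresh.docx").write_bytes(b"edited this week")
    old = root / "docs" / "old.xls"
    old.write_bytes(b"untouched for a month")
    os.utime(old, (now - 30 * DAY, now - 30 * DAY))  # fake 30 days of age


def drop_backdated_file(root, now=None):
    """Simulate the threat: a new file written today whose mtime is pushed
    back 60 days so that an age-based exclusion ignores it."""
    now = time.time() if now is None else now
    dropper = Path(root) / "dropper.exe"
    dropper.write_bytes(b"MZ constructed sample, not a real binary")
    os.utime(dropper, (now - 60 * DAY, now - 60 * DAY))


def demo():
    """Run both selection strategies against the constructed tree."""
    with tempfile.TemporaryDirectory() as tmp:
        build_demo_tree(tmp)
        manifest = inventory(tmp)   # state recorded at the last full scan
        drop_backdated_file(tmp)    # attacker acts after that scan
        return {
            "weekly_by_age": select_by_age(tmp, 7),          # misses dropper.exe
            "by_manifest": select_by_manifest(tmp, manifest),  # catches it
            "full": select_by_age(tmp, None),                # everything
        }


if __name__ == "__main__":
    for name, files in demo().items():
        print(f"{name:14} -> {files}")
```

The age rule selects only `docs/fresh.docx`; `dropper.exe` is skipped because its (forged) mtime is 60 days old, which is the problem the last two replies circle around. The manifest rule selects only `dropper.exe`, since it is the one path that did not exist at the last full scan. A monthly full scan plus a weekly delta, as proposed above, bounds how long a backdated file can hide to one month; tracking a manifest instead of trusting file dates removes that window for new files at the cost of keeping state per machine.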