Hi,
I'm just wondering if it's a good idea to exclude the C:\ drive on READ (and let the scan on WRITE). This way, all other drives will be scan on READ / WRITE including the USB drives.
BTW, we have a full scan (read/write) once a week for all files including .zip, memory, process, all local drive, etc....
Thanks.
Moved to VSE for better support.
---
Peter
Moderator
Hi Stephane,
Welcome to these forums.
stephane.dontigny wrote:
Hi,
I'm just wondering if it's a good idea to exclude the C:\ drive on READ (and let the scan on WRITE). This way, all other drives will be scan on READ / WRITE including the USB drives.
ABSOLUTELY NOT a good idea. Eight to 10 years ago, I too thought this was an acceptable practice.
Since early April 2009, malware like Conficker, have existed which can spread by multiple means (not just USB). The Scan on Write (without Scan on Read) does not catch the infection because of several issues.
During the time the write takes place, the piece of malware can already been loaded into memory and is running by the time the scan on write occurs.
However, Scan on Read actually catches the infection by scanning before loading into memory and before Scan on Write actually happens.
Scan on Read is Essential, so much so, that it should not even be an option any more, in my humble opinion.
Quoting William Warren's Blog:
TLDR version
William Warren speaks at greater length on this in his blogs and I would highly recommend reading his info.
If performance is the issue you wish to address, there are many means available that can improve performance while leaving Scan on Read Enabled.
Consider these links.
McAfee KnowledgeBase - VirusScan Enterprise 8.8 Best Practices Guide
KB55139 — Understanding High-Risk, Low-Risk, and Default processes configuration and usage
On Access Scanner - Improve Performance & Maintain Security
You will need to analyze the bottlenecks in performance, then adjust the OAS process exclusions accordingly. This will be specific to your environment and is not generic.
A tool that may help in identifying the processes that are involved in your environment is available.
see URL=http://mer.mcafee.com/enduser/downloadmcprofiler.aspx
McAfee Profiler captures top processes and files that are accessed by the VirusScan Enterprise (VSE) On-Access Scanner (OAS). Based on the data collected, an administrator can choose files or processes to exclude from scanning to lessen the impact on the system.
Additional information can be found here:
Hope this is Helpful.
Ron Metzger
Thanks Ron, I will take a look at it. For sure, I wont disable the On-Access Scan READ at all.
Thanks again.
Corporate Headquarters
6220 America Center Drive
San Jose, CA 95002 USA