cancel
Showing results for 
Search instead for 
Did you mean: 

VSE 8.8 on-access scan exlusion - USB

Hi,

I'm just wondering if it's a good idea to exclude the C:\ drive on READ (and let the scan on WRITE). This way, all other drives will be scan on READ / WRITE including the USB drives.

BTW, we have a full scan (read/write) once a week for all files including .zip, memory, process, all local drive, etc....

Thanks.

3 Replies
Reliable Contributor exbrit
Reliable Contributor
Report Inappropriate Content
Message 2 of 4

Re: VSE 8.8 on-access scan exlusion - USB

Moved to VSE for better support.

---

Peter

Moderator

Reliable Contributor rmetzger
Reliable Contributor
Report Inappropriate Content
Message 3 of 4

Re: VSE 8.8 on-access scan exlusion - USB

Hi Stephane,

Welcome to these forums.


stephane.dontigny wrote:



Hi,



I'm just wondering if it's a good idea to exclude the C:\ drive on READ (and let the scan on WRITE). This way, all other drives will be scan on READ / WRITE including the USB drives.




ABSOLUTELY NOT a good idea. Eight to 10 years ago, I too thought this was an acceptable practice.

Since early April 2009, malware like Conficker, have existed which can spread by multiple means (not just USB). The Scan on Write (without Scan on Read) does not catch the infection because of several issues.

During the time the write takes place, the piece of malware can already been loaded into memory and is running by the time the scan on write occurs.

However, Scan on Read actually catches the infection by scanning before loading into memory and before Scan on Write actually happens.

Scan on Read is Essential, so much so, that it should not even be an option any more, in my humble opinion.

Quoting William Warren's Blog:

TLDR version

  • Scan When Writing to Disk does not scan while files are being written to disk; it scans files after they have been written to disk. That is also the time files can be Read from disk, meaning, a file can be Opened before the Write Scan occurs or completes. If the Scan When Reading from Disk option is disabled, you can be infected by known malware because it can be launched before the scan occurs.
  • Scan When Writing to Disk does not block access to files until a scan is complete; that is what Scan When Reading from Disk is for.

  • Scan When Writing to Disk does not guarantee a scan will occur; that is what Scan When Reading from Disk is for.

William Warren speaks at greater length on this in his blogs and I would highly recommend reading his info.

If performance is the issue you wish to address, there are many means available that can improve performance while leaving Scan on Read Enabled.

Consider these links.

McAfee KnowledgeBase - VirusScan Enterprise 8.8 Best Practices Guide

KB55139 — Understanding High-Risk, Low-Risk, and Default processes configuration and usage

On Access Scanner - Improve Performance & Maintain Security


You will need to analyze the bottlenecks in performance, then adjust the OAS process exclusions accordingly. This will be specific to your environment and is not generic.

A tool that may help in identifying the processes that are involved in your environment is available.

see URL=http://mer.mcafee.com/enduser/downloadmcprofiler.aspx


McAfee Profiler

McAfee Profiler captures top processes and files that are accessed by the VirusScan Enterprise (VSE) On-Access Scanner (OAS). Based on the data collected, an administrator can choose files or processes to exclude from scanning to lessen the impact on the system.

Additional information can be found here:

Hope this is Helpful.

Ron Metzger

Thanks,
Ron Metzger

Was my reply helpful?
If this information was helpful in any way or answered your question, will you please select Accept as Solution in my reply and together we can help other members?

Re: VSE 8.8 on-access scan exlusion - USB

Thanks Ron, I will take a look at it. For sure, I wont disable the On-Access Scan READ at all.

Thanks again.

More McAfee Tools to Help You
  • Subscription Service Notification (SNS)
  • How-to: Endpoint Removal Tool
  • Support: Endpoint Security
  • eSupport: Policy Orchestrator
  • Community Help Hub

      New to the forums or need help finding your way around the forums? There's a whole hub of community resources to help you.

    • Find Forum FAQs
    • Learn How to Earn Badges
    • Ask for Help
    Go to Community Help

    Join the Community

      Thousands of customers use the McAfee Community for peer-to-peer and expert product support. Enjoy these benefits with a free membership:

    • Get helpful solutions from McAfee experts.
    • Stay connected to product conversations that matter to you.
    • Participate in product groups led by McAfee employees.
    Join the Community
    Join the Community