
VSE 8.8 on-access scan exclusion - USB

Hi,

I'm just wondering if it's a good idea to exclude the C:\ drive on READ (and leave the scan on WRITE). This way, all other drives will be scanned on READ / WRITE including the USB drives.

BTW, we have a full scan (read/write) once a week for all files including .zip, memory, process, all local drives, etc.

Thanks.

3 Replies
exbrit

Re: VSE 8.8 on-access scan exclusion - USB

Moved to VSE for better support.

---

Peter

Moderator

Re: VSE 8.8 on-access scan exclusion - USB

Hi Stephane,

Welcome to these forums.


stephane.dontigny wrote:

Hi,

I'm just wondering if it's a good idea to exclude the C:\ drive on READ (and leave the scan on WRITE). This way, all other drives will be scanned on READ / WRITE including the USB drives.

ABSOLUTELY NOT a good idea. Eight to 10 years ago, I too thought this was an acceptable practice.

Since early April 2009, malware like Conficker has existed which can spread by multiple means (not just USB). The Scan on Write (without Scan on Read) does not catch the infection because of several issues.

During the time the write takes place, the piece of malware can already have been loaded into memory and be running by the time the scan on write occurs.

However, Scan on Read actually catches the infection by scanning before loading into memory and before Scan on Write actually happens.

Scan on Read is Essential, so much so, that it should not even be an option any more, in my humble opinion.

Quoting William Warren's Blog:

TLDR version

  • Scan When Writing to Disk does not scan while files are being written to disk; it scans files after they have been written to disk. That is also the time files can be Read from disk, meaning, a file can be Opened before the Write Scan occurs or completes. If the Scan When Reading from Disk option is disabled, you can be infected by known malware because it can be launched before the scan occurs.
  • Scan When Writing to Disk does not block access to files until a scan is complete; that is what Scan When Reading from Disk is for.

  • Scan When Writing to Disk does not guarantee a scan will occur; that is what Scan When Reading from Disk is for.

William Warren speaks at greater length on this in his blogs and I would highly recommend reading his info.

If performance is the issue you wish to address, there are many means available that can improve performance while leaving Scan on Read Enabled.

Consider these links.

McAfee KnowledgeBase - VirusScan Enterprise 8.8 Best Practices Guide

KB55139 — Understanding High-Risk, Low-Risk, and Default processes configuration and usage

On Access Scanner - Improve Performance & Maintain Security


You will need to analyze the bottlenecks in performance, then adjust the OAS process exclusions accordingly. This will be specific to your environment and is not generic.

A tool that may help in identifying the processes that are involved in your environment is available.

See http://mer.mcafee.com/enduser/downloadmcprofiler.aspx


McAfee Profiler

McAfee Profiler captures top processes and files that are accessed by the VirusScan Enterprise (VSE) On-Access Scanner (OAS). Based on the data collected, an administrator can choose files or processes to exclude from scanning to lessen the impact on the system.

Additional information can be found here:

Hope this is Helpful.

Ron Metzger

Re: VSE 8.8 on-access scan exclusion - USB

Thanks Ron, I will take a look at it. For sure, I won't disable the On-Access Scan READ at all.

Thanks again.