1 Reply Latest reply on Apr 5, 2010 3:09 PM by SamSwift

    VirusScan 8.7i Enterprise - "Scan on Read"

      What are the dangers or risks associated with disabling the "scan on read" option for all processes?  Management at my firm has requested we only scan on write since enabling scanning on read for all processes negatively impacts system performance on both servers and workstations.  They believe that scanning on write is all that is required but I've read that this will expose us to malware that targets memory such as Conficker.  Unfortunately, I have found little information as to why this increases the risk of infection for malware that targets memory.  I would like to state my case but need some help in formulating a convincing argument based on fact not FUD.

        • 1. Re: VirusScan 8.7i Enterprise - "Scan on Read"
          SamSwift

          7-8 years ago support would often advise customers to switch off scan on read. Unfortunately it's somewhat common that scan setting configurations are carried forward as VSE is upgraded without ever reviewing whether or not these settings are good enough to deal with the current threat landscape.

          In answer to your question I would absolutely not recommend you switch this setting off for all processes. The risk is huge, and I have dealt with many outbreaks on customer sites where having the setting disabled has been a contributory cause of both the outbreak and pain during the cleanup. As you know, for malware to get into memory nothing has to be written to the drive.

          All it takes is a user plugging in a USB key with an infected file on it, and potentially your entire network is infected. If you're hit with something new that gets into memory for which we subsequently provide you a DAT file, the machine can literally be riddled, as OAS detections will only occur when any new files are written. Containing an outbreak in this scenario can be difficult if not impossible.

          What's better is to use the high and low risk processes options and configure them accordingly - that way you can control scanning depending on which process touches the file - see KB55139 and KB58692 for more information about this. Be very careful with exclusions too, as they are often inherited from version to version and never reviewed.

          Support can provide you with the VSE 8.5i best practice guide (the advice within very much applies with 8.7i), and if you're interested our professional service team also offer a healthcheck where they can come in and go over your configuration with you.

          I hope this helps,

          Sam