1 Reply Latest reply on May 21, 2010 3:02 AM by Attila Polinger

    Access Protection Vs. On-Access Scan

      I'm using VirusScan Enterprise 8.7.0i. I noticed that in the VirusScan Console, Access Protection is disabled, although the "Prevent McAfee services from being stopped" box is checked. The on-access scan is enabled. What is the difference between Access Protection and on-access scanning? I know that in the past, the access protection rule to prevent mass mailing worms from sending mail caused problems with other software, and although I could uncheck it, it kept re-checking itself. I'm happy not to have to deal with that, but do I need to have access protection enabled? Thank you.

        • 1. Re: Access Protection Vs. On-Access Scan
          Attila Polinger

          Hello,

          Basically, access protection blindly controls access by processes to some specific system areas or ports that are usually targeted by malware. On-access scan hooks file operations and checks file contents (using signatures and heuristics).

          Access protection could be useful to complement the on-access scanner when a so far unidentified (and, for the on-access scanner, invisible) malware performs the usual steps to plant itself, or an already planted malware performs its activity (like sending mail). These steps could include: registration to autorun, registration as a browser helper/start page, registration as a device (CLSID), etc.

          You can use access protection with caution. Normally you can take a strict approach or a delayed approach. The strict approach means you enable blocking and logging of the most characteristic access protection rules that would prevent a trojan installation, then make exceptions to these rules based on feedback from admins or users. The delayed approach means you only enable logging in the same rules, check the access protection logs (or the ePolicy events of the same) often and make exceptions, and after some time you enable blocking.

          You can also create your own access protection rules in case the existing ones do not fully cover your aim.

          As for the rule getting re-checked that you mentioned: a VirusScan client configuration may be controlled centrally by ePolicy Orchestrator via its agent, which enforces this configuration regularly to prevent unwanted local modification of VirusScan. In this case, changes made by you are only temporary.

          Attila
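
As an added example (not part of this thread and not McAfee's own code), the Python below models the behaviour Attila describes: rules keyed on the registry key or TCP port a process touches rather than on file contents, run first in report-only mode (the delayed approach), with exceptions drawn from the log before blocking is switched on. The autorun rule name, process names and events are constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Rule:
    name: str
    target_prefix: str                            # registry path prefix or "tcp:<port>"
    block: bool                                   # False = report only (delayed approach)
    exceptions: set = field(default_factory=set)  # processes the rule lets through

@dataclass(frozen=True)
class AccessEvent:
    process: str   # image name of the process making the access
    target: str    # registry key or "tcp:<port>" it touches (not file contents)

def evaluate(rules, events):
    """Return (rule name, process, action) per hit: 'allowed', 'logged' or 'blocked'."""
    results = []
    for ev in events:
        for rule in rules:
            if not ev.target.startswith(rule.target_prefix):
                continue
            if ev.process in rule.exceptions:
                action = "allowed"
            elif rule.block:
                action = "blocked"
            else:
                action = "logged"
            results.append((rule.name, ev.process, action))
    return results

def tune_from_log(rules, log, trusted):
    """Delayed approach: except trusted processes seen in the log, then enable blocking."""
    by_name = {r.name: r for r in rules}
    for rule_name, process, action in log:
        if action == "logged" and process in trusted:
            by_name[rule_name].exceptions.add(process)
    for rule in rules:
        rule.block = True
    return rules

# Constructed sample data; the autorun rule name is hypothetical, not a real rule ID.
RUN_KEY = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run"
RULES = [
    Rule("Prevent mass mailing worms from sending mail", "tcp:25", block=False),
    Rule("Prevent registration to autorun (hypothetical)", RUN_KEY, block=False),
]
EVENTS = [
    AccessEvent("outlook.exe", "tcp:25"),               # legitimate mail client
    AccessEvent("w32mailer.exe", "tcp:25"),             # constructed worm
    AccessEvent("setup.exe", RUN_KEY + r"\Updater"),    # legitimate installer
    AccessEvent("dropper.exe", RUN_KEY + r"\svch0st"),  # constructed trojan
]
```

Running `evaluate(RULES, EVENTS)` first logs all four hits; after `tune_from_log` with outlook.exe and setup.exe marked trusted, those two are allowed and the other two are blocked.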