I have a user that unwisely downloaded the postalreceipt.zip file and unzipped it. SCCM shows the file existed on the system 22 Jan. It wasn't until a scan was run 7 days later that VSE found and deleted the Trojan.
I have noticed this with several recent detections - SCCM shows the files as of one date but VSE doesn't detect the files until a scan is run.
Shouldn't VSE hit on these files as they are downloaded to the machine, not just during a scan?
It is very possible the file was not known as a threat when originally written to the system; DATs update daily.
It is also possible your ODScan is set to scan archive files where your OAScan is not.
This is one reason I like to schedule daily scans for user folders only; low utilization, targeted scans to reduce complaints. Should take about 5 minutes to complete.
Great idea about scanning user folders daily.
I did check the policy yesterday and found .zip files were excluded from scans. That's enabled now.
I like running the daily scans on user folders, temps & recycle bin. Set the GTI to high or very high; exclude files older than 30 days and set the resource utilization to very low. Scans should go undetected by users.
You will be very surprised what is found in Java and temp folders.
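
The gap discussed in this thread (inventory shows a file on one date, the scanner flags it days later) can be measured by joining the two data sets. The following is an added example, not code from any poster or from SCCM/VSE; the CSV layouts, host names, paths other than the `postalreceipt.zip` file name, the year, and the `OAS`/`ODS` scanner labels are constructed assumptions.

```python
import csv
import io
from datetime import date
from pathlib import PureWindowsPath

ARCHIVE_EXTS = {".zip", ".rar", ".7z", ".cab", ".jar"}

# Constructed sample rows: hosts, paths, the year and both CSV layouts are
# assumptions. These are not real SCCM or VSE export formats.
INVENTORY = r"""host,path,first_seen
PC-014,C:\Users\jdoe\Downloads\postalreceipt.zip,2013-01-22
PC-014,C:\Users\jdoe\AppData\Local\Temp\setup.exe,2013-01-25
PC-031,C:\Users\asmith\Downloads\invoice.zip,2013-01-28
"""
DETECTIONS = r"""host,path,detected,scanner
PC-014,C:\Users\jdoe\Downloads\postalreceipt.zip,2013-01-29,ODS
PC-014,C:\Users\jdoe\AppData\Local\Temp\setup.exe,2013-01-25,OAS
PC-031,C:\Users\asmith\Downloads\invoice.zip,2013-01-29,ODS
"""

def _key(row):
    # Windows paths are case-insensitive, so normalise before joining.
    return row["host"].lower(), row["path"].lower()

def detection_gaps(inventory_csv, detections_csv, max_lag_days=0):
    """Return detections made more than max_lag_days after first sighting."""
    first_seen = {_key(r): date.fromisoformat(r["first_seen"])
                  for r in csv.DictReader(io.StringIO(inventory_csv))}
    gaps = []
    for r in csv.DictReader(io.StringIO(detections_csv)):
        seen = first_seen.get(_key(r))
        if seen is None:
            continue  # no inventory record to compare against
        lag = (date.fromisoformat(r["detected"]) - seen).days
        if lag > max_lag_days:
            ext = PureWindowsPath(r["path"]).suffix.lower()
            gaps.append({
                "host": r["host"], "path": r["path"],
                "lag_days": lag, "scanner": r["scanner"],
                # An archive caught only by the on-demand scan suggests the
                # on-access policy is not scanning archives.
                "check_oas_archive_policy":
                    r["scanner"] == "ODS" and ext in ARCHIVE_EXTS,
            })
    return sorted(gaps, key=lambda g: g["lag_days"], reverse=True)

if __name__ == "__main__":
    for gap in detection_gaps(INVENTORY, DETECTIONS):
        print(gap)
```

A long lag on an archive that only the on-demand scan caught points at the on-access archive setting; a long lag on a non-archive file is more consistent with the DAT not yet knowing the threat when the file was written.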