5 Replies. Latest reply: Mar 13, 2014 7:24 AM by iwhy

    Choice of time for running Active User On Demand Scan in VSE8.8

    iwhy

      Hi, I have a question about the Active User On Demand Scan in VSE8.8.

      As recommended by the VSE8.8 best practice guide, we should run this Active User On Demand Scan weekly or even daily. My question is: when is the best time to run this scheduled task if the scan frequency is set to daily? Are there any considerations on the choice of scan time for it? My understanding is that the scan task is triggered only if a user is logged on to the system during the scheduled time. If no active user ever logs on to a system on a particular day, no scan will be run? Is this understanding correct? My experience is that if the scheduled time is set at 10AM in the morning, which is normally the "peak hours" for users to log in and carry out their daily jobs heavily with systems and applications, it will quite often cause high CPU utilization. If we change the scan time to "non-peak hours", like lunch hours or even off-office hours, for this Active User On Demand Scan daily task, can this choice of time be justified? Thanks

       

        • 1. Re: Choice of time for running Active User On Demand Scan in VSE8.8
          frank_enser

          Hi,

           

          The ODS will also start if there is no user logged on. Normally you schedule the ODS on servers in non-peak hours (nights, weekends, ...). You will ALWAYS get complaints from users with ODS on workstations :-). So be sure to set the ODS system utilization within the client task to low, so the impact on end users will be minimal.

          • 2. Re: Choice of time for running Active User On Demand Scan in VSE8.8
            rmetzger

            Hi iwhy,

             

            Welcome to the forums.

            iwhy wrote:

             

            As recommended by the VSE8.8 best practice guide, we should run this Active User On Demand Scan
            weekly or even daily.

            This is true, but depends on your site's needs and activities. Laptops and portable devices are much harder to control, and some desktop use may need more or less controlled scans based on likely user activity. Servers complicate this even further.

             

             

            iwhy wrote:

             

            My question is: when is the best time to run this scheduled

            task if the scan frequency is set to daily?

            Are there any considerations on the choice of scan time for it?

            Several 'things' might adjust the schedule. I set up several different scans that run at different times throughout the week.

            1) Daily Scan, 5:30 pm local: RAM, Rootkit, Processes, Profile, exclude MAPI on systems with large email storage

            2) Weekly Scan, 5:30 pm local, Wednesday: RAM, Rootkit, Processes, Local Hard Drives, exclude MAPI on systems with large email storage

            3) Weekly Scan, 5:30 pm local, Sunday: Full Scan, includes everything

             

            In each case, I make sure to get DAT updates prior to Scan. This usually is the biggest performance hit noticed by users.

            Also, set Scan Priority to Low, to minimize performance impact.

             

            Scan 1) Generally doesn't impact performance much. Since I have it scheduled just after regular users have left for the day, I don't get any real problems. However, I do schedule a scan to start within 15 minutes (with a random 15-minute delay) if the user left the computer off the night before.

             

            Scan 2) Same as Scan 1 above, taking priority over Scan 1. I use Wednesday as this is the least likely day to be taken off or have a holiday, which might leave the system off.

             

            Scan 3) Full scan, run on the day least likely to interfere with users and performance. I set this scan to run against the entire drive including large MAPI data stores, which can take many hours. So, my users return Monday morning and this scan has completed.

             

             

            iwhy wrote:

             

            My understanding is that the scan task is triggered only if a user is logged on to the system

            during the scheduled time. If no active user ever logs on to a system on a particular

            day, no scan will be run?

            Is this understanding correct?

            No. As Frank Enser stated, the user does not need to be logged on. The ODS jobs actually run as System, not as a User. As long as the computer is on, the job will run. I typically tell my clients to either Log off or Restart their system prior to leaving at night. (To save energy, I suggest shutting down only the monitor. This leaves the CPU running and able to receive updates, run scans, backup, etc.) Having the user restart or log off ensures that there are no programs still running which could interfere with nightly processes.

             

             

            iwhy wrote:

             

            My experience is that if the scheduled time is set at 10AM in the morning, which is normally
            the "peak hours" for users to log in and carry out their daily jobs heavily with systems and
            applications, it will quite often cause high CPU utilization.

            Set the ODS Scan Priority to Low. This should minimize its impact on performance.

             

             

            iwhy wrote:

             

            If we change the scan time to "non-peak hours", like lunch hours or even off-office

            hours, for this Active User On Demand Scan daily task, can this choice of time be justified?

            It's all about the complete strategy you need. I think it works better to adjust to the end-user needs, not just sticking to the defaults. See my strategy above. Your mileage may vary.

             

            A good guide to read might be "VSE v8.8 Best Practices Guide"

            http://kc.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/22000/PD22940/en_US/vse_880_best_practices_guide.pdf

             

             

            Good luck; I hope this helps.

            Ron Metzger

             

            Message was edited by: rmetzger (Improve readability) on 3/11/14 12:11:57 PM EDT

             

            Message was edited by: rmetzger (Added link) on 3/11/14 12:22:35 PM EDT
            • 3. Re: Choice of time for running Active User On Demand Scan in VSE8.8
              iwhy

              Hello, Frank & Ron, Many thanks for your answers & help.

               

              Frank's answer lets me know I had a wrong understanding of how the active user ODS works. This basic misconception led to setting the scheduled scan time at 10AM daily, when the users should log on to systems, so that I supposed the scan job would probably not be missed. Now I know I can set it at any point of time regardless of user logon status. Just a further query, why is this scan named as "Active User" scan?

               

              Ron's explanation helps a lot. It gives me a useful case for reference. I think I will start working on it in a similar way: figure out a complete strategy based on my environment as well as user needs; break down the regular scan into more granular sub-scans; etc.

               

              Thanks again, I feel I will learn a lot of knowledge/best practices from this forum in the future, this is great.

              • 4. Re: Choice of time for running Active User On Demand Scan in VSE8.8
                rmetzger

                Hi iwhy,

                iwhy wrote:


                Just a further query, why is this scan named as "Active User" scan?

                 

                Thanks again, I feel I will learn a lot of knowledge/best practices from this forum in the future, this is great.

                I think "Active User" scan means creating a scan where the user might be actively using the system. In this case, respect what is scanned so as not to overly burden the system (performance).

                 

                Typically, it is called an On-Demand Scan (ODS). On-Demand can be scheduled via the ePO, Jobs within VirusScan Console, or Interactive by the request of the End User.

                 

                 

                Best Practices Guide, pg 15, wrote:

                 

                Configuring Essential Security

                7. Configuring regular on-demand scans

                 

                Configuring frequent active user on-demand scans

                 

                McAfee suggests configuring specific active user workstation on-demand scans, as opposed to

                server on-demand scans. These active user on-demand scans should be run more frequently

                than other scans, but since they have limited locations to scan should not impact the users.

                 

                These scans only include the following scan locations:

                • User profile folder

                • Cookies

                • Temp folder

                • Registry

                • Registered files

                • Windows folder

                 

                These scan locations are frequent targets of malware attacks and should be scanned at least

                weekly, or even daily.

                Glad to help. Look forward to your questions.

                 

                Thanks,

                Ron Metzger

                 

                Message was edited by: rmetzger on 3/11/14 1:19:52 PM EDT

                 

                Message was edited by: rmetzger on 3/11/14 1:26:27 PM EDT
                • 5. Re: Choice of time for running Active User On Demand Scan in VSE8.8
                  iwhy

                  Tks, I will update this thread after the Active User ODS scan is adjusted/tested.