3 Replies Latest reply on Oct 28, 2015 2:28 PM by stephane.dontigny

    VSE 8.8 on-access scan exclusion - USB

    stephane.dontigny

      Hi,

       

      I'm just wondering if it's a good idea to exclude the C:\ drive on READ (and leave the scan on WRITE). This way, all other drives will be scanned on READ / WRITE including the USB drives.

       

      BTW, we have a full scan (read/write) once a week for all files including .zip, memory, process, all local drives, etc.

       

      Thanks.

        • 1. Re: VSE 8.8 on-access scan exclusion - USB
          exbrit

          Moved to VSE for better support.

          ---

          Peter

          Moderator

          • 2. Re: VSE 8.8 on-access scan exclusion - USB
            rmetzger

            Hi Stephane,

             

            Welcome to these forums.

            stephane.dontigny wrote:

             

            Hi,

             

            I'm just wondering if it's a good idea to exclude the C:\ drive on READ (and leave the scan on WRITE). This way, all other drives will be scanned on READ / WRITE including the USB drives.

            ABSOLUTELY NOT a good idea. Eight to 10 years ago, I too thought this was an acceptable practice.

             

            Since early April 2009, malware like Conficker has existed which can spread by multiple means (not just USB). The Scan on Write (without Scan on Read) does not catch the infection because of several issues.

             

            During the time the write takes place, the piece of malware can already have been loaded into memory and be running by the time the scan on write occurs.

            However, Scan on Read actually catches the infection by scanning before loading into memory and before Scan on Write actually happens.

             

            Scan on Read is Essential, so much so, that it should not even be an option any more, in my humble opinion.

             

            Quoting William Warren's Blog: On Access Scanner: Write Scan - It doesn't work like that.

            TLDR version

            • Scan When Writing to Disk does not scan while files are being written to disk; it scans files after they have been written to disk. That is also the time files can be Read from disk, meaning, a file can be Opened before the Write Scan occurs or completes. If the Scan When Reading from Disk option is disabled, you can be infected by known malware because it can be launched before the scan occurs.
            • Scan When Writing to Disk does not block access to files until a scan is complete; that is what Scan When Reading from Disk is for.
            • Scan When Writing to Disk does not guarantee a scan will occur; that is what Scan When Reading from Disk is for.

             

            William Warren speaks at greater length on this in his blogs and I would highly recommend reading his info.

             

            If performance is the issue you wish to address, there are many means available that can improve performance while leaving Scan on Read Enabled.

             

            Consider these links.

            McAfee KnowledgeBase - VirusScan Enterprise 8.8 Best Practices Guide

            KB55139 — Understanding High-Risk, Low-Risk, and Default processes configuration and usage

            On Access Scanner - Improve Performance & Maintain Security


            You will need to analyze the bottlenecks in performance, then adjust the OAS process exclusions accordingly. This will be specific to your environment and is not generic.

             

            A tool that may help in identifying the processes that are involved in your environment is available.

            See http://mer.mcafee.com/enduser/downloadmcprofiler.aspx


            McAfee Profiler

            McAfee Profiler captures top processes and files that are accessed by the VirusScan Enterprise (VSE) On-Access Scanner (OAS). Based on the data collected, an administrator can choose files or processes to exclude from scanning to lessen the impact on the system.

            Additional information can be found here:

             

            Hope this is Helpful.

            Ron Metzger

            • 3. Re: VSE 8.8 on-access scan exclusion - USB
              stephane.dontigny

              Thanks Ron, I will take a look at it. For sure, I won't disable the On-Access Scan READ at all.

               

              Thanks again.