4 Replies Latest reply on Jul 27, 2016 9:26 AM by PhilR

    On Demand Scan Detecting Items Missed by On Access Scan

    McDuff

      Greetings

       

Wondering if you can help solve this mystery.  We're noticing that our weekly on-demand scanner is finding malware, but we're wondering why this malware is not being discovered by our on-access scanner, since we have it enabled for both read and write, with minimal exclusions and none in the locations where the malware is found (usually somewhere like c:\Documents and Settings\<user>\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5). The only thing I can think of is that perhaps the malware was written to disk before the DAT file was able to recognize it.

       

Any ideas?  Is there any way that malware can be written to disk without the on-access scanner discovering it, yet the on-demand scanner can discover it?

        • 1. Re: On Demand Scan Detecting Items Missed by On Access Scan
          dvarnell

If the file got onto disk before it was added to the production DATs, then this could happen. If you restore the file from quarantine, then attempt to access the file (such as right-click -> Properties), does it get detected by the OAS? Also, if it is being detected by Artemis, you may have a higher sensitivity set on your ODS compared to your OAS.

          • 2. Re: On Demand Scan Detecting Items Missed by On Access Scan
            rmetzger

            McDuff wrote:

             

We're noticing that our weekly on-demand scanner is finding malware, but we're wondering why this malware is not being discovered by our on-access scanner, since we have it enabled for both read and write, with minimal exclusions and none in the locations where the malware is found (usually somewhere like c:\Documents and Settings\<user>\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5). The only thing I can think of is that perhaps the malware was written to disk before the DAT file was able to recognize it.

             

Any ideas?  Is there any way that malware can be written to disk without the on-access scanner discovering it, yet the on-demand scanner can discover it?

            What you are observing is exactly why an On-Demand Scan is needed.

             

On-Access catches only what is read and written in real time, with whatever DAT signatures are currently installed. As new malware is discovered, DAT signatures get updated relatively soon after the discovery. Files previously written to disk, before the signatures and DAT files are updated, can remain on the disk for a substantial time. If that file is neither read nor moved, the On-Access Scanner, even with updated DAT files, will not see the malware-infected files.

             

            Thus, the On-Demand Scanner (ODS) is employed to catch what the On-Access Scanner misses. With proper configuration, the ODS can minimize exposure and acts as one more layer of protection against security threats.

             

With only the limited info provided, it sounds like your configuration is working as expected. As the number of nodes increases, so will these discoveries. I would feel good about the discoveries, but would take further action as needed. I would look at what is discovered and on what nodes, then evaluate whether better user education or increased scanning on those nodes would be useful. Check the logs and follow through on whatever additional steps may be needed to keep your customer base secure. Document what is happening, the steps you take, and the reasons. Use that later to get buy-in from management and to justify budgets and raises.

             

            Sounds like you are staying on top of things. Keep up the good work.

             

            Thanks, and good luck.

             

            Ron Metzger
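To make the timing gap Ron describes concrete, here is an added example (not code from the thread or from McAfee): a small model of an endpoint where the on-access scanner (OAS) checks a file only on read or write, using the DAT installed at that moment, while the on-demand scanner (ODS) walks every file with the DAT current at scan time. The DAT version numbers, file hashes and paths are constructed for the example; the two scenarios show a file written before its signature existed being missed by OAS and found by ODS, and the "restore and open it" test from the first reply, where a later access does trigger OAS.

```python
"""Model of why an on-demand scan finds what the on-access scanner missed.

Added example, not McAfee's engine. Simplifications: detection is by
content hash; a signature is a (hash -> DAT version that first detects it)
entry; OAS scans only on read/write; ODS scans every file on disk.
"""
from dataclasses import dataclass, field

# Constructed sample data (hypothetical hashes, versions and paths).
SIGNATURES = {
    "sha256:aaaa": 8001,  # detection added one DAT after the file arrived
    "sha256:bbbb": 7990,  # long-known sample
}
DROPPER = r"C:\Users\alice\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\dropper[1].js"
OLD_SAMPLE = r"C:\Users\alice\Downloads\old_sample.exe"


@dataclass
class Endpoint:
    dat_version: int
    signatures: dict
    files: dict = field(default_factory=dict)            # path -> content hash
    oas_detections: list = field(default_factory=list)   # caught in real time
    ods_detections: list = field(default_factory=list)   # caught by scheduled scan

    def known_bad(self, content_hash: str) -> bool:
        """True only if the installed DAT already carries a signature for it."""
        added_in = self.signatures.get(content_hash)
        return added_in is not None and added_in <= self.dat_version

    def _on_access(self, path: str) -> None:
        content_hash = self.files.get(path)
        if content_hash is not None and self.known_bad(content_hash):
            self.oas_detections.append(path)
            del self.files[path]          # quarantined

    def write(self, path: str, content_hash: str) -> None:
        self.files[path] = content_hash
        self._on_access(path)             # scan-on-write with the current DAT

    def read(self, path: str) -> None:
        self._on_access(path)             # scan-on-read with the current DAT

    def update_dat(self, version: int) -> None:
        self.dat_version = version        # nothing on disk is re-examined here

    def on_demand_scan(self) -> None:
        for path, content_hash in list(self.files.items()):
            if self.known_bad(content_hash):
                self.ods_detections.append(path)
                del self.files[path]


def run_never_touched():
    """File lands before its signature exists and is never opened again."""
    ep = Endpoint(dat_version=8000, signatures=SIGNATURES)
    ep.write(OLD_SAMPLE, "sha256:bbbb")   # known sample: OAS catches it on write
    ep.write(DROPPER, "sha256:aaaa")      # DAT 8000 < 8001: OAS lets it through
    ep.update_dat(8001)                   # signature now present, file untouched
    ep.on_demand_scan()                   # weekly scan walks the disk
    return ep.oas_detections, ep.ods_detections


def run_restored_and_opened():
    """Same file, but it is accessed after the DAT update (right-click test)."""
    ep = Endpoint(dat_version=8000, signatures=SIGNATURES)
    ep.write(DROPPER, "sha256:aaaa")
    ep.update_dat(8001)
    ep.read(DROPPER)                      # any access now triggers OAS
    ep.on_demand_scan()                   # nothing left for ODS to find
    return ep.oas_detections, ep.ods_detections


if __name__ == "__main__":
    print("never touched:", run_never_touched())
    print("opened after update:", run_restored_and_opened())
```

The model is deliberately stripped down (no heuristics, no Artemis/cloud lookups, no rescans after a DAT update), which is exactly the condition under which the scheduled ODS is the only thing that revisits files already sitting on disk.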

            • 3. Re: On Demand Scan Detecting Items Missed by On Access Scan
              aus_mick

I agree with Ron's comments. If you're finding a large number of misses by the OAS, then you might consider reviewing the McAfee best practice recommendations for ODS and implementing a daily scan of the locations most vulnerable to malware infection (refer to KB74059).

               

As a sidebar, I recommend you exercise caution when implementing scan exclusions in both the OAS and ODS components. In my opinion your approach should be to treat scan exclusions across the OAS/ODS components as mutually exclusive, to avoid the scenario where a file is never scanned, e.g. OAS exclusion: C:\myfolder\*.doc and ODS exclusion: C:\myfolder\. If you're having performance issues attributable to OAS, then I suggest you investigate whether low/high risk process policies are appropriate. William Warren (wwarren) has written an article that articulates this beautifully (refer here).

               

              HTH,

              Mick

              • 4. Re: On Demand Scan Detecting Items Missed by On Access Scan
                PhilR

                As a file can't do damage without being accessed, On-Access scans should be enough.

                 

                Consider the risk of havoc wreaked by a bad false-positive in an on-demand scan.

                 

                Cheers,

                 

                Phil