texastwostep

Symantec scanning workstations?? Not so sure.

We are running Symantec on our server.  I know for a fact that our anti-virus definitions are being updated daily or as needed.  I see that scans are set to run on each workstation from the server side software.  However, it appears that it's only scanning when they log in, and when I view their history on their local desktops it shows a 'defwatch scan.'  I looked up defwatch on Symantec.com and it appears that it's only scanning memory, for spyware and adware.  This scan takes less than 1 minute.

a.  Shouldn't there be a scan run on boot sector at least?  How can I set that on my server side software?  I do not see the option anywhere.
b.  Once a week?
c.  I'd like to view the logs of each to make sure a full scan was run.
d. Do they need to be logged out, programs closed, rebooted or what?

I'm not even sure I'm getting a full scan on my server so I'd like to check that too.

Thanks.

texastwostep >>
fostejo

texastwostep,

You don't mention which version of Symantec A/V you're using, but if it's one of the later versions, the following article describing the QuickScan technology may be of use.  QuickScan scans just the files currently loaded in memory and "common virus and security risk loading points".

http://service1.symantec.com/SUPPORT/ent-security.nsf/4c7874c886a9bb0c88256fc700654267/08fc207241a2f52288256fd50080ab9b?OpenDocument&src=bar_sch_nam&seg=ag 

The same page also details how to disable this functionality.

cheers,
texastwostep

ASKER

Maybe I didn't phrase my question correctly.

What I want to know is:
Should I be scanning for more than just those files currently loaded in memory?
Should I do a full scan once a week?

We are behind a Firewall.  Using version 10.0.

Thanks.
texastwostep,

The QuickScan technology (as described via the link in my first post) is designed to avoid having to do a 'full' scan each time.

It could be seen to work as follows perhaps ... as new virus definitions arrive, QuickScan 'knows' the machine is already clean (from the last full / quick scan and the real-time protection) and will therefore just do a 'quick scan' of the relevant Registry/File 'entry points' for the NEW viruses/malware in the latest definitions.  (Bear in mind this is probably an over-simplistic view of what actually happens in real-life!)

However, to answer your second point... definitely 'Yes' - it's good practice to do periodic full scans of all your systems - how often really depends upon the other (boundary) defences you have in place perhaps, how much impact the full scan has on the computer/user and how paranoid you are!  However, a weekly scan is probably a good maximum period between scans.

cheers,
Thank you.  Any way to view a log on the server or workstation to see if there were any 'things' that stood out?  I am really having a problem with Symantec!
Defwatch scan is also the scan that runs after a virus definitions update.  What happens is after a virus def update defwatch kicks in and scans the quarantine to see if it can repair any of the viruses it caught.  Since most all viruses nowadays are purely viral code they will never be repaired.  I would recommend disabling defwatch scan altogether.

Open the Symantec System Center
unlock your server group and right click your primary server
go to all tasks-->Symantec Antivirus-->Quarantine Options
Under the part that says "when new virus definitions arrive"
set it to do nothing

If you would like to view the logs of a server
in the Symantec System Center
right click the server and all tasks-->Symantec Antivirus-->logs and then whichever log you would like to view

If you want to look at the logs of a client individually you have to do a couple of things first

In the Symantec System Center
click tools-->ssc console options
go to the client display tab
check the boxes and click apply
now you will see all of the clients and be able to right click on them and all tasks-->Symantec Antivirus-->logs same as the server

Give fostejo credit as the quick scan will show as a defwatch scan as well.

If you check your logs you will also see that there is a defwatch scan corresponding to every single LiveUpdate definition update.

Hope this helps friend!
ASKER CERTIFIED SOLUTION
soundguymike

I see on my server it is only running defwatch several times a day.  Is that sufficient?  Thanks.