sunhux
asked on
Guideline for zipped & non zip files to be excluded from scanning
Trend's Deep Security has given us a list of files (DB, certain SharePoint files etc.) to be excluded from
their AV scan as they will cause issues.
Trend's support has advised that zip files (esp those with many files zipped into one zip) will take
more resources to be unzipped, scanned & was told Deep Security will rezip it back. They advised
that malware/viruses usually tend to infect smaller files & rarely infect big files but did not give
specific sizing of the files & the size of zip & non-zip files that will trigger systems performance
impact.
Does anyone / any other AV product have any white paper / guidelines on
a) what's the file size above which malware generally won't infect
b) at what sizings (& number of files in a zip) that it's recommended
not to scan so as not to affect performance. In particular I have
customer/tenants that use our facilities & publish zip & non-zip
files & I would say it's fair if it takes 30 seconds to scan a published
file, above which, the user will get unhappy
We run DS on-demand and realtime scan in Windows 2008 R2,
RHEL 5.x/6.x (realtime only) & Solaris x86 (on-demand)
ASKER
Just thought of MS Excel (& a recent Powerpoint vulnerability) that may
have malicious macros : Ok, the largest Excel/Ppt file I've seen is 20MB.
We may have users uploading Excel to Sharepoint servers/VMs, so I
guess 20 MB is a decent magical number
Yep, test it as a form of profiling, and I should see this magic no. isn't going to pose any issue to the TM DS unless support advises otherwise.
ASKER
& will need to view the outputs of the scan results on-the-fly, I would
say 20-30 secs of scanning is the max they can wait before they get
frustrated.
So be it zip or non-zip files, I'm trying to work out what is this 'magic'
figure of the file sizing, above which the scan will take more than 20
secs
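
One way to run the profiling discussed in this thread, as an added example that is not part of any post here: build benign zip archives of known size and member count, time a scan of each, and estimate the payload size at which the scan reaches the time budget. The names `make_zip`, `stand_in_scan`, `profile` and `size_at_budget` are hypothetical, `stand_in_scan` is a placeholder to be replaced by a call into the real scanner, and the straight-line extrapolation is an assumption to be checked against measurements near the estimated size.

```python
import hashlib, io, os, time, zipfile

def make_zip(entries, entry_bytes):
    """Constructed sample: in-memory zip of random (incompressible) members."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for i in range(entries):
            zf.writestr(f"sample_{i:05d}.bin", os.urandom(entry_bytes))
    return buf.getvalue()

def stand_in_scan(blob):
    """ASSUMPTION: placeholder for the real scan; unpacks and hashes each member."""
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            hashlib.sha256(zf.read(info)).digest()

def profile(scan, shapes, clock=time.perf_counter):
    """Time scan() per (entries, entry_bytes) shape -> (payload_bytes, entries, seconds)."""
    rows = []
    for entries, entry_bytes in shapes:
        blob = make_zip(entries, entry_bytes)
        start = clock()
        scan(blob)
        rows.append((entries * entry_bytes, entries, clock() - start))
    return rows

def size_at_budget(rows, budget_s):
    """Fit seconds = a + b * bytes by least squares; return bytes where it hits budget_s."""
    n = len(rows)
    if n < 2:
        raise ValueError("need at least two measurements")
    xs = [r[0] for r in rows]
    ys = [r[2] for r in rows]
    mx, my = sum(xs) / n, sum(ys) / n
    sxx = sum((x - mx) ** 2 for x in xs)
    if sxx == 0:
        raise ValueError("need at least two different payload sizes")
    slope = sum((x - mx) * (y - my) for x, y in zip(xs, ys)) / sxx
    if slope <= 0:
        return None  # time did not grow with size in this sweep
    return max(0.0, (budget_s - (my - slope * mx)) / slope)

if __name__ == "__main__":
    # Sweep size at a fixed member count; repeat with other counts to see per-member cost.
    rows = profile(stand_in_scan, [(100, kb * 1024) for kb in (16, 64, 256)])
    for payload, entries, secs in rows:
        print(f"{payload:>10} bytes  {entries:>4} members  {secs:.3f}s")
    print("estimated size at 30 s:", size_at_budget(rows, 30.0))
```

Run the sweep on each platform separately, since real-time and on-demand scans on different operating systems will not share one figure.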