sunhux asked:
Benefit of running scheduled manual AV scan on top of existing realtime/on-access AV scans

Over the years, I've heard of scheduled scans being run on laptops (& servers as well)
even though a realtime/on-access scan (i.e. detection/scanning of newly created/uploaded or
modified/updated files instantaneously) is in place.

Does such a scheduled scan (usually of almost all files/folders on the server) provide
any additional benefit, considering the realtime scan would have scanned & cleaned
away infected files earlier, as it is instantaneous?

I've noticed at a couple of sites that the scheduled scans run during lunch hours
& this slows down the laptops of users who work during lunch hours, so there's
this disbenefit of running scheduled scans.
sunhux (asker):
https://support.microsoft.com/en-us/kb/952167
https://support.microsoft.com/en-us/kb/822158

Referring to the above links, I just thought of one such benefit/justification for running
scheduled manual scans:
a) folders of certain apps, e.g. SharePoint, where files get uploaded/created,
    are recommended to be excluded from the realtime scan to prevent
    'access errors'.  As these uploaded files are not scanned by the realtime scan,
     they pose a potential risk as they can be infected;
b) thus, it's good to supplement with scheduled scans to scan such folders
    during off-peak hours when files are not being uploaded/created into
    such folders (another example is the upload folders of FTP & SFTP servers,
    which I've heard about).

Q2 (Q1 is the 1st posting):
Is the above a valid reason/benefit for scheduled AV scans?

Q3:
Any other benefit/purpose for running scheduled scans?

Q4:
Next question:
If the above is the case, then should the scheduled scans be targeted
to scan only those folders excluded from realtime scans?  At many sites,
they still scan the entire server (at off-peak hours); why is that so?

Let me guess:
if an infected file in one of the 'realtime excluded' folders were to be moved
to another folder which is also excluded from the realtime scan, this infected file
won't be detected, so it's best to scan the entire server?  Doesn't sound like a
good reason, or does it?

Or are there other reasons, like new folders getting created, so that a full
scan which automatically covers all new folders (& realtime is not set to
auto-scan new folders) is needed?

Feel free to brainstorm & appreciate any views
sunhux (asker):
Q5:
Any possibility that the realtime scan may not uncover malware resident
in memory while a full scan will detect malware resident in memory
(which has yet to be written to disk)?  In particular, I'm referring to
Trend Micro's Deep Security anti-malware.

Q6:
What about encrypted files (that contain an infection/malware) that
have just been decrypted: will the realtime scan detect such a decrypted
file?

Q7:
Certain file extensions such as .mdb, .lck (lock files) & .srt (sort files)
are excluded from the realtime scan universally.  So is it good practice
that the scheduled scans should scan such file extensions, or should they still
exclude them so as not to create issues for apps?

Q8:
Any differences in the way realtime & scheduled scans lock files &
folders?
SOLUTION by btan (text not shown)
sunhux (asker):
One question that I don't have a good justification for is:
why doesn't the scheduled scan only scan folders that
are excluded from the realtime scan?  In many places, the
scheduled scan is set to scan almost the entire server (with only
a few folders excluded): this includes laptop &
desktop AV scheduled scans.  Or are all those sites not
adopting the optimal practice of doing scheduled scans on
'excluded' folders only?

During a scheduled scan, will realtime be disabled? It will not, as the machine still needs protection.

During a scheduled scan, you can still opt to scan with specific exclusions, like big files and folders with many child folders etc. It need not be a whole-system scan, but is that recommended in general?
It is up to company practices and the time allowed for such a scan, as the period to perform it may differ (lunch or evening). Operationally, different configs for scheduled scans complicate things and are subject to erroneous config if not managed well. But as a whole, the assurance of a sanity scan of the whole system can only be concluded best if the scheduled scan, without errors and exception cases, can ascertain it, as compared to the realtime access scan. The objective is different. Compliance looks at both scans in a different light, e.g. the scheduled scan for overall system posture, in compliance with signed-off completed reports in audit, and the realtime scan for continuous on-demand access checks as part of the machine hardening regime.
sunhux (asker):
The compliance signoff sounds like a reasonable justification.

My vendor can't answer my question below:
suppose during a period when the realtime scan is down (say during maintenance
or in single-user mode on Linux), an infected file is introduced into the
system (& assuming the date/time stamp of this infected file is a date prior
to or during the maintenance window); when the realtime AV scan resumes
functioning, will it detect this infected file, or will it go undetected because
its creation/modified date/time was earlier?

If the realtime scan tracks new/changed files by date/time instead of by changes to
the file index (i.e. files that were just reflected in the index), then this is one possible
crack that the realtime scan will miss and which will be caught by the scheduled scan.
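The scenario in the post above, as an added example that is not part of the thread and not taken from any AV product: a constructed directory tree in which one "infected" file (a placeholder marker string, not a real signature) was dropped with a backdated timestamp while on-access scanning was down. A catch-up scan that selects files by modification time misses it, a scheduled scan scoped only to the realtime-excluded folder misses it as well, and only the full scheduled walk finds it. The folder names, the one-hour and one-day offsets and the marker string are all assumptions made for the illustration.

```python
"""Added example (not from the thread or any AV vendor): why a scan that
selects files by modification time can miss a file introduced while the
on-access scanner was down, and why a scheduled scan scoped only to the
folders excluded from on-access scanning can miss it too.

Everything here is constructed: the directory layout, the file names, the
marker string standing in for an infected file, and the cut-off times.
"""
import os
import shutil
import tempfile
import time
from pathlib import Path

MARKER = b"hello_i_am_a_virus"  # placeholder "infection", not a real signature
DAY = 86400


def build_fixture() -> Path:
    """Create the constructed sample tree.

    'uploads' stands in for a SharePoint/FTP upload folder that is excluded
    from on-access scanning; 'docs' is an ordinary folder that on-access
    scanning normally covers.
    """
    root = Path(tempfile.mkdtemp(prefix="avscan_"))
    (root / "docs").mkdir()
    (root / "uploads").mkdir()
    (root / "docs" / "report.txt").write_bytes(b"quarterly numbers\n")
    (root / "uploads" / "invoice.exe").write_bytes(MARKER + b"\n")
    dropped = root / "docs" / "dropped.dll"
    dropped.write_bytes(MARKER + b"\n")
    # Backdate the dropped file by one day, as an attacker (or a restore from
    # an old backup) might, so it appears to pre-date the maintenance window.
    old = time.time() - DAY
    os.utime(dropped, (old, old))
    return root


def is_infected(path: Path) -> bool:
    """Trivial stand-in for a detection engine: look for the marker bytes."""
    return MARKER in path.read_bytes()


def incremental_scan(root: Path, since: float) -> list:
    """Mimic a scanner that trusts timestamps: only files modified after
    `since` are examined.  Returns the infected files it actually saw."""
    return sorted(
        p.relative_to(root).as_posix()
        for p in root.rglob("*")
        if p.is_file() and p.stat().st_mtime > since and is_infected(p)
    )


def scheduled_scan(root: Path, only_dirs: tuple = ()) -> list:
    """Mimic a scheduled scan: every file under `root` is examined regardless
    of timestamps.  `only_dirs` narrows the scan to the named top-level
    folders (the 'scan just the realtime-excluded folders' policy)."""
    found = []
    for p in root.rglob("*"):
        if not p.is_file():
            continue
        rel = p.relative_to(root)
        if only_dirs and rel.parts[0] not in only_dirs:
            continue
        if is_infected(p):
            found.append(rel.as_posix())
    return sorted(found)


def demo() -> dict:
    """Run the three scan policies over the fixture and return what each found."""
    root = build_fixture()
    try:
        # On-access scanning was off until an hour ago (assumption); a
        # timestamp-based catch-up only looks at files changed since then.
        maintenance_end = time.time() - 3600
        return {
            "incremental": incremental_scan(root, maintenance_end),
            "excluded_only": scheduled_scan(root, only_dirs=("uploads",)),
            "full": scheduled_scan(root),
        }
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for policy, hits in demo().items():
        print(f"{policy:14s} -> {hits}")
```

Running it prints one line per policy; only the `full` walk lists `docs/dropped.dll`. The takeaway is the one the asker suspects: a scan whose selection rule is "changed since the last run" is only as good as the timestamps it trusts, so a periodic walk that ignores timestamps is the check that closes the gap.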
ASKER CERTIFIED SOLUTION (text not shown)
sunhux (asker):
Note:
- Perform a full manual scan on a server prior to running the actual backup task.
- We recommend that weekly scheduled scans are performed on all protected machines....

Which references or Trend Micro docs were the above statements extracted from?
I need to use them as support.

From the Trend Micro best practice guide in the PDF link that I shared in the previous post.
Hello,

Before I proceed with a post which is in relation to your question(s) and topic (which hopefully will be found useful by either yourself or someone else at some point in time), I shall note that I used to be a developer for Anti-Virus security software which I owned.

When you are using a security product for real-time protection, there is no guarantee that every single piece of malicious software (also referred to as "malware" - this includes but is not limited to viruses, worms, spyware, rootkits) will be detected by that security vendor. The reason for this is that every vendor (company) may have different methods of analysing the files, such as different databases for the signatures used in the scanning (methods such as MD5, SHA-1, SHA-256 for simple hash checksum detection) and heuristic detection. Some Anti-Virus products include the same detection methods; however, they will not be 100% the same since they will be made by their own company. Some vendors even use other vendors' engines (however they would be licensed and given permission to do so - even then the detection may not be the same for all files).

If you have an on-demand scanner which is scheduled to automatically scan, regardless of your real-time protection from your existing Anti-Virus, you'll give the other vendor a chance to shine its technology onto your system and see if it can pick up any threats which your existing and main Anti-Virus product (in which real-time protection is from) did not pick up.

You should never rely on one security software alone; there are thousands of new malware samples released out into the wild every week, and it's simply impossible for one vendor to stay up to date with them all (note that they have to manually hunt down the samples unless the samples are sent to them in sample submissions, and it also takes time for them to analyse the samples to determine the information for the database updates). Each company's products can react differently depending on the situation, and have different strengths (one product may be very good at detecting threats based on heuristics or have very good signature updates, however the other product may not be so good with detection but amazing at cleaning infections which are detected). It's always best to use multiple products to get second opinions. With that being said, I do not recommend using more than one product for real-time protection unless it's necessary (and if you do use another product alongside your existing Anti-Virus for real-time protection, I recommend it be Anti-Malware, since they are designed to be compatible and run alongside existing Anti-Virus software).

If you are considering on-demand scanning, I recommend using two alongside your existing and main Anti-Virus/Internet Security software. This will help ensure detection of threats which your main security solution failed to detect. The two scanners I recommend would be: Malwarebytes Anti-Malware (free) and HitmanPro. You do not need the professional version of Malwarebytes; this includes real-time protection which isn't required, the on-demand scanner is free and more than enough. HitmanPro is paid (trial available and scanning is free, for removal it will require the license) - however it incorporates both the Bitdefender and Kaspersky engine to help with detection. They are very popular products, and have proven to be effective with detecting and cleaning existing infections.

NOTE: Anti-Malware security software is designed to be compatible and to be run alongside your existing security software, and to detect threats your main Anti-Virus may miss. Using multiple Anti-Virus software may do more harm than good, since they aren't specifically designed to be compatible and can result in locking up your system or interfering with each other, preventing one from working properly. Make sure to use Anti-Malware software alongside your existing Anti-Virus product, NOT multiple Anti-Virus software. Below I have made a list of different Anti-Malware software:


False Positive detections are always possible. Just because your Anti-Virus/other scanners detect an object does not necessarily mean that it's really malware - it could always be a mistaken detection. This is usually due to "generic detection" (explained at the end of this post). However, that does not mean you should ignore detections, since that can be a very risky way of dealing with things. Should you ever be unsure of a detection, consult an expert who really knows what they are doing.

---------------------------------------------------------------------------
Before I end this post, I will quickly brush up on some theory on signatures and heuristics (since I've mentioned them previously in this post and some people may not know what I am even talking about):

Every single file has something known as a "hash checksum". There are different types of hashes; some common ones are MD5, SHA-1 and SHA-256. MD5 is less secure than SHA-1 and SHA-256; SHA-256 is mostly favoured in the Anti-Virus industry for signatures when it comes to checksum detection. The way this sort of detection works is by using a database full of these hashes. When the Anti-Virus product scans the file, it will obtain its checksum hash and compare it to the hashes in the database. If a match is found, then a detection is made since it would be seen as a threat. These sorts of databases require the company to have analysts manually add the hashes and send out updates - this usually means that the company has a team of analysts who perform analysis on the files they hunt down, and if they are found to be malicious then they add the hash to the database and send out an update which the end-user will receive automatically (usually).

Other types of signature detection can include HEX scanning. This is much different from hash checksum scanning - this allows the product to detect threats based on the actual contents of the file. For example, if there was malicious software which had a specific pattern inside of it (for the purpose of this post, let's say the pattern was "hello_i_am_a_virus"), it means any other file with the same pattern can be detected as a threat. This can cause false positive detections; however, it's very widely used and is known as "generic detection". It allows millions of threats to be detected which haven't even been seen by the companies/wild yet, keeping millions of people protected from zero-day threats. However, it can be evaded by more advanced malware with techniques such as packing/obfuscation or through manual modification of the bytes in the malware samples by the malware writers. Generic detection can actually be counted as "heuristics"; however, it also works with a database. The HEX patterns are built up and calculated based on the bytes inside of the actual file.

Other heuristic methods of detecting malware could include scanning which libraries and functions are imported in the PE (Portable Executable) to determine what actions the program may carry out, the entropy level (to determine whether it's packed or not) and checking the PE header.

I am aware I went a bit off topic from on-demand scanners and moved into some other things (I did try to keep it short for this post); if you are interested and would like to learn more or have any questions, feel free to let me know and I'll happily answer as best I can.

Hopefully this helped,
Cheers.