On access scan performance question: reading or writing?

  • Thread starter: Paul De Bie

Paul De Bie

Hi all,

Using McAfee Enterprise 7.1 to protect our file servers.
Actually on access scanning is set to scan for viruses on reading and
writing files (only default file extensions; the "dangerous" files such as
dll, exe, ...)
I am considering switching it off for the reading, because this results in
the same files being scanned thousands of times a day.
I was thinking that a virus can only infect files when writing. So why not
only scan when writing? It would improve performance a lot.
What do you think? What are the risks?

TIA
--

Paul De Bie

Some Scientists claim that hydrogen, because it is so plentiful, is the
basic building block of the
universe. I dispute that. I say there is more stupidity than hydrogen, and
that is the basic
building block of the universe. (Frank Zappa)
 
Paul said:
Hi all,

Using McAfee Enterprise 7.1 to protect our file servers.
Actually on access scanning is set to scan for viruses on reading and
writing files (only default file extensions; the "dangerous" files such as
dll, exe, ...)
I am considering switching it off for the reading, because this results in
the same files being scanned thousands of times a day.
I was thinking that a virus can only infect files when writing. So why not
only scan when writing? It would improve performance a lot.
What do you think? What are the risks?

There is a "walkthrough guide" available online that should give you
some ideas regarding this and some other good info regarding VS7/7.1.
See http://www.networkassociates.com/us/products/mcafee/product_lit.htm
(VirusScan Enterprise 7.0 - A Technical Walkthrough).

Basically, it depends on how much risk you are prepared to accept. Are
you sure that you will have updated defs on your machines before you get
them infected with something? How often do you do on-demand scans across
your servers? What happens when you access an infected file on a remote
machine that is infected and doesn't have up-to-date protection?

I thought 7.0 used caching so that once a file is scanned, it doesn't
get scanned again, unless it changes or the defs are updated (not
entirely sure about this though, it might only be for on-demand scans or
something). You can also use "Low risk" processes and put certain
processes into it that are low risk...
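
An added example, not part of the original posts and not McAfee's implementation: a toy model of the caching idea and the "updated defs" question raised in the reply above. The class, the path, the sample bytes and the use of a content hash as both signature and cache key are assumptions made for illustration.

```python
import hashlib

SAMPLE = b"constructed stand-in for a not-yet-detected executable"

class OnAccessScanner:
    """Toy on-access scanner; a signature is the SHA-256 of known-bad content."""
    def __init__(self, scan_on_read, scan_on_write):
        self.scan_on_read, self.scan_on_write = scan_on_read, scan_on_write
        self.defs_version = 1
        self.signatures = set()
        self.cache = {}   # path -> (digest, defs version) last judged clean
        self.scans = 0    # full scans actually performed
        self.files = {}   # path -> bytes, stand-in for the file server

    def update_defs(self, digest):
        self.signatures.add(digest)
        self.defs_version += 1   # entries cached under older defs stop matching

    def _scan(self, path, data):
        # Simplification: a real cache would key on file metadata, not a rehash.
        digest = hashlib.sha256(data).hexdigest()
        if self.cache.get(path) == (digest, self.defs_version):
            return True          # unchanged file, same defs: no rescan
        self.scans += 1
        if digest in self.signatures:
            self.cache.pop(path, None)
            return False
        self.cache[path] = (digest, self.defs_version)
        return True

    def write(self, path, data):
        if self.scan_on_write and not self._scan(path, data):
            return False         # write blocked
        self.files[path] = data
        return True

    def read(self, path):
        data = self.files[path]
        if self.scan_on_read and not self._scan(path, data):
            return None          # read (and so execution) blocked
        return data

def simulate(scan_on_read, reads=1000):
    """File lands before its signature exists; return (blocked later, scans)."""
    s = OnAccessScanner(scan_on_read=scan_on_read, scan_on_write=True)
    s.write("share/tool.exe", SAMPLE)   # passes: no signature yet
    for _ in range(reads):
        s.read("share/tool.exe")
    s.update_defs(hashlib.sha256(SAMPLE).hexdigest())
    return s.read("share/tool.exe") is None, s.scans
```

With the cache, a thousand reads of an unchanged file cost no extra scans, while a write-only configuration never re-examines a file that was written before its signature arrived.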
 
Hi,

thanks for your ideas.
Meanwhile I found what I was looking for in some knowledgebase document from
NAI.

They recommend to scan on reading too, because "reading" means also
"executing" a file.
So if you scan on "reading", and you launch an exe or dll that contains a
virus, the virus will be intercepted immediately and it can't do any of its
work.

But if you scan only on writing, the virus will execute, and immediately
try to perform its payload: infecting files, changing the registry, spread
around network shares and so on. Of course, your antivirus will intercept all
that activity because it will almost always be some "writing", but this
could very well be a whole series of antivirus-alarms and events that you
have to deal with.

In fact, I should try it out on a standalone PC once, just to see what
happens <g>

Paul
 
Paul said:
But if you scan only on writing, the virus will execute, and immediately
try to perform its payload: infecting files, changing the registry, spread
around network shares and so on. Of course, your antivirus will intercept all
that activity because it will almost always be some "writing", but this
could very well be a whole series of antivirus-alarms and events that you
have to deal with.

No, it will not intercept all of that activity, only when the virus
tries to replicate itself (and the pattern the av-scanner recognizes)
into other files.
 