Educause Security Discussion mailing list archives
Re: AV - Full scans or On Access Scans
From: "King, Ronald A." <raking () NSU EDU>
Date: Fri, 11 Apr 2008 15:20:42 -0400
Request: We are currently evaluating Sophos and Symantec Endpoint Protection. Has anyone performed such a comparison or used either? I would like to hear your take/opinion and maybe those "gotchas" that creep up during deployment. If you don't mind, please direct those directly to me.

Thank you,

Ronald King
Security Engineer
Norfolk State University
Marie V. McDemmond Center for Applied Research
Suite 401
700 Park Ave.
Norfolk, Virginia 23504
Phone: 757-823-3918
Email: raking () nsu edu
http://security.nsu.edu

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Jenkins, Matthew
Sent: Thursday, April 10, 2008 8:48 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] AV - Full scans or On Access Scans

What if a machine could be hibernated, restarted with the lightweight OS, scanned, and then brought back out of hibernate mode? I suppose you would still have to worry about network and/or computing activity being interrupted during that time, especially for servers.

Matt

Matthew Jenkins
Network/Server Administrator
Fairmont State University
Visit us online at www.fairmontstate.edu

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Jimmy Kuo
Sent: Thursday, April 10, 2008 6:16 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] AV - Full scans or On Access Scans

Offline scanning should only be done on an on-demand basis. Someone at the machine must OK the action. One does not do a 2 o'clock reboot of a machine to be yelled at that a document they were working on was not saved, or that it was saved and overwrote the valid manuscript when it was not meant to be. So, then it becomes a management nightmare to have to go around to each machine to validate/OK the reboot.

Jimmy

----- Original Message -----
From: "Di Fabio, Andrea" <adifabio () NSU EDU>
To: <SECURITY () LISTSERV EDUCAUSE EDU>
Sent: Thursday, April 10, 2008 12:38 PM
Subject: Re: [SECURITY] AV - Full scans or On Access Scans

Great thread. Has anyone talked to AV vendors about offline scanning? Newest threats such as rootkits and VM based malware are getting increasingly difficult to detect while the OS is running. I have been asking different AV companies about their plans to implement offline scanning where a PC would reboot, load a lightweight OS over PXE, complete a scan and then reboot from its local disk. So far, I have been unable to spark such interest in the AV companies. IMHO, automating and scheduling such a process is something that AV companies should start looking at. Also, given the fact that more and more datacenters are deploying VMs as part of consolidation and green initiatives, a solution that could scan a VM image would also be beneficial.

Andrea Di Fabio
Information Security Officer
High Performance Computing Technology Coordinator
Norfolk State University
Office of Information Technology
Marie V. McDemmond Center for Applied Research, Rm 401F
555 Park Avenue, Suite 401
Norfolk, Virginia 23504
757-823-2896 Office
757-823-2128 Fax

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Valdis Kletnieks
Sent: Thursday, April 10, 2008 2:51 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] AV - Full scans or On Access Scans

On Wed, 09 Apr 2008 15:58:25 EDT, "David A. Batastini" said:
> I'm trying to get the pulse of what other educational institutions are doing when it comes to managing AV scans on endpoints. Do you schedule full system scans or do you rely on the "on Access" scans to detect malware? If you run full system scans: how often, and what time are they set to run? If you do not run full system scans, how do you mitigate the security risk of new malware (malware that AV did not detect during the initial on access scan)?

"An interesting game - the only way to win is not to play" -- War Games

If merely checking for "Have I been hacked already?" is itself taking enough resources to cause problems, perhaps you're starting off with the wrong computing platform. There *are* options... Just sayin'. :)