On-Access scanning
eezee
(Msg. 1) Posted: Thu Mar 17, 2005 4:26 pm
Post subject: On-Access scanning
Archived from groups: alt.comp.anti-virus

We are in the process of deploying an FTP server and I have
been asked to look into this issue.

We need to know that if someone deposits a file with a virus
on our system, using either FTP or a local copy, that our McAfee
virus scanner will pick it up _before_ it is possible for any other
process (e.g. FTP) to even see the file.

I know that 'on-access' means that the scan is triggered by the
disk driver operations, but the question is which ones, and can
we guarantee that we won't have a partially scanned file on our
system that could be seen by another process before the on-access
scan is complete.


Hope this makes sense, and thanks for your help.

David W. Hodgins
(Msg. 2) Posted: Thu Mar 17, 2005 8:52 pm
Post subject: Re: On-Access scanning

On Thu, 17 Mar 2005 11:26:02 -0500, eezee <not RemoveThis @home.now> wrote:

> We are in the process of deploying an FTP server and I have
> been asked to look into this issue.
> I know that 'on-access' means that the scan is triggered by the
> disk driver operations, but the question is which ones, and can
> we guarantee that we won't have a partially scanned file on our
> system that could be seen by another process before the on-access
> scan is complete.

On-access scanning usually only scans existing files that are being
opened for read or read-write access. To prevent the creation of
an infected file, some scanners have "on close" scanning, to
auto-delete an infected file that has just been created.

The problem you're most likely to encounter with an on-access
scanner is the FTP server hanging when it tries to access an
infected file and is prevented by the AV software.

What is appropriate depends a lot on who will have upload access,
and the download audience.

If untrusted users will have upload access, I recommend having all
uploaded files put into a directory that is not accessible for download,
with a script that runs the av scanner on demand, before moving the
file to a directory accessible for download. Don't forget about the
day 0 problem, where a new virus is not recognized by the scanner.
Periodic scanning of the download directory should be used to remove
newly detectable viruses.

Regards, Dave Hodgins

--
Change nomail.afraid.org to rogers.com to reply by email.
(nomail.afraid.org has been set up specifically for
use in usenet. Feel free to use it yourself.)
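
The scan-then-promote workflow recommended in the reply above, as an added example that is not part of the original thread. The function names, the directory arguments and the use of ClamAV's `clamscan` as the on-demand scanner are assumptions; substitute the CLI scanner of the AV product in use.

```python
import shutil
import subprocess
import time
from pathlib import Path

# Assumption: any on-demand scanner CLI that takes a file path and exits 0
# only for a clean file. ClamAV's clamscan is a stand-in, not from the thread.
SCANNER_CMD = ["clamscan", "--no-summary"]

def cli_scan(path):
    """True only if the scanner ran and reported clean (fail closed)."""
    try:
        done = subprocess.run(SCANNER_CMD + [str(path)], timeout=300)
        return done.returncode == 0
    except (OSError, subprocess.TimeoutExpired):
        return False

def _fingerprint(path):
    st = path.stat()
    return (st.st_size, st.st_mtime_ns)

def promote_uploads(incoming, public, quarantine, scan=cli_scan, settle_secs=60):
    """Scan settled files in the non-downloadable incoming directory; move clean
    ones to public and everything not reported clean to quarantine."""
    moved = {"promoted": [], "quarantined": [], "skipped": []}
    for f in sorted(Path(incoming).iterdir()):
        if f.is_symlink() or not f.is_file():
            continue  # regular files only
        before = _fingerprint(f)
        if time.time() - before[1] / 1e9 < settle_secs:
            moved["skipped"].append(f.name)  # upload may still be in progress
            continue
        clean = scan(f)
        if _fingerprint(f) != before:
            moved["skipped"].append(f.name)  # changed during the scan: retry later
            continue
        dest, key = (public, "promoted") if clean else (quarantine, "quarantined")
        shutil.move(str(f), str(Path(dest) / f.name))
        moved[key].append(f.name)
    return moved

def rescan_public(public, quarantine, scan=cli_scan):
    """Periodic pass: pull files that updated signatures now detect."""
    pulled = []
    for f in sorted(Path(public).iterdir()):
        if f.is_file() and not f.is_symlink() and not scan(f):
            shutil.move(str(f), str(Path(quarantine) / f.name))
            pulled.append(f.name)
    return pulled
```

Run both functions from a scheduler, and keep the three directories on one filesystem so each move is a rename rather than a copy that a download could catch half-written.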

eezee
(Msg. 3) Posted: Fri Mar 18, 2005 11:58 am
Post subject: Re: On-Access scanning

"David W. Hodgins" <dhodgins.RemoveThis@nomail.afraid.org> wrote in message
news:op.sns8t9vqp486h8@localhost...
> If untrusted users will have upload access, I recommend having all
> uploaded files put into a directory that is not accessible for download,
> with a script that runs the av scanner on demand, before moving the
> file to a directory accessible for download. Don't forget about the
> day 0 problem, where a new virus is not recognized by the scanner.
> Periodic scanning of the download directory should be used to remove
> newly detectable viruses.

This is pretty close to what I have been thinking about. We will have
separate 'get' and 'put' folders. I wasn't sure if I would need to run a
'manual' scan on the files, or if I could just rely on 'On-Access' to do
everything for me.

Maybe I'll design it in as an option.