February 7th, 2012, 05:11 AM
Scanning with Change/Modified and/or Retrieved setting?
Will someone help me to clarify the difference between an AV client's behavior when it comes to the way a scan of a file is introduced.
I and a colleague have a hefty discussion about how to define what is what.
Trend Micro uses the terminology “Change/Modified” and “Change/Modified and Retrieved” when it comes to Real Time Scanning of a computer.
My definition of the terminology is that when a computer has a setting with both “Change/Modified” and “Retrieved” it scans in both directions. That is, it scans a file that is written to disk (change/modify) as well as when it is read from disk (retrieved).
My colleague won’t agree on the latter part. He promptly says that the file has to be opened before a scan takes place (like it has been opened in a text editor, for example) on the scanned computer. I say that it only has to be read from disk (like copied to another place). To be honest, it won’t matter because it’s the same thing, I believe.
My opinion is that there is no difference between read and open. It’s the same thing. If one copies or reads a file from a file server to a client, it reads the file from the server and writes or displays it on the client. If the settings on the server are “Change/Modified and Retrieved”, the file will be scanned on the server because the file is opened for read to the client.
If the client has the same setting it also will be scanned when and if it writes on the client’s disk because that involves a “Change/Modify”.
My conclusion is that on a server with a lot of read sessions all the time, it will be a considerable overhead to have both write and read scans enabled concurrently. In such a case I recommend having only write (change/modify) scanning activated, and for read scanning (retrieve) I would prefer to schedule such a scan on nights on weekends.
Am I right in all the above or am I wrong?
That is one of the differences. The other is that some anti-virus programs (I know that Trend can do this) can offload the actual scanning of the files to the server so that the client doesn't have to do the work. This is good if you have a really high-powered anti-virus server and a lot of older, slow workstations, so that they aren't affected by the CPU resources needed to scan the files.