Downloaded Files

The on-access scanner really seems like overkill for my needs.  For example, why do I need to scan a bunch of files I access every day?  I really only want to scan files that I download.  Is there a way to scan ONLY a single folder, like Downloaded, and exclude the rest of my Mac?

Additionally, Custom Scans work fine, but I can't find any kind of scheduling feature.  I would rather scans run in the middle of the night, while no one is using the computer to notice any slowdown.  How do I set this up?

Thanks!

  • Hello rmgraci,

    you can neither exclude everything but (although you could write exclusions for everything else) nor specify only include. "Downloaded" content can "pass through" and end up in various places. Why do I need to scan a bunch of files I access every day? A drive-by attack could alter files without you downloading anything. More likely some not-yet-detected downloaded threat could download to and make alterations in various places. As attacks are often layered, the additional stuff might already be known as malicious. Admittedly a custom scan will find it - but only later and perhaps too late.

    There's an old short thread about scheduling scans here.

    HTH

    Christian

  • There's also another thread (don't remember the link right now, but a quick search should find it) where I address this exact issue, and show how to use AppleScript and folder actions to auto-scan the download folder only when new items show up in it.  The same script can be applied against your mail folder, and anywhere else where new files would show up.

    Also worth noting that on-access caches results -- so theoretically, if nothing has changed with a file when you're accessing it, it won't be re-scanned; only changed accessed files should be re-scanned.

  • Setting up a crontab is easy enough, and a folder action is a good idea.  I'm curious then - what happens when I turn off the On-Access Scanning?  I imagine that On-Access Scanning works via some kind of kernel hook that activates when a file is accessed.  If the On-Access Scanning is turned off, then is the hook uninstalled / disabled completely (as if Sophos was not there), or is it still running some code every time a file is opened (and then checking a config param, and deciding not to run the scanner)?

    Additionally, is there any kind of performance information available on speed of the on-access scanner?  I'd like to know the difference between fopen performance in the following scenarios:

    * scanner used

    * scanner turned off

    * Sophos not installed at all

    I would guess you guys are running these kinds of tests now; what're the results like?

    Thanks!

  • I'll leave it up to other forum users to provide unbiased results of the scanner tests, but I'll provide some feedback on the other questions :)

    The on-access scanning "hook" is actually a "subscription" to kernel broadcasts -- as such, the OS is handling the information dispatch, not the AV software.  As a result, there should be no performance change as a result of having this installed or not (things happen, so I can't guarantee this in all cases).  With on-access disabled, the link to the dispatch is broken, so no additional code should be run -- but the software itself is still installed and loaded.  On-access also does intelligent caching, so if a file has not changed since the last on-access scan, the first thing checked when the scanner receives a file activity notification is whether the file has changed state; and if it hasn't, it won't re-scan.

    So, the short answer is: you will still have on-access code loaded at system boot and user login, but the on-access portion should be completely dormant.

    Please share your results between fopen performance in the scenarios listed, including OS, hardware specs, SAV product and engine version -- and hopefully others will share theirs as well.

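An added example (not code from this thread or from Sophos) of the crontab/folder-script idea suggested above: it scans only the files in one folder, such as ~/Downloads, that are new or changed since the last run, skipping unchanged files in the same spirit as the on-access cache described in the last reply. It assumes the command-line scanner is Sophos's `sweep` (the thread does not name one); set SCANNER to whatever your install provides.

```shell
#!/bin/sh
# Added example, not code from the thread or from Sophos: scan only the files
# in one folder (e.g. ~/Downloads) that are new or changed since the last run,
# so it can be driven from cron at night. Like the on-access cache described
# in the thread, an unchanged file is not re-scanned. ASSUMPTION: the CLI
# scanner is Sophos's `sweep`; override SCANNER if yours differs.
SCANNER="${SCANNER:-sweep}"
STATE_DIR="${STATE_DIR:-$HOME/.local/state/folder-scan}"

# One line per regular file: "<cksum> <size> <path>" (POSIX cksum, so the same
# on macOS and Linux). "-exec ... +" runs nothing when the folder is empty.
manifest() {
    find "$1" -type f -exec cksum {} + 2>/dev/null
}

# Print the paths whose checksum/size line is not in the saved manifest $2,
# i.e. files added or modified since that manifest was written.
changed_files() {
    if [ -s "$2" ]; then
        manifest "$1" | grep -vxF -f "$2" | cut -d' ' -f3-
    else
        manifest "$1" | cut -d' ' -f3-      # first run: everything is new
    fi
}

# Scan every new/changed file in folder $1 and, only if the scanner reported
# all of them clean (exit 0), save the manifest so they are skipped next time.
# A non-zero scanner exit leaves the old manifest in place, so the file is
# scanned again on the next run rather than silently remembered as clean.
scan_folder() {
    rc=0
    changed_files "$1" "$2" | while IFS= read -r f; do
        "$SCANNER" "$f" || exit 1        # ends the pipeline subshell
    done || rc=1
    [ "$rc" -eq 0 ] && manifest "$1" > "$2"
    return "$rc"
}

# Usage from cron (03:00 daily):  0 3 * * * /path/scan-folder.sh "$HOME/Downloads"
if [ -n "${1:-}" ]; then
    mkdir -p "$STATE_DIR"
    scan_folder "$1" "$STATE_DIR/$(printf '%s' "$1" | tr '/' '_').manifest"
fi
```

The manifest compares checksum and size, so a file that was merely opened (or touched) is not re-scanned, while one whose contents changed is.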