Scheduled Scan: Necessary?

I have a question - hope someone can answer and help clarify this:

How can Sophos' scheduled scan detect threats that are not detected/remediated by the real-time protection? In other words, why would someone turn on the scheduled scan feature if they already have real-time scanning set up? If a threat signature gets added after a rogue application gets installed, real-time protection would identify it when the application is run (after the signature update) anyway. Are there any use cases from Sophos or from the enterprise endpoint security users related to this?

Thanks in advance.

  • Here are some points of interest concerning your question.

    1. Definition protection alone will not catch many threats nowadays (this protection is real-time, on-access).
    2. HIPS protection will catch 85% or more of the threats that definition protection misses (this protection is real-time, on-access).
    3. Malware today may install and run, placing rootkits and back doors on a system while getting around both of the above levels of protection. Examples of malware that gets installed where Sophos' definition protection alone sees only part of it can be found in scareware like FakeAV.
    4. Having a scheduled scan provides endpoint health checks should something come through the real-time protection. If something does get in and Sophos later knows how to see it, a scheduled scan in many cases will pick up parts of what happened. This is because many malware writers do not spend time cleaning up after themselves. These parts found will not be in active memory, so real-time protection would not know about them. But once they are found, you are alerted to what has happened on the endpoint and can investigate the issue. This is equally true of file shares on servers.

    I hope that this helps,

    Thanks,

    VCU

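    To make point 4 concrete, here is a small added simulation (not Sophos code and not part of the original post; the file names, hashes and timeline are constructed) of why a component that is never opened again after a signature update stays invisible to on-access scanning but is picked up by a scheduled sweep:

```python
"""Toy model of real-time (on-access) scanning versus a scheduled full sweep.

Added illustration for the thread above; models no real product.
File paths, content hashes and the timeline are constructed.
"""
from dataclasses import dataclass, field


@dataclass
class Endpoint:
    files: dict                                   # path -> content hash
    signatures: set = field(default_factory=set)  # known-bad hashes
    alerts: list = field(default_factory=list)    # (scanner, path) pairs

    def on_access(self, path):
        """Real-time scan: runs only when a file is opened or executed."""
        if self.files[path] in self.signatures:
            self.alerts.append(("on-access", path))
            del self.files[path]                  # quarantine on detection
            return True
        return False

    def scheduled_scan(self):
        """Full sweep: checks every file on disk regardless of activity."""
        found = sorted(p for p, h in self.files.items() if h in self.signatures)
        for path in found:
            self.alerts.append(("scheduled", path))
            del self.files[path]
        return found


def run_scenario():
    ep = Endpoint(files={})
    # Day 0: a dropper runs, installs a payload and leaves a component behind.
    ep.files["C:/Temp/setup.exe"] = "h_dropper"
    ep.files["C:/Windows/svc.dll"] = "h_payload"
    ep.files["C:/Temp/leftover.tmp"] = "h_leftover"   # never touched again
    ran_unnoticed = not ep.on_access("C:/Temp/setup.exe")  # no signature yet
    # Day 1: signature update now covers all three components.
    ep.signatures |= {"h_dropper", "h_payload", "h_leftover"}
    # Day 1: the payload is executed again, so on-access scanning catches it.
    caught_realtime = ep.on_access("C:/Windows/svc.dll")
    # The dropper and leftover are dormant: nothing ever opens them, so the
    # real-time scanner has no trigger even though it now knows the hashes.
    # Day 2: the scheduled sweep finds the dormant remnants of the incident.
    dormant_found = ep.scheduled_scan()
    return ran_unnoticed, caught_realtime, dormant_found
```

    The remnants the sweep reports are exactly the evidence of "what happened" that the post describes: not running, but still telling you the endpoint was compromised.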
  • Thanks for your insight into this. It is true that the remnants of infection can potentially be detected and cleaned up by a scheduled scan. However, if they are unable to run in memory or take actions to perform anything malicious (or non-malicious for that matter), those files are nothing more than passive placeholders taking up a few KB of disk space. Forensically, there are possible benefits, as they can be used for investigative purposes etc.; but as a preventative control, does this really offer much value?

    I'm personally in favor of this; however, I'm trying to come up with "enough" technical reasons and arguments to support this -- with a goal to eventually convince the management!!

  • Today's malware is more about getting money than causing issues. If a rootkit to collect data has passed through the real-time definition or HIPS protection, you may become aware of it through the scheduled scan reporting items found on the computer. The clean-up process for the items found may show they are used to load other items or are related to rootkits you have seen in other places. I have seen this happen before: alerts came in of real-time blocking of malware attacks that research showed were trying to install data-collecting rootkits. Parts of the same malware were found later in scheduled scans, and when deeper research was done on those systems using rootkit removal tools, there were rootkits found on the systems.

    Many threats today are coming straight through the Internet with rootkit technology included in them. Sophos has added rootkit scanning to their default scan settings, but one would still need to include it in a scheduled scan manually.

    One such malware is this:

    http://www.sophos.com/security/analyses/viruses-and-spyware/trojtdl3mema.html

  • Thanks again for your input. I in fact have some additional questions regarding the Enterprise Console features -- will post them on a separate thread.