
Scheduled Scan: Necessary?

I have a question - hope someone can answer and help clarify this:

How can Sophos' scheduled scan detect threats that are not detected/remediated by the realtime protection? In other words, why would someone turn on the scheduled scan feature if they already have realtime scanning set up?  If a threat signature gets added after a rogue application gets installed, realtime protection would identify it when the application is run (after the signature update) anyway. Are there any use cases from Sophos or from the enterprise endpoint security users related to this?

Thanks in advance.

  • Here are some points of interest concerning your question.

    1. Definition protection alone will not catch many threats nowadays (this protection is real-time, On-Access).
    2. HIPS protection will catch 85% or more of the threats that definition protection misses (this protection is real-time, On-Access).
    3. Malware today may install and run, placing rootkits and backdoors on a system while getting around both of the above levels of protection. Examples of malware that gets installed where Sophos' definition protection alone sees only part of it can be found in scareware like FakeAV.
    4. Having a scheduled scan provides endpoint health checks should something come through the real-time protection. If something does get in and Sophos later knows how to see it, a scheduled scan in many cases will pick up parts of what happened. This is because many malware writers do not spend time cleaning up after themselves. These parts found will not be in active memory, so real-time protection would not know about them. But once they are found you are alerted to what has happened on the endpoint and you can investigate the issue. This is equally true of file shares on servers.

    I hope that this helps,

    Thanks,

    VCU 
