Endpoint Protection

  • 1.  Auto-Protect vs. Full Scan: Differences?

    Posted Sep 09, 2010 01:57 PM
    Is there a difference between what Auto-Protect looks for and what a regular Full Scan looks for in terms of threats? Like if SEP has 1,000,000 virus signatures, then do Auto-Protect and Full Scan always do their work based on these 1,000,000 signatures, or is Auto-Protect less functional?

    I imagine Auto-Protect should catch anything a Full Scan would, the only difference being that Auto-Protect only scans stuff that is active in memory + some common system areas on disk and Full Scan just scans everything, period. But is that the only difference?


  • 2.  RE: Auto-Protect vs. Full Scan: Differences?
    Best Answer

    Posted Sep 09, 2010 02:15 PM
    Signatures are the same for all types of scans, even for other Symantec products.

    Auto-Protect: Scans whenever a file is accessed or modified in memory, in real time.

    Full Scan: Will scan each file, starting from A to Z. It's not real time; it's manual or scheduled.



  • 3.  RE: Auto-Protect vs. Full Scan: Differences?

    Posted Sep 09, 2010 02:17 PM
    Hi,

    Auto-Protect scans all the system calls for accessing files and processes.

    Autoprotect is the real time AV protection provided by SEP.

    Since the Symantec AV engine can intercept all system-level calls due to the injected DLLs in the kernel, every activity is monitored by the real-time protection engine.

    It has a database of virus signatures. Whenever it is scanning a file, it looks for the presence of that particular string of virus code in that file.

    If a match is found, then it checks the policies to determine the action that needs to be taken on that threat.

    Regards,
    Aniket


  • 4.  RE: Auto-Protect vs. Full Scan: Differences?

    Posted Sep 09, 2010 02:19 PM
    Full scan will scan all the files in your machine. It will not be dependent on which file is being accessed or modified. It is going to scan all files against the database of the virus signatures. Hence it takes more time and processing power than Auto-Protect.

    It will check your RAM as well. There is one more scan, called a DefWatch scan.

    Whenever the SEP client receives new definitions, it can perform a scan. It will scan the files in the quarantine zone to see if any of the files can be repaired with the help of the new definitions.

    Aniket


  • 5.  RE: Auto-Protect vs. Full Scan: Differences?

    Posted Sep 10, 2010 10:31 AM

    Auto-Protect is the first line of defense against threats by providing real-time protection for your computer. Whenever you access, copy, save, move, open or close a file, Auto-Protect scans the file to ensure that a threat has not attached itself. By default, it loads when you start your computer to guard against threats and security risks. It also monitors your computer for any activity that might indicate the presence of a threat or security risk. Auto-Protect can determine a file's type even when a threat changes the file's extension.

    Note: Auto-Protect does not function on Linux platforms; you must run a manual scan on those machines to detect threats.

    Example: A threat changes a file's extension to one that is different from what you configured Auto-Protect to scan. When a threat, threat-like activity (an event that could be the work of a threat), or a security risk is detected, Auto-Protect alerts and takes the necessary steps to either clean, quarantine, delete or leave alone (log only) the detection of a threat depending upon the Actions configured for each detection type.


    Types of Auto-Protect:

    1. File System Auto-Protect: File System Auto-Protect is a type of ongoing or background scan that provides real-time protection for files on your computer. Whenever you access, copy, save, move, open, or close a file, Auto-Protect scans it to ensure that a threat or security risk is not present.
    2. Internet Email Auto-Protect: Internet Email Auto-Protect is a type of ongoing or background scan. This scan will check incoming as well as outgoing email. It provides real-time protection against attachments to internet email. Internet Email Auto-Protect supports encrypted passwords and email over POP3 and SMTP connections. If you use POP3 or SMTP with Secure Sockets Layer (SSL), then Auto-Protect detects secure connections but does not scan encrypted messages. Even though Auto-Protect does not scan the email that uses secure connections, it will continue to protect computers from risks in attachments. It scans email attachments when you save the attachment to the hard drive. If you use an email client other than Outlook or Outlook Express, it is recommended to have this enabled.
    3. Notes Auto-Protect: Lotus Notes Auto-Protect is a type of ongoing or background scan. This type of Auto-Protect provides real-time protection against attachments to Lotus Notes email. This scan gives Lotus Notes users additional protection from threats sent by email. If you use Lotus Notes, it is recommended to have this enabled.
    4. Outlook Auto-Protect: Outlook Auto-Protect is a type of ongoing or background scan. This scan gives Outlook and Outlook Express users additional protection from threats sent by email. If you use Outlook or Outlook Express, it is recommended to have this enabled.


    How does Auto-Protect Mitigate Threats?

    1. Clean risk: Auto Protect tries to clean the infected file when a threat is found.
    2. Quarantine risk: It tries to move the infected file into Quarantine on the infected computer as soon as it is detected. When a file is in Quarantine, you cannot execute it until you move the file back to its original location.
    3. Delete risk: Tries to delete the file. Use this option only if you can replace the infected file with a threat-free backup copy. After the file is permanently deleted, you cannot recover it from the Recycle Bin. If Auto-Protect cannot delete the file, detailed information about the action appears in the Notification dialog box and the client Event Log.
    4. Leave alone (log only): Denies any access to the file, displays a notification, and logs the event. Use this option to take manual control of how Auto-Protect handles a threat.
    Whereas,


    Full system scans are the antivirus and antispyware scans that detect known viruses and security risks. For the most complete protection, you should schedule occasional scans for your client computers. Unlike Auto-Protect, which scans files and email as they are read to and from the computer, Full system scans detect viruses and security risks.

    A Full system scan detects viruses and security risks by examining all files and processes (or a subset of files and processes). A Full system scan can also scan memory and load points.

    A Full system scan does these...


    1. Scans the system memory and all the common virus and security risk locations. 
    2. Scans the entire computer for viruses and security risks, including the boot sector and system memory.
    I think this explanation would be good. If you need some, just let me know.

    Thanks,
    Narendran K
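
Added example, not part of any post in this thread and not Symantec code: a toy Python model of the point made in the replies above, where one signature database backs both an on-access check (one file, at open time) and an on-demand full scan (every file under a root). The signature name, byte pattern, file names and function names are all constructed for illustration.

```python
import os
import tempfile

# Constructed toy signature database (not real definitions): name -> byte pattern.
SIGNATURES = {"Toy.TestSig.A": b"TOY-MALWARE-PATTERN-0001"}

def match_signatures(data):
    """Return the names of all signatures whose byte string occurs in data."""
    return [name for name, pattern in SIGNATURES.items() if pattern in data]

def scan_file(path):
    """Content-based check: the file extension is never consulted."""
    with open(path, "rb") as fh:
        return match_signatures(fh.read())

def guarded_open(path, mode="rb"):
    """On-access scan: checks only the file being opened and blocks on a match."""
    found = scan_file(path)
    if found:
        raise PermissionError(f"blocked {path}: {found}")
    return open(path, mode)

def full_scan(root):
    """On-demand scan: walks every file under root, whether or not it is in use."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            found = scan_file(path)
            if found:
                hits[path] = found
    return hits

def demo():
    with tempfile.TemporaryDirectory() as root:
        clean = os.path.join(root, "notes.txt")
        dormant = os.path.join(root, "dormant.jpg")  # misleading extension
        with open(clean, "wb") as fh:
            fh.write(b"hello")
        with open(dormant, "wb") as fh:
            fh.write(b"\xff\xd8" + SIGNATURES["Toy.TestSig.A"])
        with guarded_open(clean) as fh:  # only the touched file is checked
            fh.read()
        on_demand = full_scan(root)  # finds the file nobody has opened yet
        try:
            guarded_open(dormant).close()
            blocked = False
        except PermissionError:
            blocked = True  # same signature fires once the file is accessed
        return sorted(os.path.basename(p) for p in on_demand), blocked
```

In this model the two scan types differ only in what triggers them and how many files they cover; the matching step is shared.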




     


  • 6.  RE: Auto-Protect vs. Full Scan: Differences?

    Posted Sep 13, 2010 10:36 PM

    I would like to know whether Full scan is executed under user privilege or system administrator privilege.



  • 7.  RE: Auto-Protect vs. Full Scan: Differences?

    Posted Sep 14, 2010 01:44 AM

    By default the AV engine uses the system account privileges to scan all the files.

     

    http://www.symantec.com/connect/videos/logging-machine-system-account

    Aniket