
When to Load Auto-Protect (In-depth Question)

Created: 09 Jul 2013 | 2 comments
Car_Bed

My question is pretty granular, and I would be interested to see if anyone has done a true in-house test to note any variance. We have two options in the AV policy to tell SEP when to load: "When SEP starts" or "When the computer starts". Outside of the obvious setting, has anyone done any in-depth testing to see the variance? One ideal test might be to put something malicious on a system, maybe netcat (an oldie, but just using it as an example), configured to phone home to a system. Kill the new real-time filter driver so it's truly not detected (just to get the test malware on your box), and bounce the system. Have System 1 loading Auto-Protect when the system starts, and System 2 loading Auto-Protect when SEP starts. See if there is a noticeable difference. Why? Because if this shaves ~seconds off boot time (changing it, obviously, to load when SEP starts) but allows a session, if not more than a few seconds, to be established, is it worth it?




ᗺrian

Would be interesting to see the results.

Having it set to "Computer Starts" would seem to me that it would catch malware more quickly as opposed to when SEP starts. But I also think this setting's main objective is better performance of the system on boot.

Probably a more ideal test would be putting "malware" in the startup folder, then testing. Something that can start automatically. I don't think SEP would catch a dormant copy of netcat (or some other malware) unless a scan was run. It would need to be active for Auto-Protect to trigger on it.

According to the KBA:

For better system performance, set it to when SEP starts.


Car_Bed

Good thought: throw netcat in startup or throw a link in Run in the registry. Tell it to start, then stopwatch it to see how fast the difference truly is.
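The "stopwatch" the thread asks for can come from the Windows event log rather than a hand timer. The script below is an added example, not code from the thread or from Symantec: it measures how many seconds after boot the SEP service reported running, and how many seconds after boot a benign startup item ran (a script that only writes a timestamp file, standing in for the netcat test), then reports the gap. The service name `SepMasterService` and the marker path are assumptions to adjust for your environment; run it once on a "Computer Starts" system and once on a "SEP Starts" system and compare the two results.

```powershell
# Added example (not from the thread): time the boot-to-protection gap on one system.
# Assumptions: SEP 12.x service name 'SepMasterService'; a benign startup item
# (Startup folder or HKCU\...\Run) writes C:\Temp\startup-marker.txt when it runs.
$ServiceName = 'SepMasterService'            # assumption: SEP service name
$MarkerFile  = 'C:\Temp\startup-marker.txt'  # assumption: written by the benign startup item

# 1. Boot time as recorded by the OS, so every delta below shares one reference point.
$boot = (Get-CimInstance -ClassName Win32_OperatingSystem).LastBootUpTime

# 2. When the SEP service entered the running state: Service Control Manager
#    event 7036 ("The <display name> service entered the running state") since boot.
$svc = Get-Service -Name $ServiceName -ErrorAction Stop
$svcEvent = Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
    LogName      = 'System'
    ProviderName = 'Service Control Manager'
    Id           = 7036
    StartTime    = $boot
} | Where-Object { $_.Message -like "*$($svc.DisplayName)*running*" } |
    Sort-Object TimeCreated | Select-Object -First 1

if (-not $svcEvent) {
    throw "No 'entered the running state' event for $ServiceName since boot at $boot"
}

# 3. When the benign startup item ran: the marker file's last write time.
if (-not (Test-Path $MarkerFile)) { throw "Marker file $MarkerFile not found; did the startup item run?" }
$markerTime = (Get-Item $MarkerFile).LastWriteTime

$svcDelay    = ($svcEvent.TimeCreated - $boot).TotalSeconds
$markerDelay = ($markerTime - $boot).TotalSeconds

# A positive UnprotectedWindowSec means the startup item ran before the service
# reported running; compare this figure between the two Auto-Protect load settings.
[pscustomobject]@{
    BootTime               = $boot
    ServiceRunningAfterSec = [math]::Round($svcDelay, 1)
    StartupItemAfterSec    = [math]::Round($markerDelay, 1)
    UnprotectedWindowSec   = [math]::Round($markerDelay - $svcDelay, 1)
}
```

The service's "running" event is a proxy: with Auto-Protect set to load when the computer starts, the filter driver can be active before the user-mode service reports running, so treat the number as an upper bound on the window and repeat the measurement over several boots.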