Endpoint Protection

  • 1.  Best practice for a scan schedule?

    Posted Feb 08, 2010 10:31 AM
    Can anyone recommend a Symantec or third party document that outlines best practices for schedules of anti-virus scans on desktops/laptops?  I have my own ideas, such as an active scan at least three times per day and/or upon a definition update, coupled with a weekly full scan after hours.

    But since AV is a frequent computer performance boogeyman I need some outside information to back me up.  Symantec or others, can you provide some recommendations?  If Symantec doesn't have a published document on this (I found a KB article that only generally recommends frequent after-hours scans) I'd be happy with a posting that outlines best practice.

    - Bill


  • 2.  RE: Best practice for a scan schedule?

    Posted Feb 08, 2010 10:39 AM
    This one really depends from company to company and person to person.
    Some need security and some need performance, and the majority need a combination of both.

    The risk of clients getting infected by a threat is greater than for servers.
    So clients should be scanned daily (full scan).
    Servers are touched the least, so a weekly full scan with a daily active scan should be enough.

    Desktops and laptops fall in the same category, so it doesn't matter if they are desktops or laptops.
    However, for laptops the LiveUpdate policy should be such that even if they don't connect to SEPM they are updated with definitions at the time of the scan.


  • 3.  RE: Best practice for a scan schedule?

    Posted Feb 08, 2010 10:54 AM
    Decide if you need performance or max protection.

    Symantec Endpoint Protection Client configuration changes for performance optimization


    http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2007102311173048

    Best Practice for Symantec Endpoint Protection Scheduled Scans

    http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2009090206565248


  • 4.  RE: Best practice for a scan schedule?

    Posted Feb 08, 2010 12:36 PM
    How many computer administrators do you have?  I'd ask them to give you times when scans are acceptable.
    Do you have power management in place?  If so, can the machines be woken up to scan, or are the electricity savings more important to your executives than productivity?
    You'll have to answer a lot of questions before you'll even begin to realize what times you scan, and you have to balance all sorts of factors.

    I will say that for most of our users, the weekly scans at noon on Mondays seem to be acceptable, with active scans to fill in at startup and during the week.


  • 5.  RE: Best practice for a scan schedule?

    Posted Feb 08, 2010 02:01 PM

    * I mentioned "desktops/laptops" in my post to specify scheduled scan practices on clients rather than servers (since I grant that server policy is going to vary widely depending upon function and may not use scheduled scans at all).
    Here is some additional detail:

    We are a professional services organization of > 1000 clients.  We do utilize WoL to perform a weekly maintenance process that includes a SEP scan, but it (like the other scheduled scans) is configured with the Retry flag turned off (so the scan won't run if they take their laptop home every day).

    I have a decent amount of experience in security matters, and in my humble opinion some daytime active scans are a security necessity.  But client optimal performance is a major concern here and I'm looking for outside resources that bolster my stance that turning them all off (for example) is A Really Bad Idea.



  • 6.  RE: Best practice for a scan schedule?

    Posted Feb 08, 2010 02:12 PM
    Our scheduled scans locate viruses on our computers that the real-time scan did not detect.   Our real-time scan does not do as intensive a scan as the scheduled scan.

    An example of this is a Java virus in a JAR file located in the Internet Explorer temporary folder.   Another would be a PDF in the same folder.

    The real-time scan did not detect it because it is not in the detections at the time of download.   The only thing that found it was the scheduled scan, after a pattern file update which now detects the virus.

    So one takes a look at the PC in question.  Did it have the version of Java which that virus required for elevation?  Did the client have the latest Adobe Reader patch?    Did it get infected?

    Some viruses we have monitored have installed things such as WinProxy, or VNC.  Legitimate 3rd party software.    Even after antivirus cleans up the infection, back doors may be left on the previously infected computer.   Usually, we grab any data from the PC, nuke it and the user's roaming profile, and rebuild them.   The real-time scans are critical to locate these PCs needing to be cleaned up.

    Anyway, that's my opinion.






  • 8.  RE: Best practice for a scan schedule?
    Best Answer

    Posted Feb 08, 2010 02:22 PM
    Real-time scan is different from Active Scan.
    Active Scan (Quick Scan) is an on-demand scan which scans common load points (it can scan up to 8 levels deep); that is, it can catch a virus in a zip file, whereas real-time scan can't, as it scans only files that are accessed or modified.

    Laptops that go out of the network need to be scanned before they connect to your production environment.

    As you cannot guarantee that they have not been compromised outside your network.

    So the best security measure in this case would be simple:
    Put all laptops in one group and enable Missed Scheduled Scan on the laptop group only.
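The thread's suggestions (post 1: active scans a few times a day and on definition update plus a weekly after-hours full scan; post 5: Retry turned off so a laptop that is off during the window simply misses its scan; post 8: enable Missed Scheduled Scan for a laptop group only) combine into one policy decision per client. The following is an added, illustrative evaluator of that decision, written for this page and not Symantec or SEPM code: the `Policy` and `Client` fields, the role names, the after-hours window and the sample fleet are all constructed assumptions, and the scan names it returns are labels, not SEP settings.

```python
"""Illustrative scan-schedule policy evaluator (not SEP/SEPM code)."""
from dataclasses import dataclass, field
from datetime import datetime, time, timedelta
from enum import Enum


class Role(Enum):
    DESKTOP = "desktop"
    LAPTOP = "laptop"
    SERVER = "server"


@dataclass
class Policy:
    # Hypothetical policy knobs modelled on the thread's suggestions.
    full_scan_interval: dict            # Role -> timedelta between full scans
    active_scans_per_day: int = 3       # "active scan at least three times per day"
    active_on_definition_update: bool = True
    after_hours: tuple = (time(22, 0), time(6, 0))   # window for scheduled full scans
    missed_scan_retry: set = field(default_factory=set)  # roles allowed to run a missed full scan at any hour


@dataclass
class Client:
    name: str
    role: Role
    last_full_scan: datetime
    last_active_scan: datetime
    definitions_updated: datetime


def in_after_hours(now: datetime, window) -> bool:
    """True if now falls inside the (start, end) window; the window may wrap midnight."""
    start, end = window
    t = now.time()
    if start <= end:
        return start <= t < end
    return t >= start or t < end


def scans_due(client: Client, policy: Policy, now: datetime) -> list:
    """Return the scans this client should start now, in priority order."""
    due = []
    interval = policy.full_scan_interval[client.role]
    if now - client.last_full_scan >= interval:
        if in_after_hours(now, policy.after_hours):
            due.append("full")                          # the regular scheduled window
        elif client.role in policy.missed_scan_retry:
            due.append("full:missed-schedule-retry")    # laptop missed its window; run anyway
        # otherwise (Retry off): wait for the next after-hours window
    active_gap = timedelta(hours=24 / policy.active_scans_per_day)
    if now - client.last_active_scan >= active_gap:
        due.append("active")
    elif policy.active_on_definition_update and client.definitions_updated > client.last_active_scan:
        # New definitions may detect something the real-time scan let through at download time.
        due.append("active:new-definitions")
    return due


def may_join_production(client: Client, policy: Policy, now: datetime) -> bool:
    """Gate from post 8: a client whose last full scan is older than its interval is not trusted."""
    return now - client.last_full_scan < policy.full_scan_interval[client.role]


# Constructed sample fleet and policy (assumed values, not from the thread's environment).
NOW = datetime(2010, 2, 8, 14, 0)   # a Monday afternoon
WEEK = timedelta(days=7)
POLICY = Policy(
    full_scan_interval={Role.DESKTOP: WEEK, Role.LAPTOP: WEEK, Role.SERVER: WEEK},
    missed_scan_retry={Role.LAPTOP},
)
SAMPLE_CLIENTS = [
    Client("ws01", Role.DESKTOP, datetime(2010, 1, 31, 23, 0), datetime(2010, 2, 8, 9, 0), datetime(2010, 2, 8, 11, 0)),
    Client("lt07", Role.LAPTOP, datetime(2010, 1, 29, 23, 0), datetime(2010, 2, 8, 5, 0), datetime(2010, 2, 8, 4, 0)),
    Client("srv01", Role.SERVER, datetime(2010, 2, 7, 2, 0), datetime(2010, 2, 8, 12, 0), datetime(2010, 2, 8, 11, 0)),
]


def evaluate_fleet(clients=SAMPLE_CLIENTS, policy=POLICY, now=NOW) -> dict:
    """Map client name -> (scans due now, allowed on the production network)."""
    return {c.name: (scans_due(c, policy, now), may_join_production(c, policy, now)) for c in clients}


if __name__ == "__main__":
    for name, (due, ok) in evaluate_fleet().items():
        print(f"{name}: due={due or 'nothing'} production={'yes' if ok else 'quarantine'}")
```

Run as written, the overdue desktop only gets an active scan (new definitions arrived since its last one) and waits for the after-hours window for its full scan, the laptop that has been off the network for ten days gets a missed-schedule full scan immediately and is kept off production until it completes, and the server, scanned within its interval, gets nothing.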