Endpoint Protection


Too many files to scan, Too little time

  • 1.  Too many files to scan, Too little time

    Posted Nov 10, 2010 08:09 PM

    Looking for some ideas about scheduled scans on servers.

    SEP v11.0.6005.562, Anti-Virus/Anti-Spyware, No PTP, NTP with FW policy withdrawn, IPS enabled

    Have placed small test group of 5 servers (win2003 & 2008) in weekly 3AM scan group

    In one case, have too many files to be scanned before the morning arrives.

    Do servers need to be subjected to a full scan until finished or can best practices include a Scan for Up to [hours] and scheduled nightly instead of weekly?

    Any other ideas? What is actually practiced out there?

    Centralized Exceptions has been utilized for non-risky file folders.

    Thanks.




  • 2.  RE: Too many files to scan, Too little time

    Posted Nov 10, 2010 08:19 PM

    If nightly scans can finish before the day starts, go for it.

    If not, schedule depending on how users access the servers:

    Database servers - could pass using just a scheduled active scan. 1/week. Add the databases to the excluded list. Provided that the only traffic is when users read/write on the database.

    File servers - since these have high traffic, 1 full scan per week starting on your first off-peak day. Usually Saturday morning, so that it could hopefully finish before Monday morning. Real-time scan could slow this one down.

    Web servers - can do with active scan as well.

    Or go with Symantec Critical Systems Protection. :D



  • 3.  RE: Too many files to scan, Too little time

    Posted Nov 10, 2010 08:52 PM

    Yes, agreed with Mr. Mon. I usually scan my file servers Friday night after 6 PM.



  • 4.  RE: Too many files to scan, Too little time

    Posted Nov 11, 2010 05:27 AM

    Yes, servers need to be subjected to a full scan.

    Also, you can have the option to pause or stop the scan enabled on the servers, so that you can take proper action if required.

    There is a new feature with the version that you have installed: "Scan Randomization". You can configure scheduled scans to run at randomized times, so that virtualized environments do not all run scan sessions at the same time.

    Check the following article

    Title: Configuring SEP client options for end users to stop, pause, or 'snooze' administrator defined scans
    Web URL: http://www.symantec.com/business/support/index?page=content&id=TECH93376&locale=en_US



  • 5.  RE: Too many files to scan, Too little time

    Posted Nov 12, 2010 05:10 PM

    given time slot: scan starts at 3am on Wednesday (for this scenario)

    no stop, pause, or snooze feature will be allowed for servers

    Database server, in-house & 3rd-party development, Microsoft SQL Server 2005

    approx 3 million files to scan, some folders excluded

    approx. 13 hrs (but not accurate since most scans are aborted)

    =================

    I appreciated the suggestion to categorize the type of server to be scanned.

    Database server (in this case)

    --  Active scan once a week (instead of administrator scheduled scan)

    Is anyone using the Scan for Up to [hours] feature ?

    And what about the Administrator-Defined Scan, Advanced Scanning Option, Tuning, slide up to Best Scan Performance for a fast scan and slow apps??

    Any thoughts here?

    Thanks.




  • 6.  RE: Too many files to scan, Too little time

    Posted Nov 12, 2010 05:21 PM

    Suggestion...

    Create a scan for every night of the week.

    Sunday scan will scan C:\ 

    Monday scan will scan D:\

    Tuesday E:\

    etc.

    This way you will still scan the entire machine once a week; it's just broken up into a few hours each night.



  • 7.  RE: Too many files to scan, Too little time

    Posted Nov 12, 2010 05:44 PM

    Turn off the scanning of compressed files for the scheduled scan.  It can make the scan take a LOT longer, and Auto-Protect would nab any malicious files within when the archive is expanded.

    sandra



  • 8.  RE: Too many files to scan, Too little time

    Posted Nov 12, 2010 05:51 PM

    However, if you are running weekly (Friday) scans, do enable the compressed file scanning.

    It's not necessary to scan daily unless threats are regularly detected on these servers.



  • 9.  RE: Too many files to scan, Too little time

    Posted Nov 12, 2010 06:15 PM

    There is a support article on tuning the scanner to use more threads of the processor to speed up scanning times. Look into it. This is especially handy when you have multiple cores or multi-CPU systems.



  • 10.  RE: Too many files to scan, Too little time

    Posted Nov 12, 2010 09:04 PM

    Wow, that could be useful. If anyone knows it, please share it here for the benefit of everyone in the forum :-)



  • 11.  RE: Too many files to scan, Too little time

    Posted Nov 13, 2010 01:25 AM

    Is this the one you're thinking about?

    Enabling multithreaded scans
    http://www.symantec.com/docs/TECH101387

    sandra



  • 12.  RE: Too many files to scan, Too little time

    Posted Nov 14, 2010 09:54 PM

    I'm not using scan up-to x hours. I just rely on SEPM admin settings. It's easier that way.

    I'd design my scheduled scans over the weekends. And servers are grouped into 3: one that uses way too much resources, med resources, and those that I'm sure won't get infected 90% of the time. Create your policies based on that.

    For the local scans. I assigned them to the admin in charge of that server and he or she has the responsibility to have it scanned at least 1/mo and not more than 4/mo.

    And for high traffic servers, instead of putting the policy on the server, I place the policy on the clients to scan files on demand (i.e. when they access the shared folders). I'm not sure how having an application policy would affect the resources. Block writing certain files (exe, inf, bat, vbs, db, ini). The last 2 are just because of the thumbs.db and desktop.ini, which a few users mistake for malware.

    Scheduled scans on servers could be limited to the Windows and Documents and Settings folders. And have NTP enabled to limit the possibility of threats using exploits, and test this first before going live.



  • 13.  RE: Too many files to scan, Too little time

    Trusted Advisor
    Posted Nov 15, 2010 10:27 AM

    Another alternative that may work is an upgrade to RU6MP1 (11.0.6100.***). This latest version release allows for a scan to be stopped, and then when it resumes it will pick up the scan from where it left off.

    So your 3am scan on Monday would scan 1 mil files and stop at 7am. Tuesday's 3am scan would scan 1 mil files, then stop at 7am. Wednesday's scan would scan the remainder of the files.
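
Added example, not part of the thread and not Symantec code: a Python planner for the per-drive nightly split suggested in post 6, which also flags any target too large for one window and so dependent on the resumable scan described in post 13. The scan rate and window come from the thread's rough figures (about 3 million files in about 13 hours, 3 AM to 7 AM); the per-drive counts in `SAMPLE_COUNTS` and all function names are constructed for illustration.

```python
import os
from math import ceil

# Rough figures taken from the thread; measure your own server before relying on them.
FILES_PER_HOUR = 3_000_000 / 13   # "approx 3 million files", "approx. 13 hrs"
WINDOW_HOURS = 4                  # scan starts at 3 AM and must stop by 7 AM

# Constructed per-drive file counts (assumption, not data from the thread).
SAMPLE_COUNTS = {"C:\\": 400_000, "D:\\": 1_600_000, "E:\\": 700_000, "F:\\": 300_000}


def count_files(root):
    """Count files under root to get real input for the planner.

    os.walk silently skips directories it cannot read, so run this with
    an account that can see everything the scanner will see.
    """
    return sum(len(files) for _, _, files in os.walk(root))


def plan_nightly_scans(file_counts, nights=7, rate=FILES_PER_HOUR, window=WINDOW_HOURS):
    """Spread scan targets over nightly windows.

    Targets are placed largest first on the least-loaded night.
    Returns (plan, hours, oversize):
      plan     night index -> list of targets scanned that night
      hours    night index -> estimated scan hours for that night
      oversize target -> number of windows it needs on its own; these need
               a resumable scan or must be split into smaller folders
    """
    capacity = rate * window
    plan = {n: [] for n in range(nights)}
    load = {n: 0 for n in range(nights)}
    oversize = {}
    for target, count in sorted(file_counts.items(), key=lambda kv: -kv[1]):
        if count > capacity:
            oversize[target] = ceil(count / capacity)
            continue
        night = min(load, key=lambda n: (load[n], n))
        plan[night].append(target)
        load[night] += count
    hours = {n: round(load[n] / rate, 2) for n in load}
    return plan, hours, oversize


if __name__ == "__main__":
    plan, hours, oversize = plan_nightly_scans(SAMPLE_COUNTS)
    for night, targets in plan.items():
        print(f"night {night}: {targets} (~{hours[night]} h)")
    print("needs resumable scan or further splitting:", oversize)
```

Any night whose estimated hours exceed `WINDOW_HOURS` means there are too few nights for the remaining targets, so add nights or exclude more folders.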