2

It is our policy for our end users' computers (usually laptops) to have high power CPUs, GPUs, RAM (no less than 16GB) and HDD space (1TB), but we save money by choosing a lower rotation speed of HDD. We have very high rotation speed for our servers instead. Usually it works quite well, but antivirus software is raising problems. I can observe in Task Manager that if total (from all the processes) disk access is more than 4-5 MB/s, then the Task Manager indicates 100% use of disk access and the other applications are slowing down visibly. Usually the antivirus software, especially the scanner process, is consuming the highest part of the disk access. Of course, I can assign lower priority for antivirus software but this has an impact on CPU use (which is not a problem). But is it possible to slow down the disk access of the antivirus scanner process? It is OK that each downloaded file, each accessed web page is scanned in real time, but I don't see the necessity to have high disk access and express resource consumption for the long-running background disk scanner processes. We use many of our computers for programming, that is why each of them can contain around 5.000.000 files or more (no more than 15.000.000 files). So - the scanner is trying to process quickly all those files and the work is impossible.

And regarding the option to do scans during idle/maintenance time. Well - it is important to stress that we use mainly laptops for the end users, many of them take their computers home, have flexible schedules. So - there is no time window that could be planned especially for the maintenance activities. So - this is no option. I wonder why antivirus companies are not thinking in terms of customer satisfaction?

5
  • 2
    Why are you running scans during working hours? Why don't you schedule the scans for non-working hours?
    – joeqwerty
    Feb 23, 2019 at 1:26
  • As I said, the number of files is very large and the scan cannot be completed during non-working hours. Besides, the scan positions itself as a background scan. Is it so hard for the antivirus company to tame the scanning process?
    – TomR
    Feb 23, 2019 at 1:51
  • 1
    @joeqwerty Can you predict when a developer will be working? Some of them think every hour is working hours. Feb 23, 2019 at 2:13
  • Have you considered configuring the virus scanning software to only look at executable files and not files that are not particularly prone to viruses? Feb 23, 2019 at 5:28
  • Why are you using disks that spin? SSDs are effectively a standard now where performance is a concern. Decent endpoint security products have a throttling mechanism for scheduled scans. Windows Defender, for example, has 'Configure low CPU priority for scheduled scans'. If the scan runs as a scheduled task, the task priority can also be lowered.
    – Greg Askew
    Feb 23, 2019 at 16:54

2 Answers 2

1

If you can't find an answer that can solve your problem directly consider one that still addresses the underlying problem*.

If the scan can't be completed during non-working hours, break it up into parts that can be completed thus; e.g. scan directories X, Y and Z on Mondays, Wednesdays and Fridays, and the rest on Tu/Th/Sa.

And maybe scan frequently changing directory W every day and archive directory V only every Sunday...

*Edit: After I answered, Esa then took this a step further than I, with good results.
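
The rotation this answer describes, as an added example that is not part of the original answer: frequently changing directories are scanned every night, and the rest are spread across the week so that no single night exceeds a file budget. All paths, file counts and the nightly budget are constructed assumptions, and `plan_rotation` is a hypothetical helper, not part of any antivirus product.

```python
# Added example: weekly scan rotation planner. Paths, counts and the budget
# are constructed assumptions, not values taken from the post.
DAYS = ["Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun"]

# (path, approximate file count, policy); constructed sample, 5,000,000 files
SAMPLE_DIRS = [
    (r"C:\Users\dev\Downloads", 20_000, "daily"),
    (r"C:\src\active", 150_000, "daily"),
    (r"C:\src\monorepo", 1_000_000, "weekly"),
    (r"C:\src\vendor", 900_000, "weekly"),
    (r"C:\tools\sdk", 800_000, "weekly"),
    (r"C:\src\archive", 700_000, "weekly"),
    (r"C:\Users\dev\AppData", 600_000, "weekly"),
    (r"C:\ProgramData", 400_000, "weekly"),
    (r"C:\Windows", 200_000, "weekly"),
    (r"C:\Program Files", 130_000, "weekly"),
    (r"C:\Program Files (x86)", 100_000, "weekly"),
]


def plan_rotation(dirs, nightly_budget):
    """Return (plan, load): paths and total file count per weekday.

    'daily' directories go on every night. 'weekly' directories are placed
    largest first on whichever night is currently lightest, which keeps the
    nights balanced. Raises ValueError if any night exceeds nightly_budget.
    """
    plan = {d: [] for d in DAYS}
    load = {d: 0 for d in DAYS}
    for path, count, policy in dirs:
        if policy not in ("daily", "weekly"):
            raise ValueError(f"unknown policy {policy!r} for {path}")
        if policy == "daily":
            for d in DAYS:
                plan[d].append(path)
                load[d] += count
    weekly = sorted((x for x in dirs if x[2] == "weekly"),
                    key=lambda x: x[1], reverse=True)
    for path, count, _ in weekly:
        day = min(DAYS, key=load.get)  # first lightest night wins ties
        plan[day].append(path)
        load[day] += count
    over = [d for d in DAYS if load[d] > nightly_budget]
    if over:
        raise ValueError(f"budget exceeded on {over}: split a directory")
    return plan, load


if __name__ == "__main__":
    plan, load = plan_rotation(SAMPLE_DIRS, nightly_budget=1_200_000)
    for d in DAYS:
        print(f"{d}: {load[d]:>9,} files  {plan[d]}")
```

Each night's path list can then be fed to whatever custom-path scan the installed product offers; the budget should come from a measured files-per-hour rate on the actual disks.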

0

When was the last time a scheduled full scan actually found something that caused a real risk? Something that wasn't already found and would not have been found before it would cause any harm? This day and age malware protection is real-time and hopefully multi-layered:

  • You prevent access to known malicious sources; sites listed as infected, parked domains etc.
  • A firewall / IPS / UTM solution detects malicious content from the traffic on many layers.
  • The virus protection on the local machine scans the file when it's downloaded, when it's loaded to memory and whenever the file is accessed. A malicious file does no harm by just standing on your HDD.
  • The content is scanned against known signatures just like before, but modern antivirus solutions (on the UTM, local machine or both) can perform additional behavior analysis, sandboxing and machine learning. The most aggressive method is whitelisting, where every executable needs to be tested on a sandbox and detected as safe before it gets through.
  • If malware starts making connections to other computers, it can again be detected on the IPS.

All these together make it pointless to run full scans on a regular basis. It's possible to start a full scan manually when something suspicious is found on the other layers of the protection.

Regular updates are way more important than regular scans. According to Fortinet:

But it’s not just these high-profile attacks that target recent vulnerabilities that are the problem. During Q2, 90% of organizations recorded exploits against vulnerabilities that were three or more years old. And 60% of firms experienced successful attacks targeting devices for which a patch had been available for ten or more years!

Because so many organizations are slow to patch or replace devices and systems with known vulnerabilities, cybercriminals are shifting resources away from developing new ways to break into networks, and are instead focused on developing automated and intent-based tools designed to deliver more sophisticated payloads that are also increasingly difficult to detect and remove.

In many companies the practice of leaving computers open for night-time virus scans leads to not updating and rebooting them regularly. The attack surface decreases significantly if the operating system and all the software are up-to-date.
