On 6/6/2011 10:29, Orchid XP v8 wrote:
> Seems to me more like "useless busy-work to reassure the customer that we
> really are doing something".
Or maybe "check that you haven't installed something while the scanner was
turned off"?
> I notice that Symantec AntiVirus Corporate Edition doesn't do scheduled
> scans at all by default. (Unless you explicitly ask it to.) Neither did
> Trend Micro, until our IT department turned it on. (Why?)
See above.
>> Try Microsoft Security Essentials. It's really good.
> It has "Microsoft" in the name. Why would it be good?
Because it's written by the same people who wrote the OS you're trying to protect?
> That's a valid argument for a file server. But even in that case, you (or
> somebody else) still has to *access* the file.
But the other person might not have a virus scanner.
> While we're on the subject, almost all AV products claim to be able to detect
> "virus-like behaviour" even if they don't have signatures for it. But I've
> yet to see this actually work in practice...
I have.
> It's an optimisation in that it only scans files which could actually harm
> the system, without wasting time scanning files which are never used. On the
> other hand, it also scans them at the worst possible time...
Right. That's why using the USN journal is such a good idea.
>> Don't use the timestamp. Use the USN journal. That's what it's for.
>
> And how many 3rd parties know this exists? (Also, it only works for NTFS.
> Which should be a non-issue, because *nobody* should be using FAT by now...)
If you don't have the USN turned on, fall back to on-demand scanning. Lots
of third parties know it exists. It's well documented and has been around
for years. Heck, *I* know it exists and I don't even try to write
non-portable Windows code.
Too many people try to do cool stuff and just skip all the tools that
Windows gives you to make it work well. Not knowing the USN journal exists
when you're writing file scanning software for Windows is like not knowing
the Apple UI guidelines exist when trying to write interactive code.
>> Indeed, you can just do a lazy background scan of anything that might be
>> an executable after whoever is writing to it finishes writing to it.
>
> You might argue that you could also do lazy on-access scans by logging who's
> accessing stuff, and then checking after. Still, difficult to block access
> to a file after it's been accessed...
Right. But this way, you're scanning the executable as soon as it gets
potentially-infected, not when the person is waiting for it to run. You get
notified as soon as you visit the web page that gives you the virus, not a
week later after you have no idea why the program you only use once a week
is suddenly different.
> Now why the **** couldn't McAfee have done that for itself?
Dunno. Privilege problems?
--
Darren New, San Diego CA, USA (PST)
"Coding without comments is like
driving without turn signals."
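Darren's two points above, reading the USN journal instead of timestamps and scanning an executable as soon as whoever wrote it closes it, as an added example that is not code from the original thread or from any product mentioned in it. It reads the NTFS change journal for everything written since the last pass, keeps only executables whose writer has closed the handle, resolves their paths and hands them to a scan hook, then records the journal position for the next run. Assumptions, not verified against the thread: fsutil's `csv` output keyword and the column names "Usn", "File name", "Reason" and "Parent file ID"; the bracketed-path output of `fsutil file queryfilenamebyid`; and the scan hook itself (here just a SHA-256 hash). It needs an elevated prompt and a volume with the journal enabled.

```powershell
# Added example, not code from the original thread. It does what Darren
# describes: read the NTFS USN change journal for everything written since the
# last pass, keep only executables whose writer has closed the handle, and scan
# those in the background. Assumptions, not verified against the thread:
# fsutil's `csv` output keyword and the column names "Usn", "File name",
# "Reason" and "Parent file ID"; the bracketed-path output of
# `fsutil file queryfilenamebyid`; and the scan hook (here a SHA-256 hash).
# Run elevated. Enable the journal first if needed:
#   fsutil usn createjournal m=0x4000000 a=0x100000 C:
param(
    [string]$Volume       = 'C:',
    [string]$StateFile    = "$env:ProgramData\usn-scan-state.txt",
    [string[]]$Extensions = @('.exe', '.dll', '.sys', '.scr', '.ocx', '.com')
)

# USN_REASON_* flags from winioctl.h. CLOSE is 0x80000000; PowerShell reads
# that hex literal as a negative Int32, so the values are given in decimal.
$REASON_DATA_OVERWRITE  = [uint64]1          # 0x00000001
$REASON_DATA_EXTEND     = [uint64]2          # 0x00000002
$REASON_FILE_CREATE     = [uint64]256        # 0x00000100
$REASON_RENAME_NEW_NAME = [uint64]8192       # 0x00002000
$REASON_CLOSE           = [uint64]2147483648 # 0x80000000
$WriteMask = $REASON_DATA_OVERWRITE -bor $REASON_DATA_EXTEND -bor
             $REASON_FILE_CREATE -bor $REASON_RENAME_NEW_NAME

function Get-JournalNextUsn([string]$Vol) {
    # "Next Usn : 0x..." from `fsutil usn queryjournal`: the first USN the
    # next run has to read.
    foreach ($line in (fsutil usn queryjournal $Vol)) {
        if ($line -match '^Next Usn\s*:\s*(0x[0-9A-Fa-f]+)') { return [uint64]$Matches[1] }
    }
    throw "USN journal is not enabled on $Vol"
}

function Resolve-ParentPath([string]$Vol, [string]$ParentId) {
    # A USN record carries only the file name and the parent's file ID; the
    # directory path has to be resolved. Assumed output format:
    #   A random link name to this file is [\\?\C:\Program Files\Foo]
    $out = fsutil file queryfilenamebyid $Vol $ParentId 2>$null
    if ("$out" -match '\[\\\\\?\\([^\]]+)\]') { return $Matches[1] }
    return $null   # parent directory already gone
}

function Get-ChangedExecutables([string]$Vol, [uint64]$StartUsn) {
    $rows = fsutil usn readjournal $Vol csv ('startusn=0x{0:x}' -f $StartUsn) | ConvertFrom-Csv
    if ($LASTEXITCODE -ne 0) {
        # Typically the journal wrapped past $StartUsn (scanner off too long):
        # the caller should fall back to a full on-demand scan.
        throw "readjournal failed from USN $StartUsn; journal gap, full scan needed"
    }
    foreach ($r in $rows) {
        if (-not ($r.Reason -match '^(0x[0-9A-Fa-f]+)')) { continue }
        $reason = [uint64]$Matches[1]
        # Act only once the writer is done: CLOSE together with a write,
        # create or rename-into-place reason on the same record.
        if (($reason -band $REASON_CLOSE) -eq 0 -or ($reason -band $WriteMask) -eq 0) { continue }
        $name = $r.'File name'
        if (-not $name) { continue }
        if ($Extensions -notcontains [IO.Path]::GetExtension($name).ToLower()) { continue }
        $dir = Resolve-ParentPath $Vol $r.'Parent file ID'
        if ($dir) {
            [pscustomobject]@{ Usn = [uint64]$r.Usn; Path = (Join-Path $dir $name); Reason = $reason }
        }
    }
}

# Resume where the previous run stopped; a first run reads the whole journal.
$lastUsn = if (Test-Path -LiteralPath $StateFile) { [uint64](Get-Content -LiteralPath $StateFile -First 1) } else { [uint64]0 }
# Take the high-water mark before reading so a write that lands mid-run is
# picked up next time rather than lost.
$nextUsn = Get-JournalNextUsn $Volume

foreach ($hit in Get-ChangedExecutables $Volume $lastUsn) {
    if (-not (Test-Path -LiteralPath $hit.Path -PathType Leaf)) { continue }
    # Scan hook. A real product hands the path to its engine here; MSE/Defender
    # exposes that as: MpCmdRun.exe -Scan -ScanType 3 -File <path>
    $sha256 = (Get-FileHash -LiteralPath $hit.Path -Algorithm SHA256).Hash
    '{0} usn={1} reason=0x{2:x} sha256={3}' -f $hit.Path, $hit.Usn, $hit.Reason, $sha256
}
Set-Content -LiteralPath $StateFile -Value $nextUsn
```

Two things this makes concrete from the post: the filter on CLOSE plus a write/create/rename reason is what "after whoever is writing to it finishes writing to it" means in journal terms, and the thrown error on a read from a USN the journal no longer holds is the "fall back to on-demand scanning" case, which a scheduled task running this script should catch and answer with a full scan.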