Do you have a question? Post it now! No Registration Necessary. Now with pictures!
- Posted on
- On-Access scanning
March 17, 2005, 4:26 pm
rate this thread
We are in the process of deploying an FTP server and I have
been asked to look into this issue.
We need to know that if someone deposits a file with a virus
on our system, using either FTP or a local copy, that our McAfee
virus scanner will pick it up _before_ it is possible for any other
process (e.g. FTP) to even see the file.
I know that 'on-access' means that the scan is triggered by the
disk driver operations, but the question is which ones, and can
we guarantee that we won't have a partially scanned file on our
system that could be seen by another process before the on-access
scan is complete.
Hope this makes sense, and thanks for your help.
Re: On-Access scanning
On access scanning usually only scans existing files that are being
opened for read, or read-write access. To prevent the creation of
an infected files, some scanners have "on close" scanning, to auto
delete an infected file, that has just been created.
The problem you're most likely to encounter with an on access
scanner, is the ftp server hanging, when it tries to access an
infected file, and is prevented by the av software.
What is appropriate depends a lot on who will have upload access,
and the download audience.
If untrusted users will have upload access, I recommend having all
uploaded files put into a directory that is not accessible for download,
with a script that runs the av scanner on demand, before moving the
file to a directory accessible for download. Don't forget about the
day 0 problem, where a new virus is not recognized by the scanner.
Periodic scanning of the download directory should be used to remove
newly detectable viruses.
Regards, Dave Hodgins
Change nomail.afraid.org to rogers.com to reply by email.
(nomail.afraid.org has been set up specfically for
use in usenet. Feel free to use it yourself.)
- Richard S. Westmoreland
March 18, 2005, 5:30 pm
Re: On-Access scanning
That is the exact same advice I was going to give. Separate the
upload/download directories, and let a scheduled script move files between
them. When the script accesses the file, the on-access scanning will look
at it before making the move.
Richard S. Westmoreland
- » ANN: PC Activity Monitor Professional 7.4 released
- — Previous thread in » Anti-Virus Software