Good Anti-virus for large hard drives and files?

[moody]

I'm building a media server with a lot of storage to hold my DVDs, music and TV shows recorded by my PVR program. The storage will be RAID-5 arrays of about 1 terabyte each. Only data will be stored on these arrays the system drive will be a separate and much smaller disk.

Do I need an anti-virus to scan the data drives or just the system drive? If I do need to scan the data drives, what anti-virus can scan drives that big holding multi-gigabyte files without taking a day or more? Also recording video to a drive is very sensitive to disruption. I dont want to have a capture of a TV show ruined because the anti-virus suddenly decided to kick in.

I've read NOD32 has very fast scanning but I dont know whether its real time scanner would cause problems. Perhaps an on demand only anti-virus would be better.

[Howard Kaikow]

Quote:

Originally Posted by moody

I'm building a media server with a lot of storage to hold my DVDs, music and TV shows recorded by my PVR program. The storage will be RAID-5 arrays of about 1 terabyte each. Only data will be stored on these arrays the system drive will be a separate and much smaller disk.

Do I need an anti-virus to scan the data drives or just the system drive? If I do need to scan the data drives, what anti-virus can scan drives that big holding multi-gigabyte files without taking a day or more? Also recording video to a drive is very sensitive to disruption. I dont want to have a capture of a TV show ruined because the anti-virus suddenly decided to kick in.

I've read NOD32 has very fast scanning but I dont know whether its real time scanner would cause problems. Perhaps an on demand only anti-virus would be better.

Speed should not be the prime criteria. More important are:

1. Whether the software allows you to choose what action to take when an alleged malware is detected. Otherwise, false positives may lead to an "automatic cleaning" of the files. This problem has been reported for McAfee VS 10.

2. How effective is the detection, and whether the software is more likely than others to produce false postives.

3. Frequency of virus definition updates to protect from recently discovered baddies.

4. Impact on other software.

Then I would consider cost and speed.

[lodore]

kaspersky i think because it has only check new or changed files so after the first scan it wont take so long

[Howard Kaikow]

Quote:

Originally Posted by lodore

kaspersky i think because it has only check new or changed files so after the first scan it wont take so long

That's a negative, not a positive.

It is very easy for a program to change dates and times to hide that a file has changed, or is new.

[Don Pelotas]

Quote:

Originally Posted by Howard Kaikow

That's a negative, not a positive.

It is very easy for a program to change dates and times to hide that a file has changed, or is new.

It doesn't work like that, Howard (btw it's an option and not the default setting), but i do agree that speed in the on-demand scan should not the most important thing, effectiveness would be my first criteria.

[Peter2150]

Quote:

Originally Posted by Howard Kaikow

That's a negative, not a positive.

It is very easy for a program to change dates and times to hide that a file has changed, or is new.

True, but lot tougher to hide changes to checksums, and NTFS security descriptors.

[Bubba]

Quote:

Originally Posted by Peter2150

True, but lot tougher to hide changes to checksums, and NTFS security descriptors.

True....and I'll assume that's what lodore was referring to above in regards to "or changed files"....and not just simplistic date\time changes.

[Howard Kaikow]

Quote:

Originally Posted by Don Pelotas

It doesn't work like that

Please clarify.
Other than the dates/times, how can a program guess that a file may have changed.

[Howard Kaikow]

Quote:

Originally Posted by Peter2150

True, but lot tougher to hide changes to checksums, and NTFS security descriptors.

An AV program has no way of telling that content has changed.

[Marcelo]

Quote:

Originally Posted by Howard Kaikow

An AV program has no way of telling that content has changed.

Sorry, but that´s not true. In fact it´s very hard to hide from a security program that a file has changed if that program has stored any kind of checksum of that particular file before it was changed.

[Ned Slider]

Quote:

Originally Posted by Howard Kaikow

Please clarify.
Other than the dates/times, how can a program guess that a file may have changed.

Storing and checking checksum in the alternate data stream (ADS), maybe.

[Howard Kaikow]

Quote:

Originally Posted by Marcelo

Sorry, but that´s not true. In fact it´s very hard to hide from a security program that a file has changed if that program has stored any kind of checksum of that particular file before it was changed.

Of course, but the issue is how the AV program can tell a file has been changed.

[Marcelo]

Quote:

Originally Posted by Howard Kaikow

Of course, but the issue is how the AV program can tell a file has been changed.

The AV program can calculate a checksum of the file and store it on an ADS, as previously mentioned, store it on a database, etc.

If even a single bit of the file is changed the checksum will no longer be equal to the one previously stored.

As I said earlier, it´s actually very hard to hide from a security program that uses this method, and it´s not the only method available, that a file has been changed.

[moody]

Thanks to all for your help. I'm assuming from the lack of comments to the contrary that the data drives do need to be scanned. With this much storage speed is of importance to me as I cant have the system tied up for half a day or more performing a scan. Come fall TV season, there probably wont be a day that the server isnt recording something. Also, as I mentioned in my original post recording videos is very sensitive to having resources diverted even momentarily.

I've gotten one recomendation of Kaspersky, are there any other anti-virus programs that fit my needs?

[lodore]

of course i was the one that said kaspersky but nod32 is also a good option because it does scan fast and doesnt hog resourse so eiether of those two should fit your needs

[Peter2150]

Quote:

Originally Posted by Howard Kaikow

Of course, but the issue is how the AV program can tell a file has been changed.

Howard

KAV does two things it maintains checksums on certain system files that aren't that big. It keeps them in a data base.

For larger files where it takes longer to compute checksums to scan, a database of the files NTFS descriptors is stored. While I confess I only vaguely understand this Kaspersky has explained that not only are changes in the file detected, but if the file remains the same, but is just moved, that can be detected.

[Howard Kaikow]

Quote:

Originally Posted by Peter2150

Howard

KAV does two things it maintains checksums on certain system files that aren't that big. It keeps them in a data base.

For larger files where it takes longer to compute checksums to scan, a database of the files NTFS descriptors is stored. While I confess I only vaguely understand this Kaspersky has explained that not only are changes in the file detected, but if the file remains the same, but is just moved, that can be detected.

If they are doing this in a separate database, that's OK.
I'd really hate to see the day when each app took the liberty of adding application dependent stuff to EVERY file.

Actually, I speak with forked tounge!

I was one of the architects of ISO/IEC 13346 (see http://www.standards.com/index/html?Standards , on which UDF is based. We provided for both application dependent and system dependent optional file attributes that could be used any which way but loose.

Ideally, the file systems could add an attribute tat keeps track of whether a file has changed. That would be a lot better than each app having its own database for the same purpose.

[TonyW]

For Howard, and anyone else who may be interested, here is info from Kaspersky about their iChecker and iSwift technologies:

http://www.kaspersky.co.uk/faq?qid=186010624

[Peter2150]

Quote:

Originally Posted by Howard Kaikow

If they are doing this in a separate database, that's OK.
I'd really hate to see the day when each app took the liberty of adding application dependent stuff to EVERY file.

Actually, I speak with forked tounge!

I was one of the architects of ISO/IEC 13346 (see http://www.standards.com/index/html?Standards , on which UDF is based. We provided for both application dependent and system dependent optional file attributes that could be used any which way but loose.

Ideally, the file systems could add an attribute tat keeps track of whether a file has changed. That would be a lot better than each app having its own database for the same purpose.

Howard it is indeed a separate database and in KAV style well self protected.

and it is fast. Full original scan on my system takes about 55 Minutes. Subsequent scans range between 4-6 minutes.