#1

I am a fairly safe surfer, so on the rare occasion when I have picked up a virus, it has always been in the Internet Temp files, the AV flags it instantly, and a simple delete of the file has taken care of it. Given that all good AVs pick up the baddie when it hits the hard drive (at least that is my understanding), I have often wondered if it is really important to do frequent manual scans with a real time AV running. I suppose a scan should be run now and then in the event there is a virus hidden in a compressed file, but am not expert enough to fully understand how that works among different AVs, and whether or not AVs decompress a zipped installer when it is downloaded, for example.

I am seeking to improve my knowledge here, so opinions and comments of more experienced and/or expert forum members would be appreciated. Thanks.

#2

Hello,

I'll not tell you what I do, as it might not suit your needs, but:

It is wise to scan files you download, especially if they are from friends and such, because this is when your guard is at the lowest. No one has second thoughts about a crack file called gtrs2111.exe. But you might undergo a troy syndrome if some friend sends you a file called latest_trip.pps. This is one of the most important things to remember. Scan the files when you are supposedly safe. Sounds kind of contradictory to logic, but that's how it is.

Now, a golden rule: if you are not sure about the file, don't run it. That's all. As simple as that. No matter what 10 or 50 AV reports tell. And if you trust the file, you might as well skip the scan, because if you are going to run it anyway, why bother with the scan.

One of the best things to do is check the hash of a file you download and compare to that on the site. If this is vendor's site, plus you have reached the file by normal means (search, forum advice etc), then everything is most likely ok.

As to the occasional virus in the temp files, I assume you are using IE? In that case, if you switch to a non-MS browser, you will solve yourself the need for any real-time protection, as superior browsers like Firefox or Opera simply do not respond to drive-by crap and such. Your browsing becomes 100% passive, which means you need to actively execute something.

Mrk
__________________
http://www.dedoimedo.com
All your base are belong to us
Linux Systems Expert / Systems Programmer, Linux System Administrator, LPIC-1, LPIC-2 (WIP), GSEC, CCHD, CCHA

#3

I don't do full scans as often as I think I should - I try to do it weekly, and I've been too lazy to set a schedule for it!
When the AV was first installed, I did a full system scan, but I figure if real-time protection is on anyway, it should be catching anything after that first scan.

#4

Quote:

#5

Weekly for me.
__________________
KIS2011 | Sandboxie 3.46 | Rollback Rx 9.1

#6

This brings up an issue that I have wondered about but never seen mentioned in any of the A/V tests I have read. Is it possible that an A/V will detect some malware in an on-demand scan that it would not detect when that file is requested to be opened or run? It would seem that the automatic background scanning would have the same detection rate as on-demand scans.
Thanks

#7

I know that no AV can ever have a 100 per cent detection rate.
My question was more in terms of whether a typical AV is likely to find something on a full system scan that it would not have found in real time, assuming it starts with a clean machine. In other words, is there something extra that an AV is doing in those weekly scans that it has not already done in real time, or in its initial install full system scan?

#8

Once a week; however, if I'm bored, I might just sneak one in for the hell of it.

#9

Quote:
Some do, some don't, but that's not so important IMO. A malware in an archive should be detected when the archive contents hit the drive, say when you decompress it. An archived malware is harmless.

That said, I never use scanning feature. Never - period. It's boring and resource/time-consuming. I completely rely on real-time protection... OK, I admit, I did a scan with SAS free a month ago or so, found some tracking cookies. Won't do it again, a waste of time.

Of course, this post is not advice, it's a confession. Cheers.
__________________
Nick

#10

Quote:
1. Some AVs, for performance reasons, have a "Smart-mode" setting for the Guard. For example, with Dr Web, this is the only scan mode which can be used for SpIDerGuard. VBA32 and KAV also have this as a setting in the File scan choices. In this mode, it catches only files that are created or updated; files that already exist on the hard drive and are opened or executed are not checked. To overcome this potential weakness, regular on-demand scans on full settings are recommended even though Dr Web/VBA32 have "background scanners".

2. Further, again on performance grounds, a number of AVs do not have archive scanning set as default in the RTM, or if it is, some users may deselect this setting.

However, if the real-time Monitor scans ALL files and does not slow down performance in this setting, then probably only an occasional on-demand scan is needed together with the use of the context-menu scan with newly downloaded files.

#11

Rarely...

#12

Quote:
Same here. I'll run my AV scanner, plus all my anti-spyware etc on-demand scanners once a week, and more often if I'm bored and I fancy watching a progress bar... *watches SAS do another run*

#13

I've set a scan to run once a week on Wednesday at 12.
It's fine for when I was at college but now I'm on the computer at that time during that time so sometimes I cancel the scan. Since getting Kaspersky in December I've only had one alert from it. It was the webav blocking a Zlob trojan when my dad clicked on a link by mistake.

If someone sends me a link on messenger I first ask if they sent it and what it is. Secondly I look at the link to see if it looks safe. Thirdly I check it with linkscanner http://linkscanner.explabs.com/linkscanner/default.asp and if it's fine after that I copy and paste the link into Opera with JavaScript disabled.

The problem is my dad uses IE7 and refuses to use anything else so IE7 is default browser. Once I get my own PC I will put Opera as default browser and I will never get infected due to my safe surfing.

lodore
__________________
useful tools: cure it SAS Hitman Pro mbam KL Eset windows defender offline Sophos

#14

There are certainly reasons why a demand scan may pick up something on-access scanning misses. Usually this will be because the Guard will be configured to reduce slowdowns (hence no scanning of archives, scanning by extension instead of scanning every file, reduced heuristics etc), however it is theoretically possible for an on-access scan to let something through because it does not have the signature at that time; then, after a sig update, a demand scan may pick up what was missed earlier.

In the case of an encrypted file, I suppose it is possible for both on-access and demand scanners to miss something - until it unloads into memory when it could be picked up by a memory scan.

To answer the main question though, on-access scanning is far more important in my opinion; it is not vital for a safe surfer to constantly do demand scans. Once a week is an arbitrary figure; if you have no problems manifesting themselves (in which case you would go into 'safe' mode and scan) once a month or even less would be adequate. I scan about once every 6 weeks these days and even that seems too often!

Scanning individual files you download, before opening them, would be a sensible precaution though.
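
The gaps described in posts #10 and #14 (scan-by-extension, archives left unopened, a signature that arrives only after the file is already on disk) can be modelled with a toy scanner. This is an added example, not code from the thread or from any AV product: the hash-matching engine, the `GUARD` and `DEMAND` profiles and all file names and contents are constructed for illustration.

```python
import hashlib
import io
import zipfile

def digest(data):
    return hashlib.sha256(data).hexdigest()

def scan(files, signatures, extensions=None, open_archives=False):
    """Toy hash-matching scan over {name: bytes}; returns sorted hit names."""
    hits = []
    for name, data in files.items():
        if extensions and not name.lower().endswith(extensions):
            continue  # scan-by-extension: this file is never inspected
        if digest(data) in signatures:
            hits.append(name)
        if open_archives and zipfile.is_zipfile(io.BytesIO(data)):
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for member in zf.namelist():
                    if digest(zf.read(member)) in signatures:
                        hits.append(f"{name}!{member}")
    return sorted(hits)

# Hypothetical profiles: a guard tuned for speed vs. a full on-demand scan.
GUARD = {"extensions": (".exe", ".dll"), "open_archives": False}
DEMAND = {"extensions": None, "open_archives": True}

def make_zip(members):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for member, data in members.items():
            zf.writestr(member, data)
    return buf.getvalue()

# Constructed, harmless byte strings standing in for two detected samples.
SAMPLE_A = b"constructed sample A: signature available from day one"
SAMPLE_B = b"constructed sample B: signature arrives in a later update"
FILES = {
    "setup.exe": SAMPLE_A,
    "slides.pps": SAMPLE_A,                           # extension not on guard list
    "bundle.zip": make_zip({"inner.exe": SAMPLE_A}),  # member inside an archive
    "tool.exe": SAMPLE_B,                             # no signature yet at download
    "notes.txt": b"constructed clean file with nothing to detect",
}
SIGS_AT_DOWNLOAD = {digest(SAMPLE_A)}
SIGS_AFTER_UPDATE = SIGS_AT_DOWNLOAD | {digest(SAMPLE_B)}

def missed_by_guard():
    """What a later full scan reports that the guard never flagged."""
    seen = set(scan(FILES, SIGS_AT_DOWNLOAD, **GUARD))
    return sorted(set(scan(FILES, SIGS_AFTER_UPDATE, **DEMAND)) - seen)

if __name__ == "__main__":
    print(missed_by_guard())
```

Setting `GUARD` to the same values as `DEMAND` leaves only the signature-lag case in the result, which is the one gap a periodic scan covers even with a guard that inspects every file.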

#15

Quote:
'Tis the way to be. I would use Opera more, but because of my slow wireless I need a decent download accelerator (of which there are plenty for FF). (sorry for the off topic)

#16

Personally, I agree with TopperID. Most AVs' on-access scanners are configured adequately to provide protection for most users. Additionally, HDDs are mechanical objects designed and made by humans; they WILL fail at some point, so why push the issue with needless thrashing of performing an AV scan every day?

#17

Why is there a need to right click/scan a downloaded file before it is opened? Wouldn't the same A/V program scan it automatically before allowing it to be opened?
Thanks

#18

Not all AVs scan archives or compressed files with the default on-access scanner settings. Personally I think this is not needed but I do understand why some users do this.

#19

Quote:
However you'd have to be unlucky for that to happen, so I can't say it is essential to scan downloaded files, just prudent - but then I suppose it depends what you are downloading!

#20

Thank you to all for the many thoughtful replies to this thread.
They have provided more food for thought than anticipated. I was aware of the "scan all files" vs. "scan selected file extensions" options, but usually just left it at the vendor's default for both on-access and on-demand. Combining your collective comments with my personal experience on the Net, I am going to cut back full system scans to once a month, and let the real time guard handle the rest, if all seems well.

BTW, in reply to Mrk, I only use IE when I need Flash. I dislike Flash ads, so it is not installed in my primary browser, which is FF. Thanks again.

#21

I usually run about 4 a week. I'll try to run those while I'm out shopping, for example.

#22

When I first install a new AV I run a full scan, then at random times when I get really bored (which means usually never).

#23

Quote:
Seems like a bit much to me, even for a high risk user, but to each his own. If you are not seeing any detections I would reduce the number of scans, but of course it is up to you.

#24

Quote:
I usually run a scan daily (if time permits). YMMV

#25

Once a week here also.