Scan when writing only

[trjam]

On several occasions I have send where some have stated to set your AV up to scan only when writing. Reason is for increase speed which I can see were it would be true. My question is, what do you need to do, add, or change to be able to do this and have adequate security. I am sure others might want to know. Benefits? Dangers?

[Zombini]

Quote:

Originally Posted by trjam

On several occasions I have send where some have stated to set your AV up to scan only when writing. Reason is for increase speed which I can see were it would be true. My question is, what do you need to do, add, or change to be able to do this and have adequate security. I am sure others might want to know. Benefits? Dangers?

I'm not sure I understand this. Scan on Write will kill the system performance. Most AV products scan on close, when the file was opened for write. There are some like Kaspersky that will delay the scan on close as an optimization.

[Bob D]

VBA32 (scan only new files), Dr Web (smart mode), KAV and others have such a feature.
The key is understanding how it works.
Apparently when that option is selected: all files created / written to disc are scanned, BUT existing files can be opened and existing executables run (i.e.: program executables) without scanning, but these files will be scanned at their closure.
Running with this option, of course, explains the importance of prior running Full System Scan to make sure your system is clean.
I know of no risks/dangers when running in this mode.

[trjam]

thanks Bob, this is what I have the Guard set to with Avira on one machine and it makes even more of a difference in speed.

[bellgamin]

Quote:

Originally Posted by Bob D

Running with this option, of course, explains the importance of prior running Full System Scan to make sure your system is clean.
I know of no risks/dangers when running in this mode.

Shouldn't I also do a scan of all downloads before executing them? Or will Avira's "scan when writing" automatically scan all new files?

[ggf31416]

The problem with scan when writing in Antivir is that the AV does not block reading/executing an detected file when set to this mode.

[Bob D]

Quote:

Originally Posted by bellgamin

Shouldn't I also do a scan of all downloads before executing them? Or will Avira's "scan when writing" automatically scan all new files?

Manual scans of DLs are always prudent.
Note: I have no current experience with Avira, but I assume upon DL, and subsequent saving (writing) to your HD, said file will be scanned.
Easy enough to test. Email yourself the Eicar.com file. DL and save to disc. See what happens.

[lodore]

whenever ive downloaded a file and then scanned it with kaspersky the scan ends right away and says reason ichecker which means it must of been scanned on its way in.
im not sure about other antiviruses thou.
but since these type of modes are default i very much doubt they will misses malware when in this cofigaration.
lodore

[Kees1958]

Tweeking with your AV settings depends on your other security aps and usage habits. This is an open door answer and can only be answered by yourself. But there are a few considerations to make, see mine for example:

PC1: Multimedia (lot of P2P, downloading of paid music, web browsing)
- XP Home in Admin
- policy sandbox = DefenseWall
- AV = Avast with standard shield off, heuristic normal

Reason DW nails down all downloaded files through threatgates, so Avast standard shield is set off, only incoming data streams are scanned (Network, Mail, P2P, Web). Advantage as early as possible detection. Disadvantage a slightly higher 'ping' and you need to run a full scan before backup. With this light setup the multimedia AMD Athlon64 (2,6GHz/800FSB/1,5GigRam) runs as fast as gaming dual core (@3,2GHz/1600FSB/4GigRam)

PC2: On-line gaming
- Vista in LUA (quiet mode)
- policy sandbox = GeSWall
- AV = Antivir with scan at write only, heuristics set to high

Reason, ping is holy grale in gaming. Rig has Raid0 with cache enabled, write delay is not noticable in this setup. Another reason to check at writes: GW does change the status of a file from untrusted to trusted when you copy it to another disk (DW always keeps status), therefore I would like to check the file at writes again (e.g. a copy). Advantage is on-line speed, disadvantage discovery in a later phase (with higher risk). This was reason to set heuristics to high.

For years we are running simular setups, never infected. On the security play PC (now given to family) I never had AV in real time and tested a lot of malware Bitdefender and on-line scans never found a thing.

Regards