Real-time vs on-demand virus scanning

Discussion in 'other anti-virus software' started by NotATroll, Sep 6, 2012.

Thread Status:
Not open for further replies.
  1. NotATroll

    NotATroll Registered Member

    Joined:
    Sep 6, 2012
    Posts:
    4
    Location:
    United States
    Hi,

    There is something that I've always wondered about and now that I found this website I figured that I would ask. If you have an antivirus program that offers real-time protection (as I believe most do), then why do you need to do scheduled scans of the filesystems? If a virus is just sitting on a disk doing nothing then it is just a potential threat. It is only when it runs that it can cause a problem, but then it should get noticed by the real-time protection. And if the real-time protection doesn't detect it, then how could the filesystem scan have found it? Unless the two scanners have different capabilities?

    I'm sure that there is some aspect of this that I am missing, but I'm not sure what it is. I can imagine various scenarios but have no way to figure out which ones are valid.

    Tx.
     
  2. mattbiernat

    mattbiernat Registered Member

    Joined:
    Aug 17, 2012
    Posts:
    179
    Location:
    U.S.
    because deep scan is more thorough.
     
  3. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,802
    Location:
    Texas
  4. NotATroll

    NotATroll Registered Member

    Joined:
    Sep 6, 2012
    Posts:
    4
    Location:
    United States
    To me, that makes it sound like a deep scan is 'better' at detecting viruses than real-time protection is. Does that mean that one should schedule frequent deep scans, since a virus is more likely to go undetected by the real-time protection?
     
  5. TheWindBringeth

    TheWindBringeth Registered Member

    Joined:
    Feb 29, 2012
    Posts:
    2,089
    I think it means you should get rid of that AV program (or reconfigure it to be thorough when performing real-time scans).
     
  6. NotATroll

    NotATroll Registered Member

    Joined:
    Sep 6, 2012
    Posts:
    4
    Location:
    United States
    And that was basically my question. If one type of scan is as good as the other, then why do both? In the 'Ask Leo' column that was linked to in an earlier post, he mentions:

    For what it's worth, I actually don't run a real-time scan, since I'm fairly well protected in other ways and find that real-time scans can occasionally interfere with the performance of my machine. They've also been known to cause other anomalous behaviour - most commonly with email. I do, however, run an on-demand scan which is scheduled every night.

    I understand his reasoning, but it seems to me that, if at all possible, you want to at least run real-time protection. What happens if you manage to D/L a virus that gets run soon after? Deep scan isn't going to help you much there. I'm talking here about the average user, not someone more advanced who understands how to put more extensive countermeasures in place.
     
  7. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    3,770
    Location:
    Nicaragua
    Hi Tx, until you find your own way of being "fairly well protected in other ways", keep the real time scanner. The real timer helps you prevent getting infected, the on demand scanner doesn't.

    Bo
     
  8. phalanaxus

    phalanaxus Registered Member

    Joined:
    Jan 19, 2011
    Posts:
    499
    Imo there are some reasons why security software offers on-demand scans and real time protection together:
    -After the first install almost all security software will alert you to have a full scan to both see if you are infected and if you have malicious files that are sitting dormant
    -In case you don't want to run real time protection
    -In case new signatures or behavioral patterns get pushed, to detect dormant malicious files. Regular users generally treat missed dormant malware and malware traces as failures which reflects to their marketing/sales
    -To scan removable media like pendrives and external hard drives (i.e. you might want to check your pendrive you haven't used in a while before using it in other people's computers)
     
  9. TheWindBringeth

    TheWindBringeth Registered Member

    Joined:
    Feb 29, 2012
    Posts:
    2,089
    I personally don't automatically associate on demand or scheduled scans with boot scans, but perhaps the latter type of scenario is worth distinguishing. I've never felt comfortable relying solely upon scanning which occurs within an environment that could potentially be compromised. I would think bootable disc scans the conservatively best way to approach that.
     
  10. NotATroll

    NotATroll Registered Member

    Joined:
    Sep 6, 2012
    Posts:
    4
    Location:
    United States
    Thanks for all of the responses to my questions. Here is what I've gotten out of it so far:

    - Real-time scanning is a must, unless you have some other 'equally effective' way of protecting your system
    - One of the best reasons to use deep scans is to 'clean' removable media that is going to be used in someone else's system
    - Other than that, deep scanning is a worthwhile thing to do, but not absolutely necessary.
    - Having said all that, there is probably no reason not to use them both (I am a believer in the 'belt & suspenders' approach to these sorts of things)
    - Offline scans are also a useful tool

    This pretty much confirms what I have always believed. But it is good to hear it from a group of people who have no agenda in this area (I hope ;-).

    So, what are the other things that the 'Ask Leo' column alluded to that you can do to protect your system? Here's what I can come up with off of the top of my head:

    - 'Non-virus' scanners like Malwarebytes
    - Host file block lists like MVPs & HP
    - Running risky applications in a sandbox (e.g. sandboxie)
    - Running applications inside a virtual machine
    - A well-configured firewall
    - The intelligent use of throwaway email addresses
    - DNS filtering (e.g. OpenDNS)
    - Keeping your SW up-to-date with the latest (working) security fixes
    - Basic common sense
    - Use Linux ;-) (My bias, not a troll)

    Thanks
     
  11. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    2,969
    Location:
    U.S.A.
    - 'Non-virus' scanners like Malwarebytes :thumb:

    - Host file block lists like MVPs & HP
    Manual process that most people forget to maintain as time goes by. Can also impact PC performance. An alternative to this is SpywareBlaster.

    - Running risky applications in a sandbox (e.g. sandboxie)
    Good but not foolproof. Malware has been known to "jump" sandboxes. They are also a pain to configure properly. Note that Kaspersky is dumping its sandbox feature in its 2013 ver.

    - Running applications inside a virtual machine
    This is usually done for testing purposes. Very resource intensive. On WIN 7 boxes, many people using a VM regularly have 16 GB of memory.

    - A well-configured firewall :thumb:

    - The intelligent use of throwaway email addresses :thumb:

    - DNS filtering (e.g. OpenDNS) :thumb:

    - Keeping your SW up-to-date with the latest (working) security fixes :thumb:

    - Basic common sense
    If this were true, phishing wouldn't exist. A better approach; trust nothing that is Internet based.

    - Use Linux ;-) (My bias, not a troll)
    A security myth like using an Apple OS. The main reason these OS are not hacked as often is numbers; there are far fewer installations than Windows OSes. Hacking is a money game these days. Hackers target areas with broadest exposure hence greatest payback.

    The best prevention you did not mention - get yourself a good disk imaging program and do regularly scheduled image backups. This way if you get infected, you restore your hard drive and you're good to go. The WIN 7 backup is OK but is restricted in functionality.
     
  12. guest

    guest Guest

    Is there an antivirus with only a real time scan?
    I have tried to do a search on it and had no luck.
    If anyone knows of one could you post a link or
    name of the program, thanks :D
     