Trend Micro Smart Scan

Discussion in 'other anti-virus software' started by JoeyJoeJoe, Oct 22, 2009.

Thread Status:
Not open for further replies.
  1. JoeyJoeJoe

    JoeyJoeJoe Registered Member

    Joined:
    Oct 22, 2009
    Posts:
    63
    In the early stages of checking out Trend Micro's offering and was wondering what to make of their Smart Scan architecture. From what I can gather, clients determine a file's reputation and decide to scan based on that. If it cannot determine the file's reputation, the client connects to a local SmartScan server for reputation information.

    If that server is not available, it does this (from the Getting Started Guide):

    A client that cannot verify a file’s risk locally and is unable to
    connect to a Smart Scan Server after several attempts:
    • Flags the file for verification
    • Temporarily allows access to the file

    That seems like a vulnerability in the software that could allow a malicious file to execute. Am I reading this correctly?

    Thanks,
    JJJ
     
  2. hutchingsp

    hutchingsp Registered Member

    Joined:
    Aug 2, 2007
    Posts:
    174
    I'm in a similar situation.

    We use OfficeScan on all our clients, and the latest version gives the choice of scan engines, "conventional" or "smart scan", and you can use a local smart scan server (installed on the OfficeScan server), or a dedicated local smart scan server (a downloaded VMware image) or you can use Trend's servers.

    Frankly they seem to be making it, well, not so much complicated but there seems to be quite a few bits that need to be "glued" together to make everything work.

    The thing I would say with smart scan is that it's not the sole scanning method; essentially I believe Trend "tier" threat definitions so that the client has a degree of coverage by the pattern held on the PC and uses smart scan for more in-depth/up-to-date scanning.
     
  3. JoeyJoeJoe

    JoeyJoeJoe Registered Member

    Joined:
    Oct 22, 2009
    Posts:
    63
    Thanks Hutch,

    That's my point entirely. What if there is a threat that is known to Trend's Smart Scan server but the Trend Micro clients cannot communicate with the server?

    It seems that Trend goes ahead and grants access to a file anyway, even if it is suspicious.

    Joe
     
  4. hutchingsp

    hutchingsp Registered Member

    Joined:
    Aug 2, 2007
    Posts:
    174
    That's my understanding.

    I have to admit that despite having read all the literature, and seen various webinars, I remain unconvinced mainly because I've not yet managed to get a satisfactory answer on the issues you raise.

    Yesterday I installed a test OfficeScan 10 server on a VM and configured a couple of clients to scan using SmartScan - I've not done any scientific timing or research; suffice to say the machine feels more sluggish using SmartScan than it is using the conventional scan engine.

    The OfficeScan (with integrated Smart Scan) server is on a dedicated VM on one of our ESX boxes and it's not short of resource.
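
Added example, not part of the thread and not Trend Micro's code: a small Python model of the fallback quoted from the Getting Started Guide in the first post, set beside a block-on-no-verdict policy, showing why files flagged for verification have to be re-checked once the server is reachable again. The class, the hash names and the retry count of 3 are assumptions made for illustration.

```python
from dataclasses import dataclass, field

class ServerUnreachable(Exception): pass

@dataclass
class Client:
    local_verdicts: dict      # hash -> verdict held in the local pattern (constructed)
    server: object            # callable(hash) -> verdict; may raise ServerUnreachable
    fail_open: bool = True    # True models "temporarily allows access to the file"
    attempts: int = 3         # "several attempts"; the exact count is an assumption
    pending: list = field(default_factory=list)  # files flagged for verification

    def _lookup(self, file_hash):
        for _ in range(self.attempts):
            try:
                return self.server(file_hash)
            except ServerUnreachable:
                continue
        return None           # no verdict could be obtained

    def on_access(self, file_hash):
        """Return 'allow' or 'block' for one file access."""
        verdict = self.local_verdicts.get(file_hash) or self._lookup(file_hash)
        if verdict is None:   # unknown locally and server unreachable
            self.pending.append(file_hash)
            return "allow" if self.fail_open else "block"
        return "block" if verdict == "malicious" else "allow"

    def reverify(self):
        """Resolve flagged files once the server answers; return the malicious ones."""
        found, still_pending = [], []
        for h in self.pending:
            verdict = self._lookup(h)
            if verdict is None:
                still_pending.append(h)
            elif verdict == "malicious":
                found.append(h)
        self.pending = still_pending
        return found

def demo():
    state = {"up": False}
    def server(h):            # simulated Smart Scan server with constructed verdicts
        if not state["up"]:
            raise ServerUnreachable()
        return {"hash-b": "malicious"}.get(h, "clean")
    results = {}
    for fail_open in (True, False):
        state["up"] = False   # outage: clients cannot reach the server
        c = Client({"hash-a": "clean"}, server, fail_open=fail_open)
        decisions = [c.on_access("hash-a"), c.on_access("hash-b")]
        state["up"] = True    # server is back: resolve the flagged files
        results[fail_open] = (decisions, c.reverify())
    return results
```

Under the fail-open policy the file the server would have called malicious is allowed during the outage and only surfaces in `reverify()`, so the length and contents of the pending list during server outages are what a defender would want to monitor.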
     