Is there a way of automatically scanning removable media when attached to a PC? We had an outbreak of Conficker a few months back (don't want to go through that again!) and are still getting the odd memory stick attached by teachers that has Conficker on. I'd be a lot happier if all memory sticks/USB hard drives were fully scanned each time they were attached!
I am also trying to educate staff to ensure their home PCs are fully protected!
Edit - useful info: we're running Enterprise Console 4 and Endpoint Security 9.
As far as I know there is no option to automatically scan removable devices when they are attached to the PC (other than the on-access scanner preventing access to already known threats and all the available device and application control settings).
Threats found by the on-access scanner will be blocked as soon as something tries to access an infected file - making me believe that I am protected even if the device is not fully scanned :-) . This also happens for malicious-looking autorun.inf files, making it even harder for malware to be executed after removable media has been plugged in.
What I intend to do is to "transform" this post into some kind of "pro and con" discussion of why such an option is useful or not (sorry for that ;-) )
Maybe some of the Sophos guys will think about such a feature if there are enough pro arguments for this ;-)
So from the point of someone who's responsible for IT security this kind of option would be really great (if you stop to think about it at this point). All devices which are attached to a PC will be scanned and there will be no chance for malware to install itself or to spread on your network.
OK, so now let's dig a little bit deeper... removable storage nowadays exceeds the TB size, making it bigger than the disks which are built into the PCs (OK, the default USB stick has an average of 8 GB, but this is still a remarkable size to scan).
So let's think about the worst case - someone attaches a 1TB external hard disk to a PC with a "scan external drives" option.
As long as the drive is being scanned it cannot be accessed (it would not make sense if you could access the drive while it is being scanned - because you want the drive to be scanned before it can be used). There are a lot of PDFs on this drive - 10k holiday pictures of the last 5 years are also stored on this drive, as well as a whole bunch of office documents (so let's say approximately 70% of the disk is in use).
Even if you've got the latest hardware, scanning the content will consume far more time than a user is willing to wait. So what will happen?
Users will start to complain...
Users will try to disable the security software...
Users will look for other ways to transfer the data they need (might end up even worse than just attaching a USB stick)...
So maybe I am wrong, but if I were to create a list with all pros and contras, there are far more contra arguments.
- Feels more secure
- slow (no matter what hardware or scanner you're using)
- does not offer a real security advantage (OK, you will get a list of ALL infected files on this disk - but you can also run a full scan from time to time if you really want to know. On-access will block access to an infected file even if you do not run a full scan)
- users will start to complain (worst case, try to disable the security software in order to perform their job)
- regular usage of removable media will become a real pain
So hopefully the community will find more arguments for or against this kind of option.
Feel free to comment on my post :-) maybe you will be able to change my point of view