
What is Auto Cleanup

We are currently running endpoint security 9.5 and are slowly modifying it to suit our environment.

Can someone explain the pros and cons for enabling auto cleanup under "On-Access scan settings"?  Are there any cons?

Thanks in advance.

Jason.



  • Hello munta,

    I am very wary to apply anything in production without being very sure the results won't be disastrous

    Well, I won't hide the fact that there's always a slight chance of false positives (guess every vendor could tell a story or two) - and in the worst case it could cripple a computer (it has happened). If the false positive results in a vital system file being deleted, the machines nevertheless usually continue to run; only a subsequent reboot will fail (that's why most AV products don't kill running processes). As long as the machines run you can remediate the problem. Of course, if this happens overnight when you wake up your machines to apply updates and reboot them ... OTOH, the last time something like this happened it didn't make big headlines. As many software updates can cause similar issues, you should be prepared anyway.

    Thus if you are very wary, just run with Deny access only for some time. Or maybe use this setting on one part of your network and automatic cleanup on the other to have a comparison. As they say: YMMV ;)

    Some words on scanning for suspicious files and behaviour monitoring: although it has a higher risk of false positives, it is very useful for dealing with new or changing threats like FakeAV. Malicious and suspicious behaviour always results in at most blocking, and for suspicious files you'd just use Deny access only (there were two or three times when we switched to Delete for the administration's network, as some (otherwise reputable) sites frequently accessed by our users had obviously been poisoned with links to FakeAV).

    What Clean-up does depends on the nature of the threat: malicious files are deleted; if necessary, the clean-up hunts for related files and changes to the environment (e.g. registry and start-up items). Note that this is not a total clean-up (e.g. when the original values of registry keys are not known no action is taken; keys which have no effective function once an executable is deleted are sometimes left). In the case of changed files (PE infectors, macro viruses), clean-up tries to revert the changes and removes the injected code from the executable or document.

    I hope all this is of some use

    Christian

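As an added example (not code from the thread, and not Sophos' own tooling) of the remediation window Christian describes, here is a small Python triage script: it reads a clean-up report, flags hosts where auto clean-up deleted something under a system directory so the scheduled reboot can be held until the file is restored, separates deletions that only break an application, and lists what "Deny access only" left on disk for manual follow-up. The report format, host names, path prefixes and detection names are all constructed for this example and are not the product's real log format or signature identifiers.

```python
"""Triage an AV clean-up report before letting machines reboot.

Added example for this thread; not Sophos' own tooling. The report format
below is a CONSTRUCTED stand-in, not the product's real log format. The idea
follows Christian's observation: a false-positive deletion of a vital system
file leaves the box running until the next reboot, so the window to
remediate is between the overnight clean-up and the scheduled reboot.
"""
import re
from collections import Counter, defaultdict

# Constructed sample report: timestamp, host, action, path, detection name.
# Detection names are placeholders, not real signature identifiers.
SAMPLE_REPORT = r"""
2012-03-14 02:10:11 WS017 Deleted C:\Users\alice\AppData\Local\Temp\update.exe Example/Threat-A
2012-03-14 02:10:12 WS017 Cleaned C:\Users\alice\Documents\budget.xls Example/Macro-B
2012-03-14 02:11:03 WS022 Deleted C:\Windows\System32\drivers\example.sys Example/Threat-C
2012-03-14 02:11:04 WS022 Denied C:\Users\bob\Downloads\crack.exe Example/Threat-D
2012-03-14 02:12:40 WS031 Deleted C:\Program Files\LegacyApp\legacy.exe Example/Threat-E
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<host>\S+) (?P<action>Deleted|Cleaned|Denied) "
    r"(?P<path>.+?) (?P<name>\S+)$"
)

# Hypothetical prefixes (tune to your image): a deletion here is the "vital
# system file" case and should hold the reboot; deletions under the
# application directories break software but not the boot.
BOOT_CRITICAL = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
APP_DIRS = ("c:\\program files\\", "c:\\program files (x86)\\")


def parse(report):
    """Yield one event dict per well-formed line; blank/unknown lines are skipped."""
    for line in report.splitlines():
        match = LINE_RE.match(line.strip())
        if match:
            yield match.groupdict()


def classify(event):
    """Map one clean-up action to what the admin must do about it."""
    path = event["path"].lower()
    action = event["action"]
    if action == "Deleted" and path.startswith(BOOT_CRITICAL):
        return "hold_reboot"      # restore the file (or rebuild) before rebooting
    if action == "Deleted" and path.startswith(APP_DIRS):
        return "app_broken"       # reinstall or verify the application
    if action == "Denied":
        return "still_present"    # Deny access only: the file is still on disk
    if action == "Cleaned":
        return "verify_file"      # disinfected in place: check it still opens/runs
    return "ok"                   # e.g. a deletion under a user temp directory


def triage(report):
    """Summarise a report: action counts, hosts to hold, and per-host to-do lists."""
    counts = Counter()
    by_host = defaultdict(lambda: defaultdict(list))
    for event in parse(report):
        counts[event["action"]] += 1
        verdict = classify(event)
        if verdict != "ok":
            by_host[event["host"]][verdict].append(event["path"])
    hold = sorted(host for host, todo in by_host.items() if "hold_reboot" in todo)
    return {
        "counts": dict(counts),
        "hold_reboot": hold,
        "by_host": {host: dict(todo) for host, todo in by_host.items()},
    }


if __name__ == "__main__":
    result = triage(SAMPLE_REPORT)
    print("actions:", result["counts"])
    print("hold reboot on:", result["hold_reboot"])
    for host, todo in sorted(result["by_host"].items()):
        for verdict, paths in todo.items():
            print(f"{host}: {verdict}: {', '.join(paths)}")
```

Run it against the night's clean-up report before the reboot job fires and pull any host in the hold list out of that job; extend classify() with whatever other paths are vital on your image. On the constructed sample it holds WS022 (a driver deleted under System32), marks WS031 as an application to reinstall, and notes that the file on WS022 handled by Deny access only is still on disk.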