
On Access Scanning - Servers

Hi, in this Sophos KB here - https://community.sophos.com/kb/en-us/114345

It mentions that On access scanning should be enabled.

In the past our IT provider has mentioned that on access scanning should be disabled on servers (with a weekly scan set up) and PCs should have on access scanning enabled.

With the different ransomware attacks I am nervous that if there was a device infected (for example a laptop which didn't have up to date AV),

because on access scanning is disabled, would the ransomware encrypt the servers without detection?

Is on access scanning something we should turn on for servers?

Thanks



  • Hello dan dunn,

    on access scanning should be disabled on servers (with a weekly scan setup)
    once in a while I have to talk to some freelance computer expert or a specialized equipment retailer's technician who seems to think what they've learned about AV in the 1990s is all there is to know, INT 13 is the biggest threat, scanning means rummaging through a file until you find a telltale string, and best practice is still what it was then.

    Arguably if all endpoints are reliably protected and "nothing" is ever downloaded, imported, or executed on the server itself, the potential double scan (note this applies to files written; files only read are not rescanned on the server) is superfluous. Interestingly the discussion stops whenever a claim is made that AV consumes too many resources and I ask for hard numbers.

    Now, ransomware on a client would encrypt the files it can write to, this should be only (writable) data on the share but not the server's files - bad enough. Traditional AV wouldn't be able to prevent this, Intercept X claims to be able to detect such an attack. As the recent Wanna has again shown attacks on the server from the outside are not impossible (remember Blaster?). There's a chance though that (even traditional) AV detects one of the precursors or initial actions of the final payload.
    And with roaming/mobile devices and BYOD you never know about the state of AV on the client, so ...

    Just my two cents

    Christian
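The scenario Christian describes, a client with write access to a share encrypting whatever it can reach while the server only rescans files that are written, is what a behavioural check over file-change events would look for when on-access scanning on the server is off and the weekly scan is the only AV pass. The following is an added example, not code from this thread or from Sophos: it takes constructed change events (timestamp, client, path, content written), measures the Shannon entropy of each write, and flags clients that push a burst of high-entropy writes within a short window. The event format, thresholds and client names are assumptions made for the illustration.

```python
"""Behavioural detection of ransomware-style mass encryption on a file share.

Added example, not part of the forum thread and not a Sophos API. It models
change events as (timestamp_seconds, client, path, bytes_written) tuples,
which is an assumed format; a real deployment would feed it from file-server
audit logs or a filesystem watcher.
"""
import math
import random
from collections import defaultdict


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: plain text sits around 4-5, encrypted or compressed
    content approaches 8. Empty input is defined as 0."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def flag_suspicious_clients(events, window=60, min_writes=20, entropy_threshold=7.0):
    """Return {client: burst_size} for clients that wrote at least
    `min_writes` high-entropy files within any `window`-second span.

    A few high-entropy writes (a zip archive, a photo) are normal; the rate
    is what distinguishes encryption of a share from ordinary work.
    """
    high_entropy_writes = defaultdict(list)
    for ts, client, _path, content in events:
        if shannon_entropy(content) >= entropy_threshold:
            high_entropy_writes[client].append(ts)

    flagged = {}
    for client, stamps in high_entropy_writes.items():
        stamps.sort()
        start, worst = 0, 0
        for end, ts in enumerate(stamps):
            # Slide the window start forward until it spans <= `window` seconds.
            while ts - stamps[start] > window:
                start += 1
            worst = max(worst, end - start + 1)
        if worst >= min_writes:
            flagged[client] = worst
    return flagged


# ---- Constructed sample events (assumed hosts and paths) -------------------
_rng = random.Random(1)


def _random_blob(size=1024) -> bytes:
    """Stand-in for encrypted or compressed content (deterministic seed)."""
    return bytes(_rng.getrandbits(8) for _ in range(size))


_PLAINTEXT = (b"Quarterly report: revenue was flat, costs rose slightly. " * 20)

SAMPLE_EVENTS = (
    # ws-01: ordinary document edits, low entropy, never flagged.
    [(t, "ws-01", f"\\\\fileserver\\finance\\report{t}.txt", _PLAINTEXT)
     for t in range(0, 50, 10)]
    # ws-02: three zip uploads, high entropy but far below the rate threshold.
    + [(t, "ws-02", f"\\\\fileserver\\shared\\archive{t}.zip", _random_blob())
       for t in (0, 10, 20)]
    # laptop-07: thirty high-entropy overwrites in thirty seconds.
    + [(100 + i, "laptop-07", f"\\\\fileserver\\shared\\doc{i}.docx", _random_blob())
       for i in range(30)]
)


if __name__ == "__main__":
    for client, burst in flag_suspicious_clients(SAMPLE_EVENTS).items():
        print(f"ALERT {client}: {burst} high-entropy writes in one window")
```

Running the block prints an alert only for `laptop-07`; the zip uploads from `ws-02` are high-entropy but too few to cross the rate threshold, which is the edge case the `min_writes` parameter exists for. Such a check complements rather than replaces on-access scanning: it fires after some files have already been overwritten, so its value lies in cutting the client's session quickly and in pointing the restore at the right files.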

