We are finding it difficult to catch all of our End Points in a scheduled scan. I have tried to adjust the times based on people's shifts, and create daily scans to try to scan those end points that still show as "never scanned".
We have also seen an increase in performance-related issues with Macs when the scan kicks in.
The question I have today, and I am trying to gauge what industry peers are doing, is: if we have Real Time Scanning turned on and scanning everything in real time, is it necessary to have scheduled scans turned on too? If some machines are not being scanned anyway, is there anything to gain by having scheduled scans turned on at all?
It is an interesting question and probably a risk/reward trade off based on the environment and the role of the device.
It's worth noting that the Windows endpoint performs a background scan regardless of a scheduled scan being run. The reg values for it are here: HKEY_LOCAL_MACHINE\SOFTWARE\Sophos\EndpointDefense\BackgroundScanV2
There is the case where you might exclude a file/dir for realtime-scanning for performance. It could be nice to scan the file on demand at certain times. I suppose this is the reason exclusions let you choose what scan type it applies to.
From the UI:
There is an option to scan inside archives and to scan all files for scheduled scans. Realtime scanning doesn't scan inside archives but then you might just detect something sooner?
Maybe if you have a file server, it would be nice to know it wasn't harbouring and sharing malicious files inside archives that an unprotected client could access, unpack and launch. That said, on a file server, scanning all files including archives could take a very long time. To scan just archive files on a file server to fill the gap, I guess you'd have to get quite creative with exclusions as there isn't a "just scan these files" option.