A question for my fellow IT peeps out there

What schedule, if any, do you use for running Antivirus and malware scans on your desktop PCs? I want to get an idea of what the best practice is. Currently, we are running AV scans every Tuesday and Thursday at lunchtime and a malware scan at lunchtime on Wednesdays. I personally think this is a tad bit excessive but am not sure what others do.

The problem is that the scans crush our older PCs here pretty hardcore and our call center is starting to complain of sluggishness during the scans. After-hours scans are pretty much out since our CIO doesn't want the desktop PCs to be running after hours when nobody is there. I am either going to have to cut back on scan frequency or look into a technology refresh for our desktop PCs in some of the departments.

SnowDragon 17 years ago

Working as a systems administrator we had the very same issues. We finally broke down over time and have purchased several items that work extremely well. (sometimes a little too well, but we have our security settings pretty tight)

Unfortunately cost may be an issue here with your company depending on size, etc., but we have federal laws that we have to follow so it cannot be avoided. Here is a breakdown of what we use, and understand that it is basically a triple protection against everything.

First off we do not have antivirus or anti malware/spyware on any of our workstations. We use all of our software at the firewall level before it hits our main production servers. I can do a demographic for you if that is required because although it may be simply done it can be a little confusing without seeing it firsthand.

First we have our firewall. From there it hits a server that runs "InterScan" (made by Trend Micro), which can be configured with many rules as to what to block. This covers not only viruses but also other things such as disgruntled employees' emails and such. Then it hits a program called "Proofpoint"; this kills all spam. And I literally mean all spam and anything else you want to restrict.

Then most of all we have this program called "Sanctuary", made by SecureWave. This neat little program, if configured correctly, can block any spyware or viruses or malware or stupid little toolbars on your Internet Explorer from being activated. Basically it runs opposite from a blacklist. It is a whitelist program that allows you to create a whitelist of those things that are acceptable, and everything else is not. You can configure it to allow certain people access to approve if something can be installed. I mean this program blocks all the way down to .dll's and such.

For instance, on your initial scan of a computer you did not have Windows Media installed. Well, Mr. Supervisor needs to watch his daily Family Guy clip, but when he clicks on it he gets an error. So he calls you and kindly informs you that he is going to start firing people if he can't watch his Family Guy. You can grant him access a couple of ways. First, you can be real nice and put him in non-blocking mode and he will be prompted to install each little item. You can uninstall the program, thereby eliminating that altogether, but then he can download anything he wants. Or better yet, you can associate the file with a group and either allow everyone access to it or you can assign certain people to that group that can have that installed.

(Example 2) Now for instance someone has a toolbar that gives them the latest recipes and tracks what web sites they go to, etc. Well, if that program was not on the approved list when you set it up, then even though they have it already installed on their computer it will deny access to that program. You can have it inform the person that it denies them or you can have it work silently so it doesn't work. It also has a hardware list as well, but you can read up on it if it sounds of interest to you.

I do recommend all of these programs even though some of them can get a little hefty in the pocketbook. We have been running them for some time and have not seen a single virus or malware/spyware issue. And best yet, we don't have to do any maintenance on the computers. All we have to do is update the software at a server level.

You can google every one of those programs. Or ask me if you want more information. No, I don't sell this stuff and I get no commission or anything like that.

By my hubby
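The default-deny behaviour described in the post above (approved files tied to groups, a non-blocking mode that prompts, and silent or notified denials) can be sketched as follows. This is an added illustration, not part of the original post and not Sanctuary's own code; identifying files by SHA-256 hash, the `AllowlistPolicy` class, the group names and the sample byte strings are all assumptions made for the example.

```python
import hashlib
from dataclasses import dataclass, field

EVERYONE = "everyone"  # hypothetical group that every user belongs to

def digest(content: bytes) -> str:
    # Assumption: a file is identified by the SHA-256 of its contents.
    return hashlib.sha256(content).hexdigest()

@dataclass
class AllowlistPolicy:
    approved: dict = field(default_factory=dict)    # file hash -> groups allowed to run it
    membership: dict = field(default_factory=dict)  # user -> groups the user belongs to
    non_blocking: set = field(default_factory=set)  # users who are prompted instead of blocked
    notify_on_deny: bool = True                     # False means denials happen silently

    def approve(self, content: bytes, group: str = EVERYONE) -> None:
        self.approved.setdefault(digest(content), set()).add(group)

    def decide(self, user: str, content: bytes) -> str:
        # Default deny: anything not explicitly approved for one of the
        # user's groups is refused, including files already on the disk.
        allowed_groups = self.approved.get(digest(content), set())
        user_groups = self.membership.get(user, set()) | {EVERYONE}
        if allowed_groups & user_groups:
            return "allow"
        if user in self.non_blocking:
            return "prompt"
        return "deny-notify" if self.notify_on_deny else "deny-silent"

# Constructed stand-ins for file contents (not real binaries).
MEDIA_PLAYER = b"constructed media player image"
MEDIA_DLL = b"constructed codec dll"
TOOLBAR = b"constructed recipe toolbar"

def demo() -> dict:
    policy = AllowlistPolicy(membership={"supervisor": {"media-users"}, "agent": set()})
    policy.approve(MEDIA_PLAYER, "media-users")
    policy.approve(MEDIA_DLL, "media-users")
    results = {
        "supervisor_player": policy.decide("supervisor", MEDIA_PLAYER),
        "agent_player": policy.decide("agent", MEDIA_PLAYER),
        "agent_toolbar": policy.decide("agent", TOOLBAR),
        # One changed byte gives a different hash, so the DLL is no longer approved.
        "tampered_dll": policy.decide("supervisor", MEDIA_DLL + b"\x00"),
    }
    policy.non_blocking.add("agent")
    results["agent_toolbar_non_blocking"] = policy.decide("agent", TOOLBAR)
    policy.non_blocking.discard("agent")
    policy.notify_on_deny = False
    results["agent_toolbar_silent"] = policy.decide("agent", TOOLBAR)
    return results

if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case}: {verdict}")
```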

Mylec 17 years ago

We do have some similarities to our setup. We have Cisco PIX boxes (firewalls) on the edges of our network. We also have SurfControl's product line. We have their Web filter piece and their Email filter piece already up and running, and are going to implement the Threat Management piece (malware) soon. We use CA's Internet Threat Management software, which consists of eTrust AntiVirus and eTrust Pest Patrol, on all our desktops. It is a server-managed setup, where we can push installs out to the desktop and configure them from the server, as well as set up scheduled jobs to run across all machines or certain PCs. We do not have any endpoint security in place at this time at the desktop level, but we are in the process of purchasing a product called Device Wall, which is also a policy-based product (works with AD) to control all physical ports on the PCs. It is actually pretty cheap (about 28 bucks per seat if I remember right) and is better than what some companies do. I have heard of some that actually put glue or epoxy into the USB ports on the desktop machines to prevent people from being able to use their USB drives or iPods lol.

Personally, I think we are pretty damn secure (nobody is perfect), not to mention that the AV product already scans all incoming and outgoing files from a machine in real time. I would just hate to cut back on scans and have something get through that crushes our network. I think that is probably what we will end up doing, though, at least until I can budget to replace the PCs in our call center. I have already heard back from some other people I know in the field that say they never run scan jobs unless a PC starts showing signs of being infected.

Temprah 17 years ago

I'm no IT but I just wanted to say I know that my company runs a Symantec AV system scan once a week during scheduled lunch time (I am usually working thru so I snooze it hourly until I leave and just leave my machine on). We're a pretty big company and what I understand is that is how all the different business units handle it. Everything is done firewall side like you mentioned, so we users never see anything except a scan notice in our emails sometimes and then the weekly one run on each desktop. And yeah, that scan does slow it to a major crawl and we don't use extremely old / outdated machines IMO.