There isn't, as far as I'm aware. Nor am I certain that this would be a good idea.
Yes, the intention is good, but consider the following (pretty likely) scenario.
1 - "Joe Six Pack" checks e-mail.
2 - One of a multitude of sources sends an infected e-mail / binary that either hadn't been detected on the e-mail server, or it was a password-protected archive ... or even just a file downloaded.
3 - This file is run.
4 - AV's real-time scanner detects it, and goes "bang" - reboots the machine (losing anything the poor fellow had open), and running a full scan.
The full scans usually make more sense (to me) to be run at a specific day/time (Friday in particular being a good one), since the AV will prevent the execution of infected files, even if the real-time AV can't clean it for whatever reason (but the full-scan engine can)?
I'm tentatively thinking of a "good intentions potentially bringing down the sky" scenario just presenting itself with this trail of thinking.
Hope this helps a bit.
- Paul Hoffmann
LANDesk EMEA Technical Lead
Thanks for the reply Paul. In some instances I have seen where real time fails to quarantine an infected file but by running a full system scan, it takes care of it. I have also run into where the full scan also isn't able to clean it. I guess part of my thinking was that some AV engines will initiate a scan at boot up when a virus is detected in an attempt to clean the virus before it has a chance to load itself back into memory. This I would assume is based on the virus and what is required to successfully clean it. I am not sure if Kaspersky engine ever does this.
With regards to the reboot or scan, I would hope to be able to control the behavior just as you do in the scan and repair settings to avoid unexpectedly kicking a user off their system etc. We do have a full scan scheduled to run every Sunday but with PCI requirements, we need to remediate the infection as quickly as they are detected.
I do have a scheduled query that runs every day that basically shows me any systems that have infected files. I was toying with the idea of being able to initiate a scan based on this query but it wouldn't be realtime, just at the time of the scheduled query. I am not sure if this is feasible though.
As Paul said there are a number of reasons this may not be a good idea, however you can have a full scan automatically trigger using the Alerting module.
In alerting configure an action for Run On Client. Make the action:
c:\program files\landesk\ldclient\antivirus\ldav.exe /scancomputer
Add that action to an Antivirus alert such as Infected Item Quarantine Failed.
Push out the resulting ruleset.
One downside is that when an event such as an infection not being quarantined occurs you can have several such events at once (i.e., one virus can equal several files quarantined or unquarantined). However, in my limited testing only the first scan will run and subsequently triggered scans will nicely fail. So on a practical level this is not an issue.
I would tend to agree with Paul that this approach could be considered rather heavy by end users but you could use a similar method that (rather than triggering an A/V scan) generates an e-mail to your ServiceDesk product that auto-assigns to someone with authority to decide when/if a full scan gets scheduled. This would give you tracking for auditors and still automate much of the response.
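As an added example (not from PK's post and not LANDesk's own code), the Run On Client action could point at a small PowerShell wrapper instead of calling ldav.exe directly: it takes a machine-wide mutex so a burst of "quarantine failed" alerts starts only one full scan, and writes a timestamped log line per trigger for audit tracking. The script name, the mutex name and the log path are assumptions; the ldav.exe path and the /scancomputer switch are the ones given above.

```powershell
# Hypothetical wrapper script (e.g. run-alert-scan.ps1), not part of LANDesk.
# Serialises full scans triggered by AV alerts and logs each trigger for auditors.
param(
    # Path and switch as quoted in the thread above.
    [string]$LdavPath = 'C:\Program Files\LANDesk\LDClient\antivirus\ldav.exe',
    # Assumed log location; any directory the client's action context can write to.
    [string]$LogPath  = 'C:\ProgramData\AvAlertScan\trigger.log'
)

$null = New-Item -ItemType Directory -Path (Split-Path $LogPath) -Force
function Write-Log([string]$Message) {
    $stamp = Get-Date -Format 'yyyy-MM-dd HH:mm:ss'
    Add-Content -Path $LogPath -Value "$stamp $env:COMPUTERNAME $Message"
}

if (-not (Test-Path $LdavPath)) {
    Write-Log "ERROR: scanner not found at $LdavPath"
    exit 2
}

# A Global\ mutex is visible across all sessions on the machine, so when several
# alert actions fire for one infection (one virus, many files) only the first one
# that acquires it launches ldav.exe; the rest exit cleanly instead of failing.
$createdNew = $false
$mutex = New-Object System.Threading.Mutex($true, 'Global\AvAlertFullScan', [ref]$createdNew)
if (-not $createdNew) {
    Write-Log 'SKIPPED: a full scan triggered by an earlier alert is still running'
    $mutex.Dispose()
    exit 0
}

try {
    Write-Log "START: $LdavPath /scancomputer"
    $proc = Start-Process -FilePath $LdavPath -ArgumentList '/scancomputer' `
                          -Wait -PassThru -NoNewWindow
    Write-Log "END: ldav.exe exit code $($proc.ExitCode)"
    exit $proc.ExitCode
}
finally {
    # Release only on the path that acquired the mutex; the skip path above disposed it.
    $mutex.ReleaseMutex()
    $mutex.Dispose()
}
```

The log file gives the "tracking for auditors" mentioned above without involving a ServiceDesk product, and the exit code is passed back so the alerting action can still report a failed scan.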
Ah yes - brain fart on my part, can just throw a command-line back at the client. Thank you for the correction, PK.
I too have seen the real-time components sometimes be unable to clean viruses (though this isn't limited to our own AV, I've seen similar things on SAV and Avast, which I've played with some as well) - think it has something to do with the different approaches real-time components as opposed to full scans do.
One BIG reason why a "full scan" can't remove a virus by the way that's often forgotten is restore points. If Restore Points are enabled in the OS, it's possible for the virus to have a "safe" area that the AV-engine CANNOT get to (I suspect it's one of those "good intentions gone awry" once again situations), so in such cases it's definitely worth turning them off (at least for the duration of the scan).
Then there are just plainly such stubborn viruses that they can be detected, but are a real pain to kill. The best approach there seems to still be to shut down the PC, and simply run an AV scan on the hard-drive from another system (so that nothing is in use / initialised). Painful, but I've seen situations in the past where this was needed. Whether this is down to sophistication of the virus or something to do with the respective AV product is anyone's guess - just trying to give practical experience/advice here.
- Paul Hoffmann
LANDesk EMEA Technical Lead