On 09/14/2011 09:20 AM, Dan wrote:
At 12:36 PM -0400 9/13/2011, Bryan Burke wrote:
> No one has suggested "maximum". The issue is that the mirrors are so
> overloaded that it's often taking freshclam an excessive amount of
> time to do its thing, because of the time-outs / connection
> failures. No big deal if it's the update run in the background. But
> if it's on-demand update preceding a user-driven scan, it's making
> the user sit there, twiddling their thumbs, for up to a minute or two.
I do not recommend my users do their own scans. My recommendation is for
scans to be scheduled to run during downtime such as at night or weekends.
Are we really having this protracted discussion, because we don't
want someone to have to sit for "up to a minute or two"?
This problem seems overstated. I mean, are we talking about on-demand
scans perhaps a dozen or more times per day, every day? i.e. is this
adding up to hours of lost time every week? If so, is it really such
a problem to have a database that is *at most* 2 hours out-of-date
(the default)? Do you need to do an update before *every* on-demand
scan? And why can't that be solved (if it is, in fact, an issue) by
increasing the check frequency to, say, every hour?
Is it appropriate to ever do a scan against an outdated database? I've
been told time and again never to do that!
This depends on whether it is an "on-demand" scan. If I have my AV set
to do on-demand scanning (which I do have enabled for Windows because of
the overwhelming preference of virus writers to target Windows) then I
ABSOLUTELY do not want the signatures to be updated every time a scan is
done. My Internet connection and the update servers would be overwhelmed
by such aggressive updating; I would think it would be considered an attack.
On the other hand, if I suspect I have downloaded an infected file,
whether it be from the Internet, removable media, or LAN, then yes, I
normally would want to be sure I had the latest signatures. Now this
often involves a download to some other computer and a manual copy to
the suspect computer, as the first thing I do when I truly suspect I have
managed to infect a system is to isolate it so it does not try to
infect the rest of my network or, worse, start sending out replications,
tarnishing my reputation.
In the case of "routine" scheduled scans of file systems, yes, I do not
preferentially care if the signatures are several hours old. These scans
are preventative; they are to see if there is a file that was not noted
as "infected" earlier. If something suspicious turns up, then the
previous paragraph applies.
When a user launches their anti-virus app, they're going to want to
check to see that their definitions are up-to-date. (I would argue
that any app that doesn't force the update check by default is poorly
designed). If that step takes a minute, instead of a few seconds,
then the app becomes painful to use -- making them less likely to do
scans in the future. Not good. Wanna make it worse? Put the user on
a time-metered network connection!
As for overstated... People that are both busy and security conscious
tend to run quite a few scans per day. If each one halts their work
for minutes... Or even if 1000 users have to wait that one minute
just twice a day... then that's many hours wasted. And how many
ClamAV users are there? (By "user", in this context, I mean human at
a desktop or laptop).
"*at most* 2 hours". Are you saying that freshclam should *always* be
run in the background every hour or two *by everyone*, not just on
servers? Can the current mirror infrastructure handle that?
The answer on this is yes, every user should be updating their
signatures every 2 hours, which is why it is the freshclam default. If it
is a work environment, then they should consider a local proxy server
for the signatures to help reduce load on the mirrors. The mirrors
should be scaled (and I believe they are) to handle a majority of the
users directly downloading their own signatures. If they are
security conscious then they should run them every hour.
Currently, as a user app, ClamXav only runs freshclam in the
background once per day, if the user enables such, but I'm sure we
could get the author (Mark) to enhance its scheduling preferences. No
big deal, IF that's the right thing to do. But even then... shouldn't
every on-demand scan first do an update anyway??? (Running the update
once per day isn't my fav design choice. Back in the day, when there
were virtually no malware for Mac OS X, I didn't have a problem with
that. But these days, I think it needs to be fixed. Not an issue for
this forum tho).
Yes, ClamXav should have an easy to set preference to set the schedule.
ClamXav is the first AV I have ever used where the user could not easily
set the update schedule.
The biggest danger is "zero hour" infections, and running updates once a
day is practically as bad as not bothering to run updates at all. Now, as
a mitigating factor, the number of OS X viruses and worms is low; malware,
on the other hand, is not so much platform specific and is a bigger threat
if less harmful (except for phishing).
--
Jim Preston
jimli...@commspeed.net
_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml
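The middle ground the thread circles around (refresh signatures before an on-demand scan, but only when the local database is actually older than the freshclam check interval, so routine scans don't wait on overloaded mirrors) can be scripted. This is an added example, not code from the thread or from ClamAV; the database directory, the two-hour threshold and the file names checked are assumptions.

```shell
#!/bin/sh
# Added example: run freshclam before an on-demand clamscan only when the
# local signature database is stale, then scan with whatever database exists.
# Assumptions: GNU or BSD stat/date; /var/lib/clamav is the usual Linux default.

DB_DIR="${CLAMAV_DB_DIR:-/var/lib/clamav}"
MAX_AGE_SECS="${MAX_AGE_SECS:-7200}"   # 2 hours: the freshclam default of 12 checks/day

# Modification time of a file in epoch seconds (GNU stat first, BSD stat fallback).
mtime_of() {
    stat -c %Y "$1" 2>/dev/null || stat -f %m "$1"
}

# Return 0 (true) if the newest database file in $1 is older than $2 seconds,
# or if no database file is present at all; return 1 otherwise.
db_is_stale() {
    dir=$1; max=$2; now=$(date +%s); newest=0
    for f in "$dir"/main.cvd "$dir"/main.cld "$dir"/daily.cvd "$dir"/daily.cld; do
        [ -f "$f" ] || continue
        t=$(mtime_of "$f")
        [ "$t" -gt "$newest" ] && newest=$t
    done
    [ "$newest" -eq 0 ] && return 0      # no signatures at all: definitely stale
    [ $((now - newest)) -gt "$max" ]
}

# On-demand scan wrapper: update only when stale; a failed update is logged
# and the scan still proceeds with the existing database rather than blocking.
scan_with_fresh_db() {
    if db_is_stale "$DB_DIR" "$MAX_AGE_SECS"; then
        echo "signature database older than ${MAX_AGE_SECS}s, running freshclam" >&2
        freshclam --datadir="$DB_DIR" || echo "update failed, scanning with existing database" >&2
    fi
    clamscan --database="$DB_DIR" -r "$@"
}
```

Invoke as `scan_with_fresh_db /path/to/scan`; lowering MAX_AGE_SECS to 3600 gives the hourly policy suggested in the thread without forcing an update on every scan.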