Yusuf On SecuritySecurity news, opinion and advice

Schedule scan, what it is and when to use it

Lets look into the basics of schedule scan also known as on-demand scan (this includes right-click scan). In the days when endpoint relied on anti-virus alone, schedule scan played a critical role in complementing the real-time scan also known as on-access scan. The real time scan is the guard on the tower overseeing anything that moves. Schedule scan however is the guy in patrol doing the rounds, turning the knobs, making sure no one is hiding behind the bushes.

Schedule scan is broadly used for three purposes: 

– You use schedule scan when you first introduce a new AV product to your environment, 

– You use when you want to scan the machines with the new definition(s) released since the last full scan

– You use it when the real-time scan tells you to do so as it cannot delete the remnant of a fragmented piece of malware. 

The rules, features and mechanism to scan a machine was limited to few things in the early days. The scan relied mostly on identity files (i.e. signatures) and therefore was fast and less resource intensive. Perhaps that was enough as the attacks of those days were not as advanced as they are today. Today malware are much more complex, stubborn and multi-staged (command and control servers).

Fast forward a decade and half and it is agreed that schedule scan is still relevant but to a lesser degree. 

Today there are a myriad of mechanisms used, all in tandem to unearth anything dormant in the machine. The efficacy of real-time scanner is superior as the problem of malware are tackled from many front: today real-time scan use AV signature, AI, fussy finger printing, Indication of Compromise(IOC) feeds, global feed from DNS security, feeds from dynamic analysis system, Retrospection Analysis, Custom rule detection if you have set this up, Malware Activity Protection, Exploit Prevention and much more.

This is because the detection mechanism of real-time scan has impressively improved. We no longer rely on AV definition alone. The data available to create intelligence and therefore decisive action is abundant today.

Remember security is based on three principles: technology, people and process. It is important to put the process right. It is recommended that a schedule scan to be well managed and scheduled during non-business hours. If your scan is currently set to kick off within business hours and on say on a Monday. Mostly people are busily using their machines throughout the day but more so at the beginning of the week such as on a Monday or Tuesday. 

When I talk to endpoint security teams and ask about their baseline often the one thing that stands out is the schedule scan timing. Schedule scans are inheritably resource intensive these days. As such it is industry standard to scan endpoints during non-business hours.

Author
Yusuf
Join the discussion

Further reading

What will it take?

A great piece on what it will take to improve the safety of the connected world. Read it here.

Extended detection and response (XDR)

Extended detection and response (XDR) captures threat data from previously isolated security tools throughout the organizations tech stack to enable...

Log4j Vulnerabilities

Towards the end of November, a researcher from Alibaba discovered a fault (CVE-2021-44228) in a well known open-source logging library called...