Preparing to Scan
As is the case with many capable software products, Powertech Antivirus can occupy excessive system resources if care is not taken during deployment. In this section, you will learn the key concepts needed to plan the most appropriate scanning approach for your environment.
In this section you will learn:
- An overview of Powertech Antivirus' two scanning methods: On-Demand and On-Access.
- How to target potential threats
- Tuning parameters and configuration methods that can be used to limit resource consumption
On-Demand vs. On-Access scanning
Powertech Antivirus' two scanning methods can be used separately or in tandem to address all potential threats on your systems.
Using On-Demand Scanning
On-Demand scanning is run ‘on-demand’, that is, when started manually, or when scheduled.
This can be done in a few ways:
- Invoking the avscan command from the command line on the Unix endpoint.
- Invoking the avscan command in a scheduler (such as cron) on the Unix endpoint.
- Invoking the On-Demand Scan options using the Insite web browser console.
In order to run an On-Demand scan from the command line or from a scheduler, you must pass the configuration for the scan using the parameters of the command. (See avscan command.)
In order to run an On-Demand scan from Insite, you must:
- Open Insite and create an On-Demand Configuration.
- On the Endpoints screen, for an endpoint, check the endpoint and choose Run Scan.
- In the Run Scan screen, choose the Configuration and then Save and Run or Run.
Using On-Access Scanning
On-access scanning is ‘real-time’ scanning. Essentially, you set a configuration that includes several directories that you wish to continually scan. You can then decide whether to scan when a file is opened or when a file is opened and closed. This runs continually as a service.
When applications open files that require scanning, there is a delay while the system completes the scan. For most files, the scanning takes only a fraction of a second. However, large files, archive files, and compressed files can take several seconds or minutes. Once a file has been scanned by the on-access service, the scan result is stored in a cache for the file system if the file system cache has been enabled for the service. The cache is consulted the next time the file is accessed, and if it has not been modified, it will not require scanning again and access will be faster. The cache is cleared completely upon on-access service exit, update of virus definitions, or significant changes to service configuration. Individual items in the cache are also subject to size and time-to-live constraints and are configured in the service configuration. Archive scanning takes additional CPU resources and can be disabled. Please note many viruses come in the form of .zip archive files.
On-Access scanning can be configured locally (on the UNIX endpoint) or using Insite.
Local configuration
Set the [avsvc] stanza in the config.ini file located in /opt/sgav
[avsvc] is only for the on-access scan service. If you change the defaults in here, you must reload or restart the avsvc service depending on which default has been changed.
Insite configuration
You can create an on-access configuration within Insite and deploy it to the Unix endpoint. When you change the configuration in Insite, the config.ini file is overwritten on the target Unix endpoint and the service is reloaded. You can only have one on-access configuration running at any one time.
What should I scan?
As a Unix system administrator, you should know your own systems. If you don’t know what filesystems are used for in your Unix system, then you should educate yourself and find out. Helpsystems cannot tell you what and what not to scan, we can only provide guidelines.