Do you still need to run scheduled virus scans on machines protected by antivirus packages?

A fellow IT pro said that you should never need to run a virus scan on a PC because most antivirus packages scan the system in real time anyway. Blogger Brad Bird responds to this assumption.

While it is true that the antivirus packages will scan most files against known conditions established by the most currently installed signatures, they do not "scan" the file system in real time. The file system is effectively monitored for accesses and file manipulations done in a way that the antivirus program considers to be a threat.

Okay, let's analyze these facts. I have attended several conferences on IT security and read more than my fair share of reference material on hacking and forensic techniques to protect computers from intrusion. While there is no gospel on this subject, most IT pros that I know, who have a fair amount of exposure in these topics, agree that no one antispam or antivirus product can catch everything.

For example, I am not picking on Symantec specifically, nor will I cite a precise example, but this issue actually happened. The antivirus had current signatures to within a few hours. The server was patched to the most current critical and recommended updates. Yet, there was suspiciously high memory usage on the server in question. It was only upon scrutinizing with Process Explorer from Systinternals, PsList (also from Sysinternals) Netstat, Task Manager, a remote UNC file connection, and a remote port scanner that I was able to confirm that there was an intrusion attempt in progress.

The server had been patched only after a 16-hour time period when a known exploited vulnerability had been published. Through this pin hole, an elevation of privilege attack had occurred. Then a hack tool was installed and a root kit planted.

The root kit hid registry keys, processes, and files from view. Once it was discovered, it was removed easily enough with known tools.

However, other problems were left behind (this was confirmed by file date stamps and checking backups) resulting in another trojan — which the AV supposedly knew about and cleaned — had hold of the machine. This is where the interesting part comes in. The trojan was not actually cleaned. There was human error in that the logs were not scrutinized to confirm that the clean attempt actually failed. This trojan was not the same iteration displayed in the AV package. As the server was being monitored using filemon, psexplorer watching threads, and Netstat, the original infection had remained.

A copy was submitted to the AV vendor anonymously and within a couple of hours, a rapid release was put out which would catch the file in real-time protection. The AV vendor said it was the same iteration of a known virus, but a programmer from a competing vendor cited the mutation differences.

While this was happening, another system was infected so the same process was used to monitor it. A real time scan was performed before the rapid release came out, and the file was quarantined successfully.

Clearly, the AV companies are doing their best to update their documentation precisely as information is put out, but the solution is critical and usually gets published faster. In part, this is likely why vendors accept anonymous file submissions — to help keep in check with viruses in the wild.

My point is just to say that the real-time AV scan does not catch everything. To be honest, a scheduled scan could miss a virus as well, but if a file has similar symptoms to a known virus, it may still have additional hidden code or functionality which can hide it from current real-time scanners.

So my answer to the questions is YES — scheduled scans on PCs would be highly recommended as part of your defense-in-depth strategy against spyware, malware, trojans, and viruses.

Brad Bird is an IT consultant in Ottawa, Canada. He specializes in Windows systems, security, and network administration. You can find more of Brad's blogs at Rantings of an IT Pirate.

Worried about security issues? Who isn't? Delivered each Tuesday, TechRepublic's IT Security newsletter gives you the hands-on advice you need for locking down your systems and making sure they stay that way. Automatically sign up today!


Brad Bird is a lead technical consultant and MCT certified trainer based in Ottawa, ON. He works with large organizations, helping them architect, implement, configure, and customize System Center technologies, integrating them into their business pr...

Editor's Picks