On-access scan on writing only

Short question: do you expect, or is there, a loss of security by configuring an AV on-access scanner to check on writing only?

Avira for example offers to check on

• reading
  
• writing
  
• reading and writing

Comments?

The most complete protection would be to scan on reading and writing. However, checking on writing only is arguably sufficient since the AV should catch the malware before it does any harm. Scanning on reading has the advantage that malware is detected even before execution.

ssj100 wrote:The most complete protection would be to scan on reading and writing.

Of course.

ssj100 wrote:However, checking on writing only is arguably sufficient since the AV should catch the malware before it does any harm.

This and as there are more files read than written scanning on writing only should be lead to a faster system response. And, this mode avoids a re-scan of the same files on every start.

ssj100 wrote:Scanning on reading has the advantage that malware is detected even before execution.

Therefore scanning on writing should only be used on a clean system.

Ok, you had the same thoughts like me.

Yes sounds about right Ruhe. To sum up, back when I used Avira, I set it to "Scan on Writing".

Ruhe wrote:Short question: do you expect, or is there, a loss of security by configuring an AV on-access scanner to check on writing only?

Configuring an AV scanner to check on writing only you improve scanning speed but there is a loss of security.

Not all malwares write to disk. Let´s take as example a backdoor. When you run the backdoor it will open a port in your computer and it will wait for incoming connections but nothing will be written to disk.

Of course, there are backdoors that write something to disk, but that´s not really required, so the backdoor could be running and the AV would miss it.

@Backdoor: that's a good hint. Thanks.

In the meantime I run Avira with scanning on reading+writing again.

If you care about system resources then the better solution is this:

Main protection layer:

+ Anti-Executable technology preventing that nothing runs without your permission.

+ Sandboxie for a secure browsing.

Additional protection:

+ AV products to scan suspicious files that you must run.

A good solution in this case is Virus Total because you can check with lots of AV engines and it´s not resource consuming as they are not installed in your system.

+ A behavioural analysis tool like Buster Sandbox Analyzer.

Zero day malwares may be undetected by AV products but a behavioural analyzer may detect it.

All the above almost doesn´t consume any system resources.

In fact, I don't have a problem with insufficient system resources or speed, but a system is never fast enough

Intel Core i7 920 (4x 2.66 GHz), Intel X25-M G2 Postville as SSD

I have a Core i7 920 too, but mine has 8 cores.

Yes, sometimes is not a problem of resources but more security programs installed don´t necessarily mean more protection. The setup I just commented is more effective than other having Hitman Pro, MBAM, A-Squared, etc, etc, etc.

Buster_BSA wrote:I have a Core i7 920 too, but mine has 8 cores

Offtopic, but the 920 has 4 cores / 8 threads

Cores and threads go hand in hand. Multi-core processors are single chips that contain two or more distinct processors or execution cores in the same integrated circuit. Multi-threading allows each core to work on two tasks at once, thereby letting you do more things simultaneously, producing faster, more efficient results. Now your computer can keep up with even your heaviest multitasking. Source: http://www.intel.com/consumer/products/processors/corei7-specs.htm#2

I thought it had 8 cores. Thanks for the correction!

Wow, very good point Buster. I never thought of malware that simply open Ports and never actually write on to the system.

Buster_BSA wrote:Main protection layer:

+ Anti-Executable technology preventing that nothing runs without your permission.

+ Sandboxie for a secure browsing.

Additional protection:

+ AV products to scan suspicious files that you must run.

Spot on. That sounds identical to the security setup/approach that I've been practising since late 2009.

With regards to having high-end hardware, I think to some extent it doesn't really make a difference when it comes to noticeable slow-downs on your system. From my experience, if eg. an antivirus program is "heavy", it will always (relatively) slow down your system no matter what hardware you have.