Create Real-Time Monitoring Policy
Real-time monitoring policies can be assigned to endpoints or groups and provide protection every time a file is opened or executed. There are a number of default policy settings as shown below and these should be left unchanged unless there is a specific reason to select alternative settings.
Scanning Options
When a virus is detected, the default behavior is to attempt to clean the file but, if the AntiVirus engine is unable to clean it, to move it into quarantine for further action. Other actions can be selected including:
- Perform no action
- Attempt to clean then delete
- Attempt to clean then quarantine then delete
The option to perform no action might be selected to prevent critical files from being moved to quarantine which might render the system unusable. In such cases, an alert would be sent up to the server. This option should only be selected if there are processes in place to deal with alerts immediately when they are created as otherwise the malware will be allowed to operate unhindered and spread to other endpoints in your network.
The default option of “Clean then Quarantine” is designed to prevent the file from executing if it cannot be cleaned by placing it in a protected quarantine folder. This is also useful in terms of locating a sample of the file for further analysis, for example, in the case that it is a suspected false positive. In the event that such analysis is not required, it is possible to select either of the “Delete” options which will cause the file to be deleted if the AntiVirus engine is unable to clean it or quarantine it. However, note that, in the event that the file is incorrectly identified as malware (i.e. a false positive) and the file has been deleted, it can no longer be restored.
Local Users/Services and Remote Users
Files are treated differently for scanning purposes depending on whether the file action was initiated by a local or remote user. A local user is any file interaction that happens on the local machine in the local user context. A service running on the local machine is considered to be a local user. Remote user is anything which is initiated externally. Connections via RDP, Citrix, Terminal services are considered to be remote users.
In the case of local users, the default behavior is to scan files when they are read or executed. For remote users, the default behavior is to scan when the remote user or service is writing to the file to ensure that they are not adding malware to the system.
In the case of a malware outbreak, changing the settings to “scan on both read/execute and write” will provide a greater level of protection. However, note that it also increases the performance impact associated with AntiVirus scans.