This article provides you with best practices to configure scheduled on-demand scan (ODS) tasks.
There are two different approaches that you can use when scheduling: Policy-Based and Custom on-demand scan client tasks. As a best practice, perform the following:
- Use Policy-Based scans to configure regular weekly and daily scan tasks.
- Use Custom scans when supplemental scans are needed with unique configurations of scan location targeting or scheduling.
Below is more information about each type of scan:
- Policy-Based scan tasks - Schedule this type of scan using the "ODS - Full Scan" and "ODS - Quick Scan" default client tasks provided when the ENS or VSE ePO extensions are checked in. These client tasks allow the configuration of scheduling parameters such as timing and randomization, but the scan behavior itself is defined by the ODS policy assigned to the endpoint. To change the scan locations for this type of task, modify the policy at Policy Catalog, Endpoint Security Threat Prevention, On-Demand Scan. Then assign the policy to the endpoints, and its settings are honored when the task runs. The client task determines which policy tab (Quick Scan or Full Scan) supplies the settings for the scheduled scan. Policy changes to the scan configuration are reflected on the endpoint in real time.
- Custom scan tasks - Unlike Policy-Based scan tasks, a Custom scan doesn't reference the policy assigned to the endpoint when executing its scan. Instead, all scan parameters (for example, scan locations and performance configurations), scheduling, and randomization are contained entirely in the task configuration itself. Changes to the scan behavior aren't reflected on the endpoint until the next time the task is scheduled to run. Custom scans don't report information to the ePO Product Properties page, including values such as "Date of last full scan" and "Date of last quick scan." Configure Custom scans through the Client Tasks, Endpoint Security Threat Prevention, New Task, Custom On-Demand Scan workflow in ePO.
NOTE: For Custom scan tasks, if you reboot the system during the ODS, the scan doesn't resume after the system restarts.
The ODS configuration is a two-stage process: configure what locations to scan, and schedule how often to scan. To decide how to configure the on-demand scanner, break down the scan targets to minimize the data scanned:
- Configure daily memory ODSs as part of your essential protection - A daily scan of Memory for rootkits and Running processes finishes quickly, with virtually no impact on users. A detection from this scan serves as an early warning that something suspicious is present. Immediately perform a full ODS on any system with a detection from this daily scan.
- Configure active user ODSs, and include the following scan locations - These scan locations are frequent targets of malware attacks. Scan these locations at least weekly or even daily:
  - User profile folder
  - Temp folder
  - Registry
  - Registered files
  - Windows folder
- Configure regular full ODSs as part of your essential protection - At a minimum, include the following settings for regular ODSs:
  - Default locations:
    - Memory for rootkits
    - Running processes
    - All local drives
    - Registry
  - Scan options:
    - Scan subfolders
    - Boot sectors
- We strongly recommend that you schedule ODSs at these intervals:
  - Daily - During a major malware outbreak
  - Weekly - Provides good protection
  - Monthly - Decent protection, with risk
In addition, configure the following ODS settings according to your needs:
- Enable the scan cache - The scanner maintains a cache of previously scanned files that persists across restarts of the computer. This setting improves performance by using the existing scan results to determine whether files need to be scanned. Clean files are added to the clean file scan cache. On the next file access, files aren't scanned if they're in the cache and are unchanged since the last scan. Configure the option Use the scan cache in the ODS policy.
- Configure system utilization - The system utilization setting maps to Windows Priority Control. This setting allows the operating system to control the amount of CPU time that the scanner receives during the scan. If other higher priority tasks request CPU, the operating system takes CPU time away from the on-demand scan (scan32.exe) and assigns it to the other tasks. When the other tasks no longer require as much CPU, the operating system gives CPU time back to scan32.exe. Configure the option System utilization in the ODS policy.
Configure the system utilization depending on the type of activity normally performed on the system. For more information about how this feature works, see KB55145 - Understanding on-demand scan performance settings.
NOTE: Setting the system utilization too low can cause your scan to take up to twice as long.
| Priority | Recommended use |
|---|---|
| Low | For systems with above average user activity. Provides improved performance for other running applications. |
| Below Normal | For systems with typical user activity, such as personal computers or laptops. |
| Normal | For systems with little or no user activity, or with no applications providing user services. In other words, the scan runs at a time when nobody uses the system. |
- Scan only when the system is idle - ENS can detect when users are present and active on a system, and can pause scans accordingly to prevent conflicting resource usage. This option uses multiple signals to determine whether a system is being actively used, such as mouse or keyboard input, disk I/O, and more. This feature isn't recommended for servers, because they can have naturally higher background resource usage. But this option can be useful on endpoints that have reliable downtime outside of the user's working hours. This option doesn't throttle resource consumption while scans are running; instead, it adheres to the configured "System Utilization" options provided by the ODS task or policy used to run the scan.
- Limit Maximum CPU Usage - This option allows administrators to define a CPU usage threshold (%) that ENS refrains from exceeding while scans are running. For example, if you set Limit Maximum CPU Usage to 25%, ENS tries to keep the mcshield.exe process handling the scan at a maximum of that value, except when entering critical actions such as scanning inside archives. This option is available in ENS 10.7.0, and can be selected when the "Scan Anytime" option is selected. You can't use this option with "Scan only when the system is idle." Exclusions in the ODS policy are also a consideration, because the feature doesn't perform CPU throttling when exclusions are present.
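The following PowerShell script is an added verification aid, not part of this article or the product: run it on an endpoint while an ODS is in progress to see the scanner processes' Windows priority class (the OS-level effect of the System utilization setting) and to sample mcshield.exe CPU usage against a Limit Maximum CPU Usage value. It assumes the process names scan32 and mcshield as named above, and uses the article's 25% figure as the default threshold.

```powershell
# Added verification script (not from the KB article). Run in an elevated PowerShell on the
# endpoint while an on-demand scan is running.
# Assumptions: scanner processes are scan32.exe / mcshield.exe (as named in the article);
# $MaxCpuPercent defaults to the article's 25% example and should match the ODS policy/task.
param(
    [int]$MaxCpuPercent = 25,   # "Limit Maximum CPU Usage" value configured in the policy/task
    [int]$Samples = 10          # number of one-second CPU samples to collect
)

# 1. Priority class of the scanner processes: this is what "System utilization" controls.
$scanners = Get-Process -Name scan32, mcshield -ErrorAction SilentlyContinue
if (-not $scanners) {
    Write-Warning "No scan32/mcshield process found; start or wait for an ODS first."
    return
}
$scanners |
    Select-Object Name, Id, PriorityClass, @{ n = 'CPUSeconds'; e = { [math]::Round($_.CPU, 1) } } |
    Format-Table -AutoSize

# 2. Sample mcshield CPU usage. The per-process counter is summed over all cores, so divide by
#    the logical CPU count to get a 0-100 machine-wide percentage comparable to the policy value.
$cores = [int]$env:NUMBER_OF_PROCESSORS
try {
    $data = Get-Counter -Counter '\Process(mcshield)\% Processor Time' `
                        -SampleInterval 1 -MaxSamples $Samples -ErrorAction Stop
} catch {
    Write-Warning "Could not read the mcshield counter: $($_.Exception.Message)"
    return
}
$pct  = $data | ForEach-Object { [math]::Round($_.CounterSamples[0].CookedValue / $cores, 1) }
$over = @($pct | Where-Object { $_ -gt $MaxCpuPercent })

"mcshield CPU samples (%): $($pct -join ', ')"
"Average: {0:N1}%  Peak: {1:N1}%  Limit: {2}%" -f `
    ($pct | Measure-Object -Average).Average, ($pct | Measure-Object -Maximum).Maximum, $MaxCpuPercent
if ($over.Count -gt 0) {
    # Brief excursions are expected: the article notes that archive scanning and active
    # exclusions bypass the throttle, so treat sustained overruns, not single spikes, as a finding.
    "$($over.Count) of $Samples samples exceeded the configured limit."
} else {
    "All samples stayed within the configured limit."
}
```

If the counter path fails because several mcshield instances exist, Windows names the extra instances mcshield#1, mcshield#2, and so on; adjust the instance name accordingly.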