Tuesday, March 14, 2017

Why can't I do all these scans? Effective Scanning Practices

With the IT space becoming more proactive than reactive, scans are on the rise.  And with more scans means more performance issues during scans.  This means that a smart placement of your scanning is crucial to ensuring a productive end user environment.

It's time to ask yourself a simple question. When should I be running scans?

Running scans during off hours is key to insure minimal end user interruptions, but what about machines that are shut off every night? Devices that are inconsistently available such as laptops? This is where the problem becomes more complicated.

We will be looking at the following products.

Patch Management
Managed Antivirus - Bitdefender
Risk Intelligence

Let's look at the different scans and how we can accomplish this.

 Patch Management Scans 

Vulnerability scans are a requirement for the usage of the Patch Management feature.  With the release of Dashboard 6.37 and Agent 10.5.8 we have included flexibility in setting your Vulnerability Scan times.

In Patch Management Settings we have included a schedule option for the Vulnerability Scan.

  • By default the Vulnerability scans are tied to your DSC (Daily Safety Check) Cycle. The default time is 6am or whenever the machine is first booted in the morning.  This can cause some performance issues at the beginning of the work day for any machines shutdown over night.
  • Manual scan allows you to fully control the Scan times, but this requires you to manually trigger the scans as needed.  This option can be too labor intensive across multiple devices and should only be utilized on specific machines that require hands on maintenance.

  • Scheduled scan allows full control over the timing of the Vulnerability scans.

You are able to set how frequently the scan runs as well as the time for the scan to run.  It is recommended to run this scan at least 3 times a week.  This scan is responsible for Microsoft patches as well as Third Party patches.

Note: Vulnerability scanning can have a Heavy effect on System performance.  This scan should be placed outside of busy work hours as often as possible.

 Managed Antivirus Scans 

Antivirus scans come to mind when performance issues arise.  Managed Antivirus has three different scans that can effect a machine during the work day.
  • Quick Scans aim at common threat locations and don't look at Archives.  This scan takes 10 minutes or less on average and has a Minimal effect on machine performance.
  • Deep Scans are elaborate and lengthy scans of files and archives. These scans can have a Heavy effect on machine performance. This scan should be ran once a week and should be done on off hours if possible.
  • Behavioral Scans have no schedule.  The Behavioral scanning is like Active Protection in the way that it is active and scanning process through out the day.  It has Minimal effect on system performance.  Default settings are recommended for Behavioral Scanning.

What about machines that are inconsistently online?

These Scanning options are important to address and customize as needed.

If a scan is missed, run on next startup after X minutes.  This setting is crucial for machines that are inconsistently on or off.  It is recommended to have this on if you're running Quick and Deep Scans.  This will insure laptops are being scanned.

Note: if you disable the Deep Scan for laptop devices.  Make sure that the "Alert User if deep scan out of day by more than X days" is disabled.  Otherwise after the set amount of time the user will receive a pop up notification and you will receive a dashboard alert.

 Risk Intelligence Scans 

Risk Intelligence scans include the following Security, PCI, and Data Breach risk scans.

These scans are scheduled similarly but perform different functions.
  • Security looks at patching vulnerabilities on the machine.  Minimal effect on the system.
  • PCI looks for password and security components related to PCI Compliance.  Minimal effect on the system.
  • Data Breach Risk looks at all files on the machine to locate sensitive information. Medium effect on the system.

Risk Intelligence scans can be scheduled to run daily, weekly, or monthly.  They can also be configured to run if the scheduled scan is missed.  It is important to not have Risk Intelligence scans running side by side (Running Data Breach Risk at the same time as PCI or Security)

These scans do not cause performance issues on their own.  These scans should be set to not run near the Vulnerability or Antivirus scans.

 Today we learned 

With the world becoming more proactive than reactive.  The biggest thing to consider as you add more to your client and their networks is to ask yourself.

Am I running my scans effectively?