Scheduled scan woes.

Dear Sirs,

 

In case of FSPM 11.31 + FSAV 11.61 (Windows) is it possible to specify a scheduled scan with restricted extent? No matter what I try to do with the parameters, virus scan either doesn't run at all or ignores parameters and processes the entire computer storage, apparently (~200k files scanned, incl. archives in about 2 hours).

 

The customer would like to scheduled-scan only a single folder tree and only about 12 extension types among the files found in those folders. It should be over in 5 minutes with less than 1000 objects inspected, but something doesn't add up.

 

According to the PMC built-in help text, the scheduled scan parameters are equal to the command line scanner. So I tried these for "Task Type | Task Type Specific Parameters" in the PMC 11.31:

 

Scan Local Drives | C:\choicefolder\*.* /ext=chm,hlp,vbs

Scan Local Drives | C:\PROGRA~1\F-Secure\ANTI-V~1\fsav.exe C:\choicefolder\*.* /ext=chm,hlp,vbs

Generic task | C:\PROGRA~1\F-Secure\ANTI-V~1\fsav.exe C:\choicefolder\*.* /ext=chm,hlp,vbs

 

Note: The scheduling parameters for scheduled scan work as advertised, so the virus check starts on the clock like a Swiss watch, it is only the "Task Type Specific Parameters" I can't grasp...

 

Please give me some solid examples on how to do this? Thanks in advance!

 

Yours Sincerely: Tamas Feher, Hungary.

Best Answer

  • Jouni Posts: 135
    Accepted Answer

    Hello Tamas,

     

    True, the end user won't be notified, but for reporting to admin you can use the /REPORT= parameter. In addition to local output file for the scan, also the report to Policy Manager is sent when that is specified.

    For that and other additional Command-line scanner parameters, please refer to readcmd.rtf file, which you can find from e.g. Client Security's installation folder:
    <F-Secure>\Anti-virus\readcmd.rtf

    The scheduled scanning feature configures the scan to run under the Local System Account in both cases, so also when configured using the Generic task type.

    In environments with both 32-bit and 64-bit systems I would suggest using two scheduled tasks for all hosts, where one task would point to C:\Progra~1\.. and the other to C:\Progra~2\..

    As the built-in help is a bit misleading, we have forwarded the feedback to the correct team, so that it should be corrected.
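
One way to keep a single task definition for both architectures, as an added example that is not from the thread or from F-Secure: a PowerShell wrapper that looks for fsav.exe in both install locations named in this thread and runs it with the /ext and /REPORT= parameters discussed here. The script, its deployment to every host, the report file location and launching it from a Generic task are all assumptions.

```powershell
# Added example, not F-Secure code. Hypothetical wrapper script, assumed to be
# deployed to the same path on every host and started from a Generic task.
# The task runs as Local System (per the answer above), so keep this file in a
# directory that only administrators can write to.
param(
    [string]   $ScanPath   = 'C:\choicefolder\',                   # folder from the thread
    [string[]] $Extensions = @('chm', 'hlp', 'vbs'),               # extensions from the thread
    [string]   $ReportFile = 'C:\Windows\Temp\fsav-scheduled.txt'  # assumed report location
)

# fsav.exe locations quoted in the thread for 32-bit and 64-bit Windows.
$candidates = @(
    'C:\Program Files\F-Secure\Anti-Virus\fsav.exe',
    'C:\Program Files (x86)\F-Secure\Anti-Virus\fsav.exe'
)
$fsav = $candidates |
    Where-Object { Test-Path -LiteralPath $_ -PathType Leaf } |
    Select-Object -First 1
if (-not $fsav) {
    Write-Error 'fsav.exe not found in either install location.'
    exit 2   # wrapper's own failure code (arbitrary choice)
}

# A wildcard in the location makes the scanner ignore /ext (per the thread).
if ($ScanPath -match '[*?]') {
    Write-Error "Wildcards are not allowed in the scan path: $ScanPath"
    exit 2
}
# The path is passed unquoted, as in the thread, so it must not contain spaces.
if ($ScanPath -match '\s') {
    Write-Error "Scan path must not contain spaces: $ScanPath"
    exit 2
}
# Extensions go into one quoted, space-delimited list; reject anything else.
foreach ($e in $Extensions) {
    if ($e -notmatch '^[A-Za-z0-9]+$') {
        Write-Error "Unexpected characters in extension: $e"
        exit 2
    }
}

# Build the command line as one string so the quotes around the list survive.
$argLine = '{0} /ext="{1}" /REPORT={2}' -f $ScanPath, ($Extensions -join ' '), $ReportFile
$proc = Start-Process -FilePath $fsav -ArgumentList $argLine -Wait -PassThru -NoNewWindow
exit $proc.ExitCode   # hand the scanner's exit code back to the scheduler
```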

Answers

  • Jouni Posts: 135

    Hello Tamas,

     

    When using the Task Type Specific Parameters, the Task Type should be Generic. When the Task Type is set to Scan Local Drives, then there are the default manual scan policy settings used for the scan, which could be conflicting with the Task Type Specific Parameters.

    Based on your samples here is an example for scheduled scanning using Task Type Specific Parameters:

     

    Name: Weekly Scan
    Scheduling Parameters: /t18:00 /rweekly
    Task Type: Generic
    Task Type Specific Parameters: C:\PROGRA~1\F-Secure\ANTI-V~1\fsav.exe C:\choicefolder\ /ext="chm hlp vbs"

    Note that if you are using wildcards *.* for the scanned location, then the /ext parameter is not counted and all file types are scanned instead.

    Also, when using the /ext parameter with multiple extensions, you need to use quotes and delimit the extensions using the space character.

  • etomcat Posts: 1,310

    Dear Jouni,

     

    Thanks for the swift reply! I have a few more questions concerning the details:

     

    - If I understand correctly, when using the "generic" task type, the user at the endpoint won't be notified? (In case of Scan Local Drives policy, the client desktop shows a small pop-up infobox when the scheduled scan starts.)

     

    - When using the "generic" task type, security admin won't get feedback about the scan results via the PM Console? (In case of Scan Local Drives policy, the FSAV CS/WKS client reports back to FSPM.)

     

    - When using the "Generic" task type to run the fsav.exe, will that have the same investigation rights as "Scan Local Drives" task? I mean fsav.exe is a command line program, so maybe it should be launched with the UAC "run-as-admin" option to give full access, but I don't know if possible with non-interactive command line?

     

    Thanks in advance, Yours Sincerely: Tamas Feher, 2F 2000 Kft., Hungary.

  • etomcat Posts: 1,310

    Dear Jouni,

     

    The problem with recommending a "Generic Task" type task for an extensions-selective scheduled virus scan is that the location of "fsav.exe" differs between 32-bit and 64-bit Windows computers!

     

    For 32-bit OS:

    C:\Program Files\F-Secure\Anti-Virus\fsav.exe

    C:\Progra~1\F-Secure\Anti-V~1\fsav.exe (legacy path)

     

    For 64-bit OS:

    C:\Program Files (x86)\F-Secure\Anti-Virus\fsav.exe

    C:\Progra~2\F-Secure\Anti-V~1\fsav.exe (legacy path)

     

    This means the security admin cannot order a scheduled scan by department, remote site or other organizational unit, but he must sort computers according to the architecture. This is unfitting for a larger company customer.

     

    Please suggest a solution that is suitable for corporate-enterprise customers.

     

    Thanks in advance, Yours Sincerely: Tamas Feher, 2F 2000, Hungary.

  • etomcat Posts: 1,310

    Dear Jouni,

     

    > When the Task Type is set to Scan Local Drives, then there are the default manual scan policy settings used for the scan, which could be conflicting with the Task Type Specific Parameters.

     

    According to the built-in help of PMC 11.31, parameters are supported with Scan Local Drives (as seen in the screenshot). The customer expects them to work as advertised.

     

    The problem with using fsav.exe in "Generic" task type is that sysadmin apparently won't get feedback about the results centrally, e.g. in the FSPM Console's Scanning Reports tab. This makes scheduled scan rather meaningless from a security management point of view.

     

    Thanks in advance, Yours Sincerely: Tamas Feher, 2F 2000 Kft., Hungary.

     

    ********************************

     

    fspmc_scheduled_scan_local_drives_parameters.png

This discussion has been closed.