Norton AntiVirus Corporate Edition 7.x -- Performance versus Protection
The purpose of this white paper is to provide System Administrators with an overview of the configuration options available with File System Realtime Protection and Scanning to better understand the impact these settings have on system and network performance and virus protection. Various computer environment scenarios will be paired with different Norton AntiVirus Corporate Edition (NAVCE) configuration models to illustrate the advantages and disadvantages of their pairings.
Norton AntiVirus Corporate Edition is often the first line of protection your computer has against virus threats. Administrators have the option to configure NAVCE's scanning environment and File System Realtime Protection to suit their specific needs. Obviously, the best solution would be to provide the most comprehensive protection against viruses with the least percentage of performance degradation. Since all corporations and their computer environments are not alike, it is necessary to create configuration models to suit your system environment.
Following is a synopsis of the impact on performance and protection various options can have on your system. Each option is configurable by the NAVCE administrator.
File system realtime protection
File system realtime protection configuration options
File System Realtime Protection's default configuration is set to provide a high level of protection from virus threats with no consideration to the impact the settings have on system or network performance. In fact, only one option can be changed to provide more protection: Heuristics scanning is defaulted to medium. For the maximum level of protection by File System Realtime Protection, this option can be set to high. The options that have the most impact on performance and virus protection are Exclusions, Modified vs. Accessed/Modified, File Types, Heuristics, and Network Scanning.
Exclusions (disabled or enabled)
Exclusions are disabled by default. Depending on the system environment, such as the type of files being scanned in environment, excluding certain file extensions or drives can greatly increase performance, though it does open up security holes where viruses can attack. Options, such as prescan exclusions vs. postscan exclusions, set within exclusions can also affect performance. Administrators should take heed when utilizing exclusions to avoid potential performance and virus protection problems.
Scan files when (modified or accessed/modified)
By default, NAVCE scans files when they are accessed or modified. This provides more complete protection from virus attacks. Under this configuration, files will be checked for viruses during all file operations including opening, running, copying, moving, renaming, and creating a file. Because all file operations are being scanned by Realtime Protection, the impact on performance is greater. Choosing to scan on modified only checks for infected files when they are created, changed, or moved to another location. By utilizing other features of NAVCE, including Manual and Scheduled Scans, setting Realtime Protection to scan on modified only can improve system and network performance while still providing a high level of protection from viruses.
File types (all types or selected extensions)
For NAVCE 7.5, the default setting for File Types is "All Types." This means that all files will be scanned regardless of their extension or lack thereof. The only exception is on Win32 platforms, where compressed file scanning is not supported during a realtime scan. Scanning "All Types" is the most comprehensive option but it can also reduce performance. "Selected Extensions" scans files with the most common document and program extensions that include the extensions of all files subject to known virus attacks.
Heuristics (minimum, default, or maximum)
NAVCE's Bloodhound virus detection technology enables File System Realtime Protection to detect new or unknown viruses by analyzing certain areas of a file to determine whether or not the file exhibits virus-like behavior. The default level of protection of Heuristics is medium. System performance will be affected accordingly by disabling, increasing, or decreasing heuristics scanning.
Network scanning (enabled or disabled)
By default, NAVCE File System Realtime Protection scans network files when accessed through a mapped drive or UNC path. If all systems are protected locally (NAVCE on each system), then network scanning can be disabled without any risk of opening up security holes. It has been determined that copying files from an NT system to another system with network scanning enabled significantly impacts performance. Disabling network scanning during those processes will vastly improve file transfer times.
Utilizing on-demand scans, scheduled scans, and virus sweeps
In addition to File System Realtime Protection, NAVCE's suite of manual scans can play an important role in protecting your environment against virus attacks. Unlike Realtime Protection, manual scans can be scheduled to run at any time, thereby giving administrators the freedom to configure them to run at a time when system resources are being utilized least; most often late night or weekends. In a high-traffic environment, Realtime Protection and manual scans can be used in conjunction to enhance performance without compromising the level of protection from viruses.
These scans can be configured from the Symantec System Console (SSC) or from an individual client computer. Administrators or users can decide which drives to scan, what file types to scan, and the actions to be taken if a virus is found whenever they find a need to scan their systems for viruses.
Scheduled scans: Scheduled scans can be created from the SSC or an individual client computer. They can be configured to run daily, weekly, or monthly. Once configured, Administrators have the freedom of mind to know that their systems will be scanned on a regular basis to ensure that no viruses have penetrated their environment.
Virus sweeps: Virus sweeps can only be run from the SSC. By selecting a server group or server, running a virus sweep will scan all drives on all computers associated with the server group or server. Virus sweeps are a fast and easy way of scanning computers during periods of possible virus outbreaks or threats.
Prescan exclusions or postscan exclusions
By default, NAVCE's File System Realtime Protection exclusions option excludes a file after scanning it. That is, if a file or group of files are placed in exclusions, then those files will be scanned like any other file not being excluded, and only if the files are infected are they then parsed through the exclusions list to see whether they are excluded. There is an option to exclude files before scanning them (prescan exclusions). Both options offers advantages in different environments.
In certain scenarios, enabling prescan exclusions can enhance performance. For example, if you have a server specifically for a database that predominantly handles thousands of file operations with a specific unique extension and you choose not to scan that file since it currently has no virus threats associated with it, then adding that to the extensions exclusions list and enabling prescan exclusions would increase performance as all files with that extension will be excluded from scanning. If prescan exclusions were disabled in the same scenario, then all of the files would be scanned resulting in a larger performance hit, since scanning a file generally takes longer than parsing through the exclusions list.
In an environment where there are a large variety of files going through a server, it is generally better to disable prescan exclusions. For example, you scan All Types but want to exclude a certain extension, and that extension only makes up 2% of the server activity, then it is better to keep prescan exclusions disabled. If you were to enable prescan exclusions, then all files, including the 98% of files without that extension, will be parsed through the exclusions list before scanning. Since 98% of the files will not be excluded, 98% of the files will be parsed and scanned rather than just scanned, since by enabling postscan exclusions (the default) only files that are infected will be parsed through the exclusions list.
Administrators should keep in mind that enabling exclusions in these scenarios creates a possible security hole. Should a new virus be created that attacks the files being excluded, they can possibly cause damage by corrupting the files or the system. When enabling exclusions, it is a good idea to configure a scheduled scan to run on All Types (without excluding files) to insure no viruses have infiltrated the system.
Modified only versus accessed or modified
In a busy network environment where file operations are constantly being generated, setting File System Realtime Protection to scan on "Accessed or Modified" can visibly impact performance. Because NAVCE monitors all file input and output, systems will ostensibly show a decrease in performance. Administrators have an option to have File System Realtime Protection scan on modified only. When set to scan on modified only, NAVCE will only monitor and scan a file that is being created, changed, or moved. It will not scan files that are being accessed or executed. So, if a known virus were to write to a file and Realtime Protection was set to scan on modified only, then that file would be caught.
So what are the advantages of scanning on accessed or modified?
Any time a file is accessed, if it is infected, File System Realtime Protection will catch the infection. The next logical question would be, If you are sure that no viruses are currently on your system, then would not you get the same degree of protection if you set Realtime Protection to scan on modified only? The answer is yes if you are sure that there are no known viruses are on your system. But, the answer is more complicated than that because there can be so many variables in a system environment. For example, if NAVCE had just been newly installed and Realtime Protection was set to scan on modified only, your system is now protected from any new threats. What if a virus were already on the system? Once the file where the virus resides is accessed, it can trigger the virus to spread to other files. At this point, the files the virus is spreading through will be modified and detected by Realtime Protection. But what if the virus is unrepairable (there are many of them out there)? The newly infected files will be detected, but they will also be corrupted by the virus. If File System Realtime Protection were set to scan on accessed or modified in the same scenario, then once the infected file was accessed, it would be caught by Realtime Protection before it could spread and infect other files, thereby preventing any further corruption of files.
Another scenario to be wary about are environments where there are unprotected systems. Many network environments are linked to unprotected servers. If a system with NAVCE (set to scan on modified only) accesses an infected file on the unprotected server, the newly triggered virus can spread through the unprotected server's files without being detected. In the same scenario, if Realtime Protection was set to scan on accessed or modified and network scanning was enabled, then the infected file would be detected and prevented from doing further damage. In any connected environment, though, having unprotected systems (whether they are servers or clients) can pose a risk to virus threats. Having Realtime Protection set to scan on modified only in these environments makes the potential risk greater.
What if your computer network is fully protected (NAVCE installed on all computers) and you want to improve performance by scanning on Modified Only?
There are other NAVCE features, which you can utilize to achieve a high level of protection from viruses while scanning on Modified Only. The first thing you should do after installing NAVCE is to run a Virus Sweep on all computers to make sure there are no infected files on the systems. You should also configure a scheduled scan to run on all systems weekly to make sure that no viruses have entered your environment. You might wonder how that could happen if you are fully protected. As Administrators, you should understand that certain things are beyond your control, such as temporary loss of virus protection due to system failure, product upgrades, and so forth. When it comes to virus attacks, it is better to be safe than sorry. You can also lock Realtime Protection configuration settings from the SSC. For example, to prevent users from disabling Realtime Protection, lock that option.
Other configuration options
Performance can also be improved by configuring other Realtime Protection and scanning options. Network scanning can be disabled if all systems are protected locally. This will greatly increase system performance when copying/accessing files between systems. Determine whether to scan All Types or Selected Extensions. If you choose Selected Extensions for faster performance, then configure Scheduled Scans to scan All Types to cover all files when running weekly scans.
Performance and protectionNAVCE enables administrators to configure Realtime Protection and Scanning options to suit their needs. With all of the NAVCE features, there should not have to be a choice between performance and protection. You can achieve both quite easily by understanding what NAVCE has to offer and what type of environment your network is running. It is the goal of NAVCE to provide a positive balance between performance and protection.
Imported Document Id