Do you have OAS "Scan when copying from network folders and removable drives enabled"?

Dave

Hello, 

Thank you for reaching out to the Trellix support community.!...

When scheduling your weekly scan, Trellix recommendation as a best practice would be to run a policy based on demand scan. Rather than running "Run client task now" In the Policy based ODS, you can supplement this scan with custom on-demand scans for more targeted scans, such as Memory for rootkits, Running Processes, All local drives, Registry, All mapped drives, All removable drives etc. The main difference is only Policy-based On Demand Scan Tasks for ENS will populate Queries/Reports and return these events.

You may also refer the KB below - Custom on-demand scan task criteria for "All removable drives."

https://kcm.trellix.com/corporate/index?page=content&id=KB96025

Best Regards

Hi @MarcinK ,

points to note :

1. I hope you have a dedicated machine just for scanning file on demand on the the NFS storage. Becasue taking 24 hours to scan a 8 TB storage is not bad if you ask me . The more files you have the more time it takes to scan and depending on the number archive files you have, the scan time and resource usage (CPU and memory) will also increase. This is expected.

2.Using ODS on a big shared drive is not very secure as you might think. because of the amount of time it takes to scan.
Example : lets say a scan takes 24 hours to complete . If the first scanned file in the initial 5 minutes of scan can be modified even with in the total scan time (24 hours ) and if the file gets infected, then you will have to wait until the next scan schedule starts to detect that file .In your case 1 week.

Because of this reason, it is import to have "Scan when copying from network folders and removable drives" enabled on clients/servers that access files form this share drive. So, the files are scanned every time before it is run. 
So, what i would recommend is to have ODS scheduled as it is now and enable "Scan when copying from network folders and removable drives" .

3. Run Client Task Now - by default has a stop time of 20 minutes for any task and a cancel task option as well. A scheduled task is always recommended .

4. To get information on what files were scanned, you can enable logging through the below steps

• Login to EPO -> Policy catalog -> Options
• select the policy name that is applied to the machine. (A test policy is preferred initially that is only applied to the machine in question)
• click "show advance" . (if needed)
• Scroll down and enable the option "Log all scanned files during on-demand scans".
• Save the policy.
• Now you will be able to see all files scanned by ENS during ODS.

In case if the issue still persists, a screen shot of the issue and logs will be helpful to review . (please morph any sensitive data before posting that info on community )

I hope this helps 😄

- Rohit Francis