I'm in the process of scanning the NFS share. This share is 8 TB in size. This scan takes more than 24 hours. Now, after a DAT update, the ODS Scan Manager process is stopped and not started again. I don't know why 😞. So this scan never ends correctly. The logs contain no information about the possible cause.
This scan is started as Run Client Task Now, not scheduled.
I am using a limit of 80% CPU.
What are the best practices for this scan? This will be a regular scan every weekend.
Do you have OAS "Scan when copying from network folders and removable drives" enabled?
Yes, there is an option in the OAS policy under the Policy catalog in EPO, which says "Scan when copying from network folders and removable drives." And this option is enabled by default.
Hope this helps.
Thank you for reaching out to the Trellix support community!
When scheduling your weekly scan, Trellix's recommendation as a best practice would be to run a policy-based on-demand scan rather than running "Run client task now". In the policy-based ODS, you can supplement this scan with custom on-demand scans for more targeted scans, such as Memory for rootkits, Running Processes, All local drives, Registry, All mapped drives, All removable drives, etc. The main difference is that only policy-based On-Demand Scan tasks for ENS will populate Queries/Reports and return these events.
You may also refer to the KB below: Custom on-demand scan task criteria for "All removable drives."
Hi @MarcinK ,
Points to note:
1. I hope you have a dedicated machine just for scanning files on demand on the NFS storage, because taking 24 hours to scan an 8 TB storage is not bad if you ask me. The more files you have, the more time it takes to scan, and depending on the number of archive files you have, the scan time and resource usage (CPU and memory) will also increase. This is expected.
2. Using ODS on a big shared drive is not as secure as you might think, because of the amount of time it takes to scan.
Example: let's say a scan takes 24 hours to complete. The first file scanned in the initial 5 minutes of the scan can be modified even within the total scan time (24 hours), and if the file gets infected, then you will have to wait until the next scheduled scan starts to detect that file. In your case, 1 week.
For this reason, it is important to have "Scan when copying from network folders and removable drives" enabled on clients/servers that access files from this shared drive, so the files are scanned every time before they are run.
So, what I would recommend is to have ODS scheduled as it is now and enable "Scan when copying from network folders and removable drives".
3. Run Client Task Now by default has a stop time of 20 minutes for any task and a cancel task option as well. A scheduled task is always recommended.
4. To get information on what files were scanned, you can enable logging through the below steps
In case the issue still persists, a screenshot of the issue and logs will be helpful to review. (Please morph any sensitive data before posting that info on the community.)
I hope this helps 😄
- Rohit Francis
What I'm wondering is why not just depend upon OAS rather than ODS? If the server has ENS, and the clients have ENS and scan network access, they will all scan the files before they access them, so what is accomplished by running an ODS?