Policy Best Practices › Create a Realtime Monitor Policy

Create a Realtime Monitor Policy

The Realtime Monitor policy lets you specify how to monitor client machines for infections each time a user opens or executes a file. You may create individual Realtime Monitor policies for specific application servers, mail servers, or desktops and laptops. For example, most database applications have transaction logs that are frequently opened and closed. Running a scan that intercepts every file when opened, and then blocks access to the transaction log file until a the scan has been completed, might degrade the performance of the database. Using the Filters option, you can create a policy for application or database files that disables active scanning of processes/services related to these applications or databases and the directories where these files are stored.

To create a Realtime Monitor policy

1. Select the Policy Management tab.
2. Select Antivirus from the Application menu.

   The Realtime Monitor tabs appear on the right side of the page.

3. Click New and enter a policy name in the description field of the Policy tab.
4. Click the Scan tab and choose the appropriate settings for this policy.

   Recommendation: Scan with the Specified Extensions Only option for regular files. This option uses a pre-defined list of known executable file types. The All Extensions option should be used during local and scheduled scans.

5. Click the Filters tab and choose the appropriate settings for this policy.

   Filters are useful to prohibit excessive scanning of specific processes, directories, and certain files. By creating a policy using filters and limiting the scope of the realtime scan, you can minimize performance problems. The files that are excluded from realtime scanning by a filter setting can then be scanned with a scheduled scan, which is typically scheduled during a period of reduced server load.

   For example, if you are running an application with a Microsoft SQL database, currently, there are no viruses that are known to be able to infect a database file. Therefore, scanning database files every time they are opened is a costly use of processing power, with little potential return. Therefore, you can set Exclusions to scan all files except those in a list, which is a modifiable option that includes database file extensions by default, or you can use filters to skip the scanning of SQL processes and the directory where the database and transaction logs reside.

   You can also create a Pre-Scan Block list to block access to specified file types. You have the option to prevent access to files that do not meet the corporate standard. For example, as a matter of policy, you may elect to block accessibility to all MP3 and AVI files. You can add the file extensions into the Block Extension List dialog and can even identify those users that should be exempt from the policy (and, therefore, allowed to access these types of files).

   Recommendation: Use a combination of filters and scheduled scans to achieve and maintain a good balance of continuous acceptable performance and security.

6. Click the Advanced tab and choose the appropriate settings for this policy.

   The Allow Fast Backup option allows the Realtime Monitor to skip files that the backup software opens.

   Recommendation: Eliminate scans that might otherwise be performed, degradation to your backup performance is avoided. If this option is not selected, the Realtime Monitor scans each file as it is copied to the backup media, thereby slowing the backup. If you scan files before performing a backup, you do not want to repeat the scan during the backup. Allow Fast Backup applies to Windows and Netware only.

7. Repeat this process for the Filters, Advanced, and Quarantine tabs. (Quarantine is a Windows only feature.)

   When the quarantine feature is enabled, users who are detected attempting to copy infected files to a server can have their access to the server automatically suspended for a specified period of time. The user is blocked from any further access to the server for the length of time specified by the Quarantine time, up to a period of 20 days (28800 minutes). During the quarantine time, you have the opportunity to determine what the problem file is, isolate it, and clean the infected computer.

   Note: Because the quarantine feature blocks server access based on user name, the quarantine affects any users signed on with the same name. This is particularly important if a network has many people sharing the same user name, such as GUEST. If one user is signed on as GUEST and is quarantined because of a detected attempt to copy an infected file, all other users named GUEST are quarantined also.

   In addition, messages can be sent, listing the name of the user who tried to move an infected file, so that the appropriate administrator is notified. Further, the name of a quarantined user is listed on the Quarantine tab when a particular computer is selected in the list of computers. An Authorized administrator can easily restore the quarantined user access again by removing the name of the user from the Quarantine tab.

   Note: The Administrator account on a Windows NT or Windows 2000 computer cannot be quarantined. A user with administrator rights, however, can and will be quarantined when necessary.

8. Click Apply to save the policy.
9. Click Assign in the Policies area of the page.

   The Assign Branches dialog appears.

10. Select the branch to assign this policy to and click the right arrow.
11. Click Assign Branches.

    The policy is assigned to the specified branches.