Is stateful setting secure?

Breen · April 17, 2009, 1:52pm

I was wondering… If I’m correct stateful mode in CIS 3.9 means that all files are scanned on access ones, unless any file will be changed right? Lets assume situation when I download infected file, that is not in virus database, file is scanned and nothing happens. In next update sample is included to database but the question is : If the file is not changed will CIS alert me in stateful mode although it checks only new or changed files. ???

anonymous · April 17, 2009, 2:23pm

This is a valid point IMO.

hmmm… maybe the list of files that are considered safe by the real-time scanner (after first scanning) should be reset after each DB update?

panic · April 17, 2009, 2:48pm

Or maybe CIS compares hashes in the new DB with the hashes of unchanged apps.

Good question. Waiting to hear a mods take on this.

Cheers,
Ewen

hkjoj · April 17, 2009, 2:59pm

Is BOClean integrated in CIS3.9 such that the infected code will be detected when its being load in memory?

rejzor · April 17, 2009, 3:07pm

Stateful “state” recording is only valid until next signature update which invalidates it.
On-access scanner will scan it again and will store the state till next update again.
If they are not doing this, then the system is flawed.

Breen · April 17, 2009, 9:30pm

Can anyone from staff answer my question? It is important for all of us. I checked it with some malware. One file was detected by heuristics, so I added this file to quarantine. Then I restored it, and what? nothing happens, no heuristics detecion? However I couldn’t copy or move that file…

Citizen_K · April 17, 2009, 10:27pm

I dropped Egeman a PM.

egemen · April 18, 2009, 12:16am

Stateful inspection is not that simple. There are many other parameters. When virus DB is updated a file will be rescanned.

HeffeD · April 18, 2009, 12:22am

???

So then what is the point of a stateful inspection? You have future plans to update the virus DB every half hour. So you’re saying that when this happens, the stateful flag or whatever you would call it is basically reset to require scanning again? I’m having trouble seeing how this is very useful, and it’s only marginally more efficient…

Unless of course I’m missing something here, which is likely.

symbian · April 18, 2009, 7:07pm

I think Statefull rescan only files active in memory when the DB is updated.

who_te_fuc · April 18, 2009, 10:30pm

Ofc its secure… :-TU :-TU

fazio93 · April 19, 2009, 12:33am

I was thinking the same thing. :THNK