Is stateful setting secure?

I was wondering… If I’m correct, stateful mode in CIS 3.9 means that all files are scanned on access once, unless a file is changed, right? Let’s assume a situation where I download an infected file that is not in the virus database; the file is scanned and nothing happens. In the next update the sample is included in the database, but the question is: if the file is not changed, will CIS alert me in stateful mode, although it checks only new or changed files?

This is a valid point IMO.

hmmm… maybe the list of files that are considered safe by the real-time scanner (after first scanning) should be reset after each DB update?

Or maybe CIS compares hashes in the new DB with the hashes of unchanged apps.

Good question. Waiting to hear a mods take on this.

Ewen :slight_smile:

Is BOClean integrated in CIS 3.9 such that the infected code will be detected when it’s being loaded into memory?

Stateful “state” recording is only valid until the next signature update, which invalidates it.
The on-access scanner will scan the file again and will store the state until the next update.
If they are not doing this, then the system is flawed.

Can anyone from staff answer my question? It is important for all of us. I checked it with some malware. One file was detected by heuristics, so I added this file to quarantine. Then I restored it, and what? Nothing happened, no heuristic detection? However, I couldn’t copy or move that file…

I dropped Egeman a PM.

Stateful inspection is not that simple. There are many other parameters. When the virus DB is updated, a file will be rescanned.
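As an added example (not Comodo’s code and not any poster’s), here is a toy model of the cache behaviour the reply above describes: a “scanned clean” verdict is remembered per file hash plus signature DB version, so a DB update forces a rescan of unchanged files, beside the flawed variant where the update leaves the cache untouched. The sample file and signatures are constructed; the class and function names are assumptions.

```python
import hashlib


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class StatefulScanner:
    """Toy on-access scanner that remembers files already scanned clean.

    A cached verdict is valid only for (content hash, signature DB version).
    With invalidate_on_update=False the version never changes, so an
    unchanged file that was clean under the old DB is never rescanned.
    """

    def __init__(self, signatures: set, invalidate_on_update: bool = True):
        self.signatures = set(signatures)      # known-bad content hashes
        self.invalidate_on_update = invalidate_on_update
        self.db_version = 1
        self._clean_cache = {}                 # content hash -> db_version
        self.full_scans = 0                    # how many real scans happened

    def update_db(self, new_signatures: set) -> None:
        self.signatures |= new_signatures
        if self.invalidate_on_update:
            self.db_version += 1               # every cached "clean" expires

    def on_access(self, data: bytes) -> str:
        h = sha256(data)
        if self._clean_cache.get(h) == self.db_version:
            return "clean (cached)"            # skip: unchanged file, same DB
        self.full_scans += 1
        if h in self.signatures:
            return "malware"
        self._clean_cache[h] = self.db_version
        return "clean"


def scenario(invalidate_on_update: bool) -> list:
    """The thread's case: download a not-yet-known sample, then the DB learns it."""
    sample = b"constructed sample, not real malware"
    scanner = StatefulScanner(set(), invalidate_on_update)
    verdicts = [scanner.on_access(sample), scanner.on_access(sample)]
    scanner.update_db({sha256(sample)})        # next update adds its signature
    verdicts.append(scanner.on_access(sample)) # file unchanged: caught or missed?
    return verdicts
```

`scenario(True)` ends in "malware" after the update; `scenario(False)` keeps returning the stale cached verdict, which is the gap the original question points at.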

So then what is the point of a stateful inspection? You have future plans to update the virus DB every half hour. So you’re saying that when this happens, the stateful flag or whatever you would call it is basically reset to require scanning again? I’m having trouble seeing how this is very useful, and it’s only marginally more efficient…

Unless of course I’m missing something here, which is likely.

I think Stateful rescans only files active in memory when the DB is updated.

Ofc it’s secure… :-TU :-TU

I was thinking the same thing. :THNK