The on-access scanner hooks into the system at the lowest levels (File-System
Filter Driver), acts as part of the system (System Service), and delivers
notifications via the interface when detections occur.
This example describes what happens when an attempt is made to open,
close, or rename a file. The scanner intercepts the operation and takes these
actions.
- The scanner determines if the file should be scanned based on these
  criteria:
  - The file’s extension matches the configuration.
  - The file has not been cached.
  - The file has not been excluded.
  - The file has not been previously scanned.
- If the file meets the scanning criteria, it is scanned by comparing
  the information in the file to the known malware signatures in the currently
  loaded DAT files:
  - If the file is clean, the result is cached and the read, write, or
    rename operation is granted.
  - If the file contains a threat, the operation is denied and the
    configured action is taken. For example:
    - If the file needs to be cleaned, that process is determined by
      the currently loaded DAT files.
    - The results are recorded in the activity log if the scanner
      was configured to do so.
    - The On-Access Scan Messages alert is displayed, describing the
      file name and the action taken, if the scanner was configured to do so.
- If the file does not meet the scanning requirements, it is not
  scanned. It is cached and the operation is granted.
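
The decision flow above, as an added Python model that is not the product's code. It shows which operations reach signature comparison and which are granted on configuration alone, which is the thing to check when reviewing extension lists and exclusions. The class, its field names, the exact-path exclusion match and the byte-pattern "signature" are all assumptions made for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class OnAccessModel:
    extensions: set        # configured extensions (assumed form: lowercase, no dot)
    exclusions: set        # excluded paths (assumed: exact match)
    signatures: dict       # name -> byte pattern, standing in for DAT content
    cache: dict = field(default_factory=dict)          # path -> cached result
    activity_log: list = field(default_factory=list)   # logging assumed enabled

    def meets_criteria(self, path):
        ext = path.rsplit(".", 1)[-1].lower() if "." in path else ""
        # "Cached" and "previously scanned" are folded into one lookup here;
        # cache invalidation is not modelled.
        return (ext in self.extensions
                and path not in self.exclusions
                and path not in self.cache)

    def on_file_operation(self, path, content):
        """Return 'granted' or 'denied' for an intercepted file operation."""
        if not self.meets_criteria(path):
            # Not scanned: cached and granted without looking at the content.
            self.cache.setdefault(path, "not scanned")
            return "granted"
        for name, pattern in self.signatures.items():
            if pattern in content:
                self.activity_log.append((path, name, "denied"))
                return "denied"
        self.cache[path] = "clean"
        return "granted"

def demo():
    # Constructed sample configuration and file contents.
    model = OnAccessModel(extensions={"exe", "dll"},
                          exclusions={r"C:\build\tool.exe"},
                          signatures={"Constructed.TestSig": b"CONSTRUCTED-TEST-PATTERN"})
    flagged = b"header CONSTRUCTED-TEST-PATTERN trailer"
    results = [
        model.on_file_operation(r"C:\tmp\a.exe", b"harmless bytes"),  # scanned, clean
        model.on_file_operation(r"C:\tmp\b.exe", flagged),            # scanned, detected
        model.on_file_operation(r"C:\tmp\c.txt", flagged),            # extension not configured
        model.on_file_operation(r"C:\build\tool.exe", flagged),       # excluded
    ]
    return results, model

if __name__ == "__main__":
    results, model = demo()
    print(results, model.activity_log)
```

The last two operations are granted even though the content matches the constructed pattern, because neither file meets the scanning criteria.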