On-demand scanning and how it works

The on-demand scanner hooks into the system at the lowest levels (File-System Filter Driver), acts as part of the system (System Service), and delivers notifications via the VirusScan Enterprise interface when detections occur.

This example describes when an on-demand scan is started and what happens.


  1. The scanner determines if the memory, file, folder, or disk should be scanned based on this criteria:
    • The file’s extension matches the configuration.
    • The file has not been cached.
    • The file has not been excluded.
    • The file has not been previously scanned.
  2. If the memory, file, folder, or disk meets the scanning criteria, it is scanned by comparing the information in the file to the know virus signatures in the currently loaded DAT files:
    • If it is clean, the result is cached and the next item is checked.
    • If it contains a threat, the configured action is taken. For example:
      • If it needs to be cleaned, that process is determined by the currently loaded DAT files.
      • The results are recorded in the activity log if the scanner was configured to do so.
      • In the On-Demand Scan Progress dialog, the information describing the memory, file, folder, or disk name and the action taken is displayed.
  3. If the memory, file, folder, or disk does not meet the scanning requirements, it is not scanned. It is cached and the scanner continues until all of the data is scanned.