I was having this discussion with a colleague today. He was of the opinion that you should never need to run a virus scan on a PC as most anti-virus packages scan the system in real time.
While it is true that the anti-virus will scan most files against known conditions established by the most currently installed signatures, they do not "scan" the file system in real time. The file system is effectively monitored for accesses and file manipulations done in a way that it (the package) considers to be a threat.
OK, let's analyze these facts. I have attended several conferences on IT security and read more than my fair share of reference material on hacking and forensic techniques to protect computers from intrusion. While there is no one gospel on this subject most IT Professionals I know who have a fair amount of exposure in these topics agree that no one anti-spam or anti-virus product can catch everything.
For example, I am not picking on Symantec specifically nor will I site a precise example but this issue happened. The anti-virus had current signatures to within a few hours. The server was patched to the most current critical and recommended updates. Yet, there were suspiciously high memory usage on the server in question. It was only upon scrutinizing with psexplorer from systinternals, pslist (also from sysinternals) netstat, task manager, a remote UNC file connection and a remote port scanner was I able to confirm that there was an intrusion attempt in progress.
What happened was, the server was patched after 16 hours of when a known exploited vulnerability had been published. Through this pin hole, an elevation of privilege attack happened. Then a hack tool was installed and a root kit planted.
The root kit hid registry keys, processes, and files from view. Once it was discovered, it was removed easily enough with known tools.
The other tools were left behind (this was confirmed by file date stamps and checking backups) until another trojan which the AV supposedly knew about and cleaned had hold of the machine. This is where the interesting part comes in. The trojan was not cleaned. That was human error in that the logs were not scrutinized to confirm that the clean attempt actually failed. The trojan discovered was not the same iteration displayed in the AV package. As the server was being monitored using filemon, psexplorer watching threads and netstat, the original infection remained.
A copy was submitted to the AV vendor anonymously and within a couple of hours, a rapid release was put out which caught the file in real time protection. The AV vendor said it was the same iteration of a known virus but a programmer from another competing vendor at the same time, sited the mutation differences.
While this was happening, another system was infected so the same process was used to monitor the infection. This time a real time scan was performed before the new rapid release came out and the file was quarantined successfully.
Clearly, the AV companies are doing there best to update precisely the documentation that is put out but the solution is critical and usually gets published faster.
In part, this is likely why vendors accept anonymous file submissions to help keep in check with viruses in the wild.
My point is just to say that the real time scan does not catch everything... To be honest, a scan could miss a virus as well but if a file has similar symptoms to a known virus, it may still have additional hidden code or functionality which can hide it from current real time scanners.
YES, scheduled scans on PCs would be highly recommended as part of your defense in depth strategy against spyware, malware, trojans, and viruses.
