Symantec 10551441 Administration Guide - Page 104
File cache options, How to trace threats, Heuristic scanning
UPC - 037648270472
Page 104 highlights
104 Scanning for viruses and other threats
Configuring Auto-Protect scans

Note: This option is available for Windows NT/2000/XP/2003 only.

File cache options

File caching decreases Auto-Protect's memory usage and can help you to track problems. The file cache includes an index of files that were scanned and determined to be clean. Symantec AntiVirus adds a 16-byte ID to the cache index, which remains until Symantec AntiVirus detects a change to the file.

How to trace threats

You can use Threat Tracer to identify the source of network share-based virus infections on computers that are running Windows NT/2000/XP/2003 operating systems.

When Auto-Protect detects an infection, it sends information to RtvScan, the main Symantec AntiVirus service. RtvScan determines if the infection originated locally or remotely. If the infection came from a remote computer, RtvScan can look up and record the computer's NetBIOS computer name and its IP address, and then display this information in the Threat Properties dialog box.

RtvScan polls every second by default for network sessions, and then caches this information as a remote computer secondary source list. This information maximizes the frequency with which Threat Tracer can successfully identify the infected remote computer. For example, a threat may close the network share before RtvScan can record the network session. Threat Tracer then uses the secondary source list to try to identify the remote computer.

When Threat Tracer cannot identify the remote computer, the source is listed as Unknown in the Threat Properties dialog box. When Threat Tracer determines that the infection came from local host activity, it lists the local host.

The source is also listed as Unknown in the Threat Properties dialog box when the authenticated user for a file share refers to multiple computers. This can occur when a user ID is associated with multiple network sessions.
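
The attribution logic described under How to trace threats, as an added example that is not from the Symantec guide or product: a small Python model of the live-session lookup, the polled secondary source list and the Unknown cases. The class and field names, the sample hosts, the result strings' format and the 60-second cache retention are assumptions; the guide states only the one-second default polling interval.

```python
# Illustrative model only: names, data shapes and the 60-second retention
# window are assumptions, not Symantec's implementation.
from dataclasses import dataclass

UNKNOWN, LOCAL = "Unknown", "Local host"


@dataclass(frozen=True)
class Session:
    user: str      # authenticated user of the file-share session
    netbios: str   # remote computer's NetBIOS name
    ip: str        # remote computer's IP address


class SourceTracer:
    def __init__(self, retention=60):
        self.retention = retention   # seconds a polled session stays cached (assumed)
        self.cache = {}              # Session -> time a poll last saw it

    def poll(self, now, live_sessions):
        """One polling pass: remember every open session, expire stale ones."""
        for s in live_sessions:
            self.cache[s] = now
        self.cache = {s: t for s, t in self.cache.items()
                      if now - t <= self.retention}

    def trace(self, now, user, live_sessions, local=False):
        """Return the source string recorded for a detection."""
        if local:
            return LOCAL
        # Prefer sessions still open; otherwise use the secondary source list.
        candidates = {s for s in live_sessions if s.user == user}
        if not candidates:
            candidates = {s for s, t in self.cache.items()
                          if s.user == user and now - t <= self.retention}
        computers = {(s.netbios, s.ip) for s in candidates}
        if len(computers) != 1:      # no match, or one user ID on several computers
            return UNKNOWN
        netbios, ip = computers.pop()
        return f"{netbios} ({ip})"


# Constructed sample data (hypothetical hosts and users).
A = Session("alice", "WS-ACCT-07", "10.0.4.17")
B1 = Session("bob", "WS-LAB-01", "10.0.5.21")
B2 = Session("bob", "WS-LAB-02", "10.0.5.22")
tracer = SourceTracer()
tracer.poll(now=0, live_sessions=[A, B1, B2])
print(tracer.trace(now=1, user="alice", live_sessions=[]))  # share already closed
```

When triaging a detection whose source reads Unknown, the two cases the model separates (no session on record versus one account on several computers) call for different follow-up: the second can be narrowed from file-server logon records for that account.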

Heuristic scanning

Bloodhound can detect a high percentage of unknown viruses by isolating and locating the logical regions of a file. Bloodhound then analyzes the program logic for virus-like behavior.