Why Virus Scanning Still Matters in 2025 — A Practical Guide for IT Managers & SOC Analysts

TL;DR: Virus scanning (anti‑malware) is still table stakes. Pair always‑on protection with daily quick scans, smart exclusions, and SOC‑grade telemetry. Measure coverage, prove efficacy (EICAR/VT), and wire detections directly into response playbooks.

ELI5: Think of AV like a door guard. It checks everyone coming in, does quick room checks, and calls the police (SOC) if someone looks fishy.

1) First principles: why scan at all?

  • Reduce dwell time: Catch commodity malware early, before it becomes credential theft, lateral movement, or ransomware.
  • Break kill chains cheaply: Signatures + heuristics + behavior stop a big chunk of known bad without expensive hunts.
  • Audit & assurance: Demonstrable control for CIS Controls v8 and ISO 27001 Annex A 8.7; easy evidence for audits.
  • SOC signal: Endpoint detections provide high‑fidelity alerts, seeds for threat hunting, and enrichment for other telemetry.

Bottom line: scanning is not “old tech.” It’s a foundational control that amplifies the rest of your security stack.

2) What “virus scanning” means today

  • Real‑time (on‑access) protection: Monitors files, memory, and common launch points as they’re touched.
  • Scheduled scans:
    • Quick scans (daily): Fast sweeps of high‑risk areas + running processes. Default for most modern engines.
    • Full scans (rare): Useful after an incident, on fresh‑imaged systems, or infrequently for low‑use servers.
  • Cloud‑assisted verdicts: Reputation, ML, and sandbox lookups for better catch rates.
  • Tamper protection: Prevents attackers from disabling AV/EDR.

2A) Reality check: what AV gets wrong (and right)

  • False alarms happen: A harmless app that’s packed (like a zipped exe) can look suspicious and get flagged.
  • New tricks slip by: A custom, fresh info‑stealer may run until behaviour rules or cloud intel catch up.
  • So we adjust: Keep signatures, but rely on behaviour + isolation. If passwords might be stolen, reimage + reset creds.

ELI5: Sometimes the guard shouts at a friendly guest (false alarm) and sometimes a thief with a new mask sneaks past. So we also watch what people do, not just their faces.

3) Scope: what to scan (and where it’s often missed)

  • User endpoints: Windows/macOS/Linux laptops & desktops.
  • Servers: File servers, terminal servers, domain controllers (with vendor‑recommended exclusions only).
  • Email & collaboration: Exchange/M365/Google, SharePoint/OneDrive/Teams/Slack file uploads.
  • Storage buckets & NAS: S3/Azure Blob/GCS and on‑prem shares at write time.
  • CI/CD & artifacts: Build outputs, package repos, container images before deployment.
  • Web apps: Scan user‑uploaded files at upload and at retrieval.
  • Removable media: Auto‑scan on mount; restrict if possible.

If users or apps can write data, plan to scan it.


4) Role‑based quick wins

For IT Managers (operations, coverage, and performance)

  • Policy baseline
    • Always‑on protection enabled.
    • Daily quick scan during low‑usage hours; randomize start times.
    • Cloud protection + automatic signature updates (hourly).
    • Minimal, documented exclusions (vendor‑approved only) with owner + expiry date.
  • Performance hygiene
    • Stagger scans; avoid “scan storms.”
    • Use device health reports to spot machines that never finish scans.
  • Lifecycle
    • Enforce AV/EDR as a join‑to‑domain/MDM prerequisite.
    • Block devices without current signatures or with tamper protection off.

For SOC Analysts (detections, triage, and assurance)

  • Detection focus
    • Alerts for malware blocked/quarantined and attempts to disable AV/EDR.
    • Correlate malware names, file hashes, parents, command lines, and network beacons.
  • Hunting
    • Look for defense‑evasion patterns (stopped services, registry tampering, AMSI/ETW patching).
    • Sweep for hashes/paths across fleet; pivot to user and device timelines.
  • Assurance
    • Monthly EICAR tests across a small pilot group to verify controls & alert flow.
    • Use VirusTotal (private/org) to enrich hashes/URLs without leaking sensitive samples.

5) Tuning without blinding yourself

  • Prefer path‑level or process‑level exclusions over global ones.
  • Time‑box exclusions; auto‑notify owners 7 days before expiry.
  • Re‑scan excluded paths during maintenance windows.
  • Review top exclusions quarterly; aim to remove, not accumulate.

6) Metrics that matter (for your dashboard)

  • Coverage: % devices with agent installed, healthy, and reporting in last 24 hours.
  • Freshness: % devices updated in <4 hours; definition age distribution.
  • Scan hygiene: Last quick scan time; completion rate; average duration.
  • Protection posture: Tamper protection status; real‑time on/off.
  • Effectiveness: Detections per 1,000 endpoints; time‑to‑isolation; reinfection rate in 7/30 days.
  • Quality: Analyst‑validated FP rate; MTTR from first alert to containment.
  • FP control: Benign‑packed test false‑positive rate (aim ~0; reasons must be explainable).
  • Behavioural assurance: Miss rate on simulated info‑stealer behaviours (Atomic tests). Target alert within 5 minutes.
  • Explainability: % detections with clear reason (“packed/unsigned” vs. specific behaviour rule).

Ship these weekly to leadership; keep raw detail in the SOC.


7) Test & validate

  • Functional check: EICAR string (.txt, zipped, double‑zipped) → verify detect/quarantine + alert path end‑to‑end.
  • False‑positive harness: Build a tiny benign tool; test unpacked and UPX‑packed. Expect 0 blocks or at least an explainable warning.
  • Behavioural simulation: Non‑malicious tests for browser credential files (Cookies, Login Data, Local State), DPAPI use (CryptUnprotectData), and browser process kill. You want alerts + optional auto‑isolation.
  • Operational drill: Phishing-in-lab → isolate → collect triage data → remediate → lessons learned.
  • Regression: Re‑run after major OS/agent updates.

Don’t use real malware on production systems—ever.


8) Playbook: when AV/EDR fires on malware

  1. Confirm: Family/hash, who ran it, first‑seen time.
  2. Contain: Isolate host (EDR), disable stale tokens, block hash/IoCs.
  3. Scope: Search fleet for hash/paths, parent process, same user logins, same email.
  4. Eradicate: Quarantine/clean, patch exploited apps, remove persistence, re‑enable protections.
  5. Recover: Fresh quick scan; watch 7 days for re‑infection.
  6. Learn: Update allow/deny, email rules, add a 30‑day hunt.

Hunt hints (info‑stealers)

  • Sudden kill of chrome.exe / msedge.exe by a non‑browser parent.
  • Touching browser profile files: Cookies, Login Data, Local State.
  • Calls to DPAPI (CryptUnprotectData) soon after a browser kill.
  • New password‑protected archives in temp → outbound HTTPS to paste/webhook sites.
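The hunt hints above, and the behavioural simulation in section 7, as detection logic in an added example (not part of the original post): it groups constructed endpoint events per acting process, scores the browser-kill, profile-file-read and CryptUnprotectData signals, and alerts when a kill by a non-browser parent is joined by a second signal. Event field names, the weights and the 120-second window are assumptions; the archive-plus-outbound-HTTPS hint is not modelled.

```python
import ntpath
from collections import defaultdict

BROWSERS = {"chrome.exe", "msedge.exe"}
PROFILE_FILES = {"Cookies", "Login Data", "Local State"}
WINDOW_SECONDS = 120  # DPAPI use this soon after a browser kill is the strong signal
WEIGHTS = {"browser_killed_by_non_browser": 3, "profile_file_read": 2, "dpapi_after_kill": 3, "dpapi": 1}

# Constructed sample telemetry (not real EDR output): one event per dict, ts in seconds.
SAMPLE_EVENTS = [
    {"ts": 100, "host": "ws01", "type": "proc_kill", "image": "chrome.exe", "actor": "updater.exe", "actor_pid": 4412},
    {"ts": 103, "host": "ws01", "type": "file_read", "actor_pid": 4412,
     "path": r"C:\Users\a\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"ts": 105, "host": "ws01", "type": "api_call", "api": "CryptUnprotectData", "actor_pid": 4412},
    # Browser restarting itself after an update: the kill comes from a browser parent, so no signal.
    {"ts": 500, "host": "ws02", "type": "proc_kill", "image": "chrome.exe", "actor": "chrome.exe", "actor_pid": 900},
    # Backup agent reading a profile file with no kill and no DPAPI call: scored, but below threshold.
    {"ts": 800, "host": "ws03", "type": "file_read", "actor_pid": 77,
     "path": r"C:\Users\b\AppData\Local\Google\Chrome\User Data\Default\Cookies"},
]

def score_chains(events):
    """Group events per (host, acting pid); score how much of the chain each actor shows, highest first."""
    by_actor = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_actor[(e["host"], e["actor_pid"])].append(e)
    findings = []
    for (host, pid), evs in by_actor.items():
        signals, kill_ts = set(), None
        for e in evs:
            if e["type"] == "proc_kill" and e["image"].lower() in BROWSERS and e["actor"].lower() not in BROWSERS:
                kill_ts = e["ts"]
                signals.add("browser_killed_by_non_browser")
            elif e["type"] == "file_read" and ntpath.basename(e["path"]) in PROFILE_FILES:
                signals.add("profile_file_read")
            elif e["type"] == "api_call" and e["api"] == "CryptUnprotectData":
                recent = kill_ts is not None and 0 <= e["ts"] - kill_ts <= WINDOW_SECONDS
                signals.add("dpapi_after_kill" if recent else "dpapi")
        score = sum(WEIGHTS[s] for s in signals)
        if score:
            findings.append({"host": host, "actor_pid": pid, "signals": sorted(signals), "score": score})
    return sorted(findings, key=lambda f: -f["score"])

def alerts(events, threshold=5):
    """Findings worth paging the SOC and isolating the host (section 8, step 2): a kill plus any second signal."""
    return [f for f in score_chains(events) if f["score"] >= threshold]
```

Lower-scoring findings are hunt leads for the 30-day hunt in step 6, not pages.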

ELI5: If a thief shuts your browser and grabs your cookie jar, ring the alarm and lock the door (isolate) before cleaning.

9) Common pitfalls to avoid

  • Relying only on signatures and disabling behavior/ML to “save CPU.”
  • Scheduling weekly full scans at noon, causing user pain and mass cancellations.
  • Blanket exclusions for entire app folders with no expiry.
  • Ignoring non‑Windows devices and file‑upload paths.
  • No evidence: can’t show last scan time, signature age, or that alerts actually reach the SOC.

10) 30/60/90 day plan

Day 0–30

  • Inventory endpoints; enforce agent + tamper protection + cloud protection.
  • Daily quick scans with randomized start; enable hourly updates.
  • Stand up dashboards for coverage/freshness/scan hygiene.

Day 31–60

  • Define and purge risky exclusions; introduce expiry + owner.
  • Wire detections to SOAR playbooks; add isolate‑host and hash‑block automations.
  • Start monthly EICAR checks (pilot ring) and report results.

Day 61–90

  • Expand scanning to storage buckets, collaboration suites, and user‑upload workflows.
  • Add CI/CD image/package scanning pre‑deploy.
  • Quarterly control review with metrics + two improvement actions.

11) FAQ: audit vs reality

  • “Isn’t this just for passing SOC 2/ISO?” No. Audits want proof you run anti‑malware, but operational efficacy (coverage, freshness, time‑to‑contain) is what saves you during incidents.
  • “Do we need weekly full scans?” Usually no. Daily quick + real‑time + cloud lookups suffices; run full scans during incident response or on specific hosts.
  • “What about performance?” Randomize scheduling, scope scans, and fix slow endpoints; don’t switch features off.

11A) Which antivirus to pick (2025) — short & clear

Home or very small office (Windows): Stay with Microsoft Defender. Add on‑demand Malwarebytes/Sophos Free only when cleaning.

M365-focused organisations: Microsoft Defender for Endpoint (MDE) — best fit if you already use Intune/Entra/M365. Strong protection, rich telemetry.

Mixed OS, low noise, strong protection: Bitdefender GravityZone or ESET PROTECT — high catch, low false positives, solid consoles.

SMB India: Seqrite or WithSecure Elements — simple central control; good value.

Policy note: Kaspersky scores high in tests but may be restricted by policy in some geos. Check compliance first.

Skip the “security suite” bloat. Enable only what you use.

12) Copy‑paste snippets (Windows fleet)

  • Scheduling: Daily quick scan at off‑hours with randomized start.
  • Health gates: Block device access to corporate resources if real‑time protection off, signatures stale >24h, or tamper protection disabled.
  • Alert plumbing: Forward AV/EDR alerts → SIEM with host, user, hash, action taken; enrich with VT (private) and threat intel.
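The section 6 dashboard metrics and the section 12 health gate, computed over a constructed device-health export in an added example (not part of the original post). The record fields and the fixed clock are assumptions; in practice the export would come from your EDR or MDM console.

```python
from datetime import datetime, timedelta

NOW = datetime(2025, 6, 1, 9, 0)  # fixed clock so the constructed sample is deterministic
H = lambda hours: NOW - timedelta(hours=hours)  # "last event was N hours ago"

# Constructed device-health export (not real telemetry); None only where no agent is installed.
FLEET = [
    {"host": "ws01", "agent": True, "last_seen": H(1), "sig_updated": H(2), "rtp": True, "tamper": True, "quick_scan": H(10)},
    {"host": "ws02", "agent": True, "last_seen": H(3), "sig_updated": H(30), "rtp": True, "tamper": True, "quick_scan": H(20)},
    {"host": "ws03", "agent": True, "last_seen": H(2), "sig_updated": H(1), "rtp": False, "tamper": False, "quick_scan": H(120)},
    {"host": "ws04", "agent": True, "last_seen": H(72), "sig_updated": H(72), "rtp": True, "tamper": True, "quick_scan": H(72)},
    {"host": "ws05", "agent": False, "last_seen": None, "sig_updated": None, "rtp": False, "tamper": False, "quick_scan": None},
]

def gate_failures(d, now=NOW):
    """Section 12 health gate: reasons to block the device from corporate resources (empty list = allow)."""
    if not d["agent"]:
        return ["no_agent"]
    reasons = []
    if not d["rtp"]:
        reasons.append("realtime_protection_off")
    if d["sig_updated"] is None or now - d["sig_updated"] > timedelta(hours=24):
        reasons.append("signatures_stale_over_24h")
    if not d["tamper"]:
        reasons.append("tamper_protection_off")
    return reasons

def fleet_metrics(devices, now=NOW):
    """Section 6 dashboard figures as whole percentages of the fleet, plus the hosts the gate would block."""
    def pct(pred):  # devices without an agent count in the denominator but never satisfy the predicate
        return round(100 * sum(1 for d in devices if d["agent"] and pred(d)) / len(devices))
    return {
        "coverage_pct": pct(lambda d: now - d["last_seen"] <= timedelta(hours=24)),   # installed and reporting
        "freshness_pct": pct(lambda d: now - d["sig_updated"] < timedelta(hours=4)),
        "quick_scan_24h_pct": pct(lambda d: now - d["quick_scan"] <= timedelta(hours=24)),
        "tamper_on_pct": pct(lambda d: d["tamper"]),
        "gated_hosts": sorted(d["host"] for d in devices if gate_failures(d, now)),
    }
```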

13) Takeaway

Treat virus scanning as plumbing: always on, rarely noticed, immediately missed when broken. Keep it simple, measured, and wired into response. When it’s boring, it’s working.
