On-access scanning and how it works

The on-access scanner hooks into the system at the lowest levels (File-System Filter Driver) and scans files where they first enter your system. It acts as part of the system (System Service) and delivers notifications via the interface when detections occur.

When an attempt is made to open, close, or rename a file, the scanner intercepts the operation and takes these actions:

  1. The scanner determines if the file should be scanned based on these criteria:
    • The file’s extension matches the configuration.
    • The file has not been cached.
    • The file has not been excluded.
    • The file has not been previously scanned.
  2. If the file meets the scanning criteria, it is scanned by comparing the information in the file to the known malware signatures in the currently loaded DAT files.
    • If the file is clean, the result is cached and the read, write, or rename operation is granted.
    • If the file contains a threat, the operation is denied and the configured action is taken. For example:
      • If the file needs to be cleaned, that cleaning process is determined by the currently loaded DAT files.
      • The results are recorded in the activity log, if the scanner was configured to do so.
      • The On-Access Scan Messages alert appears describing the file name and the action taken, if the scanner was configured to do so.
  3. If the file does not meet the scanning requirements, it is not scanned. It is cached and the operation is granted.
    Note: The scan file cache is flushed and all files are rescanned whenever, for example, the on-access scan configuration is changed, an EXTRA.DAT file is added, or the cache is full.
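
The decision flow above, written out as a small Python model. This is an added example, not the product's code: the class and method names, the SHA-256 lookup standing in for DAT signature matching, the path-keyed cache, and the cache limit are all assumptions.

```python
# Simplified model of the flow above. Added example, not the product's code.
import hashlib
import os
from dataclasses import dataclass, field

def digest(data: bytes) -> str:
    # Assumption: a SHA-256 lookup stands in for DAT signature matching.
    return hashlib.sha256(data).hexdigest()

@dataclass
class OnAccessScanner:
    extensions: set                 # configured extensions, e.g. {".exe"}
    exclusions: set                 # excluded paths
    signatures: set                 # stand-in for the loaded DAT files
    cache_limit: int = 1000         # assumed size; real limits are not on the page
    cache: dict = field(default_factory=dict)  # path -> "clean" | "skipped"
    log: list = field(default_factory=list)    # activity log

    def flush(self, reason: str) -> None:
        # Forget every cached verdict so all files are rescanned on next access.
        self.cache.clear()
        self.log.append(("flush", reason))

    def add_extra_dat(self, digests) -> None:
        self.signatures |= set(digests)
        self.flush("EXTRA.DAT added")

    def _remember(self, path: str, verdict: str) -> None:
        if len(self.cache) >= self.cache_limit:
            self.flush("cache full")
        self.cache[path] = verdict

    def on_file_op(self, path: str, data: bytes) -> bool:
        """Return True if the intercepted open/close/rename is granted."""
        if path in self.cache:                      # step 1: already cached
            return True
        ext = os.path.splitext(path)[1].lower()
        if ext not in self.extensions or path in self.exclusions:
            self._remember(path, "skipped")         # step 3: not scanned, cached
            return True
        if digest(data) in self.signatures:         # step 2: signature match
            self.log.append(("denied", path))       # configured action: deny + log
            return False
        self._remember(path, "clean")               # step 2: clean, cache and grant
        return True
```

In this model, a file cached as clean before a new signature is loaded is rescanned only because `add_extra_dat` flushes the cache, which is the behaviour the note above describes.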
