On-access scanning and how it works
The on-access scanner hooks into the system at the lowest levels (File-System Filter Driver) and scans files where they first enter your system. The on-access scanner acts as part of the system (System Service), and delivers notifications via the interface when detections occur.
When an attempt is made to open, close, or rename a file, the scanner intercepts the operation and takes these actions.
- The scanner determines if the file should be scanned based on these criteria:
  - The file’s extension matches the configuration.
  - The file has not been cached.
  - The file has not been excluded.
  - The file has not been previously scanned.
- If the file meets the scanning criteria, it is scanned by comparing the information in the file to the known malware signatures in the currently loaded DAT files.
- If the file is clean, the result is cached and the read, write, or rename operation is granted.
- If the file contains a threat, the operation is denied and the configured action is taken. For example:
  - If the file needs to be cleaned, the cleaning process is determined by the currently loaded DAT files.
  - The results are recorded in the activity log, if the scanner was configured to do so.
  - The On-Access Scan Messages alert appears describing the file name and the action taken, if the scanner was configured to do so.
- If the file does not meet the scanning requirements, it is not scanned. It is cached and the operation is granted.
Note: The scan file cache is flushed and all files are rescanned whenever, for example, the on-access scan configuration is changed, an EXTRA.DAT file is added, or when the cache is full.
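The decision flow and cache behaviour described above, as an added Python model that is not the product's code. Every name in it is hypothetical, the cache is keyed by path for simplicity, and the signature markers are constructed byte strings standing in for DAT content.

```python
from dataclasses import dataclass, field
from pathlib import PurePath

@dataclass
class OnAccessModel:
    """Toy model of the on-access decision flow; all names are hypothetical."""
    extensions: set            # extensions selected for scanning
    exclusions: set            # excluded paths
    signatures: list           # constructed markers standing in for DAT content
    cache_limit: int = 1000
    cache: set = field(default_factory=set)
    log: list = field(default_factory=list)

    def flush(self):
        # Config change, new EXTRA.DAT, or full cache: every file is rescanned.
        self.cache.clear()

    def set_exclusions(self, exclusions):
        self.exclusions = set(exclusions)
        self.flush()

    def add_extra_dat(self, marker):
        self.signatures.append(marker)
        self.flush()

    def on_access(self, path, data):
        """Return (granted, reason) for an intercepted file operation."""
        if path in self.cache:
            return True, "cached"
        ext = PurePath(path).suffix.lower()
        if ext not in self.extensions or path in self.exclusions:
            self._remember(path)               # not scanned, but still cached
            return True, "not-scanned"
        if any(sig in data for sig in self.signatures):
            self.log.append((path, "denied"))  # activity log entry
            return False, "threat"
        self._remember(path)                   # clean result is cached
        return True, "clean"

    def _remember(self, path):
        if len(self.cache) >= self.cache_limit:
            self.flush()
        self.cache.add(path)

if __name__ == "__main__":
    m = OnAccessModel({".exe"}, {"/opt/app/tool.exe"}, [b"CONSTRUCTED-MARKER-A"])
    print(m.on_access("/opt/app/tool.exe", b"CONSTRUCTED-MARKER-A"))  # excluded
    m.set_exclusions(set())                                           # flushes cache
    print(m.on_access("/opt/app/tool.exe", b"CONSTRUCTED-MARKER-A"))  # rescanned
```

The model makes the audit point concrete: an excluded or non-matching file is granted and cached without inspection, and it is only looked at again after an event that flushes the cache.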