The on-access scanner hooks into the system at the lowest levels
(File-System Filter Driver) and scans files where they first enter your system.
The on-access scanner acts as part of the system (System Service), and delivers
notifications via the interface when detections occur.
When an attempt is made to open, close, or rename a file, the scanner
intercepts the operation and takes these actions:
- The scanner determines if the file should be scanned based on these
  criteria:
  - The file’s extension matches the configuration.
  - The file has not been cached.
  - The file has not been excluded.
  - The file has not been previously scanned.
- If the file meets the scanning criteria, it is scanned by comparing
  the information in the file to the known malware signatures in the currently
  loaded DAT files.
  - If the file is clean, the result is cached and the read, write, or
    rename operation is granted.
  - If the file contains a threat, the operation is denied and the
    configured action is taken. For example:
    - If the file needs to be cleaned, that cleaning process is
      determined by the currently loaded DAT files.
    - The results are recorded in the activity log, if the
      scanner was configured to do so.
    - The On-Access Scan Messages alert appears, describing the file
      name and the action taken, if the scanner was configured to do so.
- If the file does not meet the scanning requirements, it is not
  scanned. It is cached and the operation is granted.
Note: The scan file cache is flushed and all files are rescanned
whenever, for example, the on-access scan configuration is changed, an
EXTRA.DAT file is added, or the cache is full.
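
The decision flow and cache flush described above, as a simplified model added here for illustration (not the product's code). It shows why the cache must be flushed when detection content changes. The class and method names, the path-keyed cache, and the byte-pattern "signatures" are assumptions that stand in for the real driver and DAT format.

```python
from dataclasses import dataclass, field
from pathlib import PureWindowsPath

@dataclass
class OnAccessModel:
    extensions: set        # extensions configured for scanning
    exclusions: set        # excluded paths
    signatures: dict       # name -> byte pattern; stand-in for the loaded DAT files
    cache_limit: int = 1000
    cache: set = field(default_factory=set)      # keyed on path only (simplification)
    activity_log: list = field(default_factory=list)

    def flush(self):
        """Empty the scan cache so every file is evaluated again."""
        self.cache.clear()

    def add_extra_dat(self, name, pattern):
        """New detection content invalidates every cached verdict."""
        self.signatures[name] = pattern
        self.flush()

    def _remember(self, path):
        if len(self.cache) >= self.cache_limit:   # cache full: flush, then start over
            self.flush()
        self.cache.add(path)

    def on_file_operation(self, path, content):
        """Return (granted, reason) for an intercepted open, close or rename."""
        if path in self.cache:
            return True, "cached"
        suffix = PureWindowsPath(path).suffix.lower()
        if suffix not in self.extensions or path in self.exclusions:
            self._remember(path)                  # not scanned, but still cached
            return True, "not-scanned"
        for name, pattern in self.signatures.items():
            if pattern in content:
                self.activity_log.append((path, name, "denied"))
                return False, "threat:" + name    # denied and never cached
        self._remember(path)
        return True, "scanned-clean"

def demo():
    # Constructed sample data: paths, marker bytes and signature names are invented.
    m = OnAccessModel({".exe", ".dll"}, {r"C:\build\tool.exe"},
                      {"Constructed.Sig.A": b"MARKER-A"})
    f, body = r"C:\app\setup.exe", b"MZ..MARKER-B.."
    first = m.on_file_operation(f, body)       # scanned, nothing matches yet
    second = m.on_file_operation(f, body)      # served from the cache
    m.add_extra_dat("Constructed.Sig.B", b"MARKER-B")
    third = m.on_file_operation(f, body)       # cache flushed, rescanned, denied
    return first, second, third

if __name__ == "__main__":
    print(demo())
```

Without the flush in add_extra_dat, the third call would return the stale "cached" verdict and the file would be granted even though a matching signature is now loaded.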