Oct 08 2021 09:50 AM
Hello Everyone,
Let me begin with a high-level presentation of our environment - our project develops an application for EU countries on top of a Microsoft infrastructure – Windows Server 2016, Active Directory, SQL Server 2016 and BizTalk Server 2016. More than 300 servers are protected with the default antimalware solution – Windows Defender.
Our application exchanges messages between countries, messages which often contain attachments. Since there is no particular integration with Windows Defender, we place all messages in a temporary folder for 10 minutes immediately after downloading and before starting to process them. This approach is supposed to give enough time to Windows Defender to scan the messages and the attachments.
The concerns we have are related to this 10-minute 'time window' we allow Windows Defender for scanning the messages. Is it enough, or do we need to increase it? For how long should we wait in order to make sure the messages we take from that temporary folder are scanned – regardless of their number or their size?
What does 'Real-time protection' mean, and how does it work? Do we really need to wait 10 minutes to make sure the files are scanned? Is it possible for a user or application to access/read/copy/run/use in any way an infected file before it is scanned?
I should mention that our servers are not connected to the internet but only rely on CLIENT features (offline signature database which is periodically updated). We do not use CLOUD threat intel as we cannot submit suspicious files to be analyzed due to GDPR constraints.
Thanks in advance for your clarifications.
George
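Editor's added example, not code from the thread or from Microsoft. The post above relies on a fixed 10-minute window for real-time protection to get to the staged files. The script below makes the scan an explicit, synchronous step instead: it refuses to release anything if the engine state is not trusted (real-time protection off, stale offline signatures, a path exclusion covering the staging folder, or sample submission not set to NeverSend, which matches the GDPR constraint in the post), runs an on-demand Defender scan of the staging folder, and then moves only files that have no recorded detection. It assumes Windows Server 2016 with the built-in Defender PowerShell module; the folder names, the signature-age limit, and the `file:_` shape of `Get-MpThreatDetection` resource entries are assumptions of the example.

```powershell
# Added example, not code from the thread. Gates release of downloaded
# messages on an explicit, synchronous Defender scan of the staging folder
# rather than on a fixed 10-minute wait. Assumes Windows Server 2016 with the
# Defender PowerShell module (Get-MpComputerStatus, Get-MpPreference,
# Start-MpScan, Get-MpThreatDetection). Folder names and the signature-age
# limit are hypothetical; adjust them to the real environment.

$StagingDir    = 'D:\Inbound\Staging'   # hypothetical: one flat folder where downloads land
$ProcessingDir = 'D:\Inbound\Ready'     # hypothetical: what the application consumes
$MaxSigAgeDays = 3                      # hypothetical policy for the offline signature feed

function Assert-DefenderReady {
    # Fail closed: release nothing if the engine state cannot be trusted.
    $status = Get-MpComputerStatus
    if (-not $status.RealTimeProtectionEnabled) {
        throw 'Real-time protection is disabled; not releasing files.'
    }
    if ($status.AntivirusSignatureAge -gt $MaxSigAgeDays) {
        throw "Signatures are $($status.AntivirusSignatureAge) days old (limit $MaxSigAgeDays)."
    }
    $pref = Get-MpPreference
    # SubmitSamplesConsent 2 = NeverSend; the post's GDPR constraint requires this.
    if ($pref.SubmitSamplesConsent -ne 2) {
        throw "SubmitSamplesConsent is $($pref.SubmitSamplesConsent), expected 2 (NeverSend)."
    }
    # A path exclusion on the staging folder would turn every scan into a no-op.
    foreach ($ex in @($pref.ExclusionPath)) {
        if ($ex -and $StagingDir.StartsWith($ex, [System.StringComparison]::OrdinalIgnoreCase)) {
            throw "Staging folder is inside scan exclusion '$ex'."
        }
    }
}

function Get-FlaggedPaths {
    # Paths under the staging folder for which Defender has recorded a detection.
    # Resource entries are assumed to have the shape 'file:_C:\path\to\file';
    # entries of any other shape are ignored.
    $flagged = @{}
    foreach ($d in @(Get-MpThreatDetection)) {
        foreach ($r in @($d.Resources)) {
            if ($r -match '^file:_(.+)$') {
                $path = $Matches[1]
                if ($path.StartsWith($StagingDir, [System.StringComparison]::OrdinalIgnoreCase)) {
                    $flagged[$path] = $d.ThreatID
                }
            }
        }
    }
    return $flagged
}

function Move-ScannedMessages {
    Assert-DefenderReady

    # Start-MpScan is synchronous: it returns only after the custom scan of the
    # folder has completed, so release does not depend on guessing a time window.
    Start-MpScan -ScanType CustomScan -ScanPath $StagingDir

    $flagged  = Get-FlaggedPaths
    $released = 0
    $held     = 0
    foreach ($f in Get-ChildItem -LiteralPath $StagingDir -File) {
        if ($flagged.ContainsKey($f.FullName)) {
            # Defender's own remediation (quarantine) handles the file; we only
            # make sure the application never sees it.
            Write-Warning "Held back $($f.FullName) (ThreatID $($flagged[$f.FullName]))"
            $held++
            continue
        }
        Move-Item -LiteralPath $f.FullName -Destination (Join-Path $ProcessingDir $f.Name)
        $released++
    }
    [pscustomobject]@{ Released = $released; Held = $held }
}

Move-ScannedMessages
```

Run it from the same scheduled job that currently waits 10 minutes, with the staging and processing folders on the same volume so `Move-Item` is a rename rather than a copy. The script deliberately throws instead of warning on any pre-check failure: a disabled engine or an exclusion on the staging path would otherwise let every file through "clean".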
Oct 12 2021 08:07 PM
Oct 12 2021 11:01 PM
Hello @Jake_Mowrer,
Thank you for your answer, but it doesn't answer my question - 'Is it possible for a user or application to access/read/copy/run/use in any way an infected file before it is scanned?'
What if we have millions of received files with sizes varying from a few KB to 2 GB? This could be a real-life production scenario. I also worked for Microsoft and I would expect a clear answer - Yes, the real-time protection will ensure all files are scanned before they are accessed in any way. No user or application can read that file before it is scanned. Or No, you should wait 1 hour to be 100% sure before starting to process the files. The purpose of my question is to shorten the processing of European cases by 10 minutes per segment - which should decrease the waiting time at the European level by millions of minutes per day in total.
I understand your explanation about the benefits of cloud features, but our servers do not communicate with the Internet, as they are part of a secure, enclosed network - this was decided long ago by all participant countries after long debates and it is unlikely to be changed.
The only benefit I see for keeping the files on disk for 10 minutes is to hope that 'Detonation-Based ML Models' will analyze a suspicious file and detect it as a virus in this short interval (see the attached screen). But since we do not submit samples, this benefit is only theoretical.
Thanks again, but I am still waiting for clarification on Real-time protection.
George