About AV Scan

Because sequencing is done without Antivirus/Antimalware software running, it is necessary to verify that the package is clean as soon as is practical.

Different Antivirus/Antimalware vendors use different kinds of logic that affect when malware will be found.  Within a single vendor's implementation, the thoroughness of checking can vary depending on the operation. Ultimately, all vendors appear to locate malware before it is too late for the end user, but some detect it earlier more often.  When App-V is used, detection tends to be delayed for three reasons:

  1. The App-V format is an archival format (e.g. Zip compression).  During certain kinds of detection, some vendors may not look inside the file or, even if they do, they might not look inside archive files nested within the App-V archive file.
  2. The App-V file uses an extension not known to most AV vendors.  Some use the extension to detect that the file is an archive format, while others look at the file header to determine this.
  3. Streaming at the client means AV vendors do not see the malware as it is copied into the App-V local cache; instead, they detect the problem only when the file is read from the local disk for use.

After sequencing a package, copying it to a network share may or may not trigger thorough detection, depending on the vendor.  Usually it does not.  Adding, Publishing, and Mounting the package at a client will usually not trigger detection either.  But a full system scan after mounting, or running the infected application in a way that causes the malware to be read from disk, will almost always trigger detection.

AV Scan in AppV_Manage is designed to understand the capabilities of some AV vendor software and trigger detection on demand, without the need to run a full system scan.  In some cases, the vendor supports a scan of just the cache folder for the package, which is usually much faster than a full disk scan.  In other cases, we can trigger detection by reading in each of the files in the package.  With some vendors, but not others, malware in a doubly embedded archive cannot be caught without a full scan.
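The two strategies described above, as an added example that is not AppV_Manage's own code: it assumes an App-V 5.x client with the AppvClient PowerShell module, the package cache under %ProgramData%\App-V\<PackageId>\<VersionId>\Root, and Windows Defender's MpCmdRun.exe as the example of a vendor that offers a folder scan (the page itself names no vendor). If no folder-scan command is available, it falls back to reading every file in the mounted package so the on-access scanner inspects each one as it leaves disk.

```powershell
# Added example, not part of AppV_Manage. Assumes App-V 5.x client,
# cache layout %ProgramData%\App-V\<PackageId>\<VersionId>\Root, and
# Windows Defender's MpCmdRun.exe as the folder-scan capable vendor.
param(
    [Parameter(Mandatory = $true)][string]$PackageName
)

Import-Module AppvClient -ErrorAction Stop

# Package must already be Added and Mounted so its cache folder exists.
$pkg  = Get-AppvClientPackage -Name $PackageName -ErrorAction Stop
$root = Join-Path $env:ProgramData ("App-V\{0}\{1}\Root" -f $pkg.PackageId, $pkg.VersionId)
if (-not (Test-Path $root)) {
    throw "Cache folder '$root' not found; Add and Mount the package first."
}

$mpCmdRun = Join-Path $env:ProgramFiles 'Windows Defender\MpCmdRun.exe'

if (Test-Path $mpCmdRun) {
    # Strategy 1: the vendor can scan only the package cache folder, which is
    # far faster than a full disk scan. ScanType 3 = custom scan of a path.
    & $mpCmdRun -Scan -ScanType 3 -File $root
    Write-Host "Defender folder scan of '$root' finished (exit code $LASTEXITCODE; see vendor docs for results)."
} else {
    # Strategy 2: no folder-scan command, so read every file in the package to
    # make the on-access scanner look at it as it is read from local disk.
    $files  = Get-ChildItem -Path $root -Recurse -File -Force -ErrorAction SilentlyContinue
    $read   = 0
    $failed = 0
    $buf    = New-Object byte[] (1MB)
    foreach ($f in $files) {
        try {
            $fs = [System.IO.File]::OpenRead($f.FullName)
            try {
                # Pull the whole file through the read path; contents are discarded.
                while ($fs.Read($buf, 0, $buf.Length) -gt 0) { }
                $read++
            } finally { $fs.Dispose() }
        } catch {
            # Access denied, or the AV product quarantining the file mid-read, lands here.
            $failed++
            Write-Warning "Could not read '$($f.FullName)': $($_.Exception.Message)"
        }
    }
    Write-Host "Read $read files, $failed failed. Archives nested inside the package are not inspected by this method."
}
```

Any detection is reported by the AV product itself, as the page notes, so check the vendor's log or console rather than this script's output.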

AppV_Manage will detect many AV vendor products.  This detection is shown on the Tool Configuration tab.  Hovering the mouse over the detection will tell you what the AV Scan can and cannot do for your situation.  It may recommend a full disk scan to ensure clean packages.

To use AV Scan, Add, Publish, and Mount the package on the Publishing tab of the tool.  Then click the AV Scan button located to the right of the Mount button.  AppV_Manage will usually not know whether any problems were found during the scan; typically the AV software itself notifies you when a problem is detected.  Check your AV vendor's documentation for how to view the scan results.