Comment by londons_explore

1 year ago

Even Defender is dumb. When you control the OS, which (in the default setup) has exclusive control of all disk reads and writes, you can be sure that if you wrote a virus-free file to disk, then it will be virus-free when you go to read the disk again.

So, why are we doing scan-on-read (with substantial performance overhead) when we should instead be doing scan-on-write (when scanning can, in most cases, be done in idle CPU cycles)?

1) virus database gets updated, what was written virus-free with the previous database may not be virus-free on the current database.

2) removable storage devices

3) the system drive is not controlled during reboots

You could imagine building a system that tracks which files we wrote and with which virus database version, which resets things to be scanned across reboots and virus database updates, and has exceptions for removable devices and so on, but it screams "attack surface"...

Network shares, the possibility that a client wrote files while the AV software was disabled, etc.

I always felt the same way about daily/weekly scans. How would anything get there if your client, server, etc all have AV? At that point it probably wouldn't be caught anyway.
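The scan-on-write scheme sketched in the thread (remember what you scanned and with which signature database, throw the verdict away after a reboot or a database update, never trust removable media) can be written down as a small verdict cache. The following is an added example, not code from any commenter or from any real AV product; the signature "database", the mount points, the boot-id model and the file contents are all constructed for illustration.

```python
"""Scan-on-write verdict cache (hypothetical example).

A cached "clean" verdict is reused on read only if all of these hold:
  * the file is not on a removable mount,
  * the file was scanned at all (written through this cache),
  * the signature database version has not changed since the write,
  * the boot session has not changed since the write (the disk was
    outside OS control while rebooted),
  * the content hash still matches (catches writes the cache never saw).
Otherwise the read falls back to a normal scan-on-read.
"""
import hashlib
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Optional

# Constructed signature database: version -> byte patterns treated as malicious.
# Version 2 knows a pattern version 1 did not, so a file that was clean under
# v1 may be malicious under v2 (point 1 in the comment above).
SIGNATURE_DBS = {
    1: [b"EVIL-V1"],
    2: [b"EVIL-V1", b"EVIL-V2"],
}


def scan(data: bytes, db_version: int) -> bool:
    """Return True if data matches no signature in the given database version."""
    return not any(sig in data for sig in SIGNATURE_DBS[db_version])


def content_hash(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass(frozen=True)
class Verdict:
    content_hash: str
    db_version: int
    boot_id: str


@dataclass
class ScanCache:
    db_version: int
    boot_id: str
    removable_mounts: FrozenSet[str] = frozenset()
    verdicts: Dict[str, Verdict] = field(default_factory=dict)

    def _on_removable(self, path: str) -> bool:
        return any(path.startswith(m) for m in self.removable_mounts)

    def _remember(self, path: str, data: bytes) -> None:
        self.verdicts[path] = Verdict(content_hash(data), self.db_version, self.boot_id)

    def on_write(self, path: str, data: bytes) -> bool:
        """Scan at write time and remember a clean verdict. Returns True if clean."""
        clean = scan(data, self.db_version)
        if clean and not self._on_removable(path):
            self._remember(path, data)
        else:
            self.verdicts.pop(path, None)  # never cache a verdict we cannot trust
        return clean

    def read_check_reason(self, path: str, data: bytes) -> Optional[str]:
        """None if the cached verdict is still valid, else why a rescan is needed."""
        if self._on_removable(path):
            return "removable-media"
        v = self.verdicts.get(path)
        if v is None:
            return "untracked"
        if v.boot_id != self.boot_id:
            return "written-in-previous-boot"
        if v.db_version != self.db_version:
            return "signature-db-updated"
        if v.content_hash != content_hash(data):
            return "content-changed-outside-os"
        return None

    def on_read(self, path: str, data: bytes) -> bool:
        """Scan-on-read only when the cache cannot vouch for the file."""
        if self.read_check_reason(path, data) is None:
            return True
        return self.on_write(path, data)  # rescan and refresh the verdict

    def update_db(self, version: int) -> None:
        self.db_version = version

    def reboot(self, new_boot_id: str) -> None:
        self.boot_id = new_boot_id


if __name__ == "__main__":
    cache = ScanCache(1, "boot-A", frozenset({"/media/usb/"}))
    cache.on_write("/home/u/c.bin", b"EVIL-V2")  # clean under db v1
    cache.update_db(2)
    print(cache.read_check_reason("/home/u/c.bin", b"EVIL-V2"))  # signature-db-updated
    print(cache.on_read("/home/u/c.bin", b"EVIL-V2"))            # False: caught on rescan
```

The order of the checks matters: the removable-media and "untracked" cases are answered before any hash is computed, so the cheap negative paths stay cheap, and the hash comparison is the last line of defence for the case the commenter calls "attack surface", a file that changed while the OS was not mediating writes.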