Sunday, January 11, 2009

Antivirus and Last Access timestamps

Last October I blogged about Time and Time Stamps. I have received a question about antivirus products and their ability to preserve the Last Access timestamp of the files they scan.

I decided to post a quick answer here.

Corporate and retail antivirus solutions are usually designed a bit differently. Many corporate information systems rely on file replication services, migration of files based on last access date, and backups. A non-compliant antivirus solution may result in excessive replication, long or failed backups of unchanged files, and failed security audits that depend on Last Access timestamps.

A good example of a corporate antivirus solution that deals with such issues is Norton Antivirus (NAV) Corporate Edition. To my knowledge, since NAV version 7.61 Symantec has included a "Preserve file times" option. This option restores the Last Access timestamp of files that are scanned by the NAV "Auto-Protect" module. See attached image of NAV Corp v 10 for details.


"During a scan, NAV will save various attributes of the file (file attributes, the security descriptor GetFileSecurity, last access timestamp, and so forth) before the scan so that the file can be restored to its original condition.... " Microsoft Article ID: 284947
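The save-then-restore behaviour described in that quote can be sketched as follows. This is an added example, not code from the original post and not Symantec's implementation; `scan_file` and `demo` are hypothetical names, hashing stands in for the scan, and the file content and timestamp are constructed.

```python
import hashlib
import os
import tempfile


def scan_file(path, preserve_times=True):
    """Read every byte of `path` (a stand-in for an AV scan).

    Returns (sha256_hex, stat_before, stat_after).
    """
    before = os.stat(path)  # save the timestamps before touching the content
    digest = hashlib.sha256()
    with open(path, "rb") as fh:  # reading may update Last Access
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    if preserve_times:
        # Put back the saved Last Access and Last Modified values.
        # On POSIX this call itself updates st_ctime (inode change time),
        # which cannot be set back the same way.
        os.utime(path, ns=(before.st_atime_ns, before.st_mtime_ns))
    after = os.stat(path)
    return digest.hexdigest(), before, after


def demo():
    """Scan a constructed temp file; return (sha256, expected_ns, atime_ns, mtime_ns)."""
    fd, path = tempfile.mkstemp()
    try:
        with os.fdopen(fd, "wb") as fh:
            fh.write(b"constructed sample content\n")
        # Constructed timestamp: 2009-01-11 00:00:00 UTC, whole seconds so it
        # survives file systems with coarse timestamp resolution.
        old_ns = 1231632000 * 10**9
        os.utime(path, ns=(old_ns, old_ns))
        sha, _before, after = scan_file(path, preserve_times=True)
        return sha, old_ns, after.st_atime_ns, after.st_mtime_ns
    finally:
        os.remove(path)


if __name__ == "__main__":
    sha, expected, atime_ns, mtime_ns = demo()
    print("sha256:", sha)
    print("atime preserved:", atime_ns == expected)
    print("mtime preserved:", mtime_ns == expected)
```

Calling `scan_file(path, preserve_times=False)` on the same file shows whether a plain read changes Last Access on a given system, which depends on the file system and its access-time settings.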

On the time forensics site you can find a reasonable quality research paper by K. Chow, F. Law, M. Kwan, P. Lai called "The Rules of Time on NTFS" that describes the relationship between file searching tools, antivirus products and the Last Access timestamp. Just keep in mind that there are also corporate antivirus solutions and other tools, which may be using different methods to open files.
