Why Your Antivirus Needs Real-Time Scanning
Posted on November 9th, 2017 by Jay Vrijenhoek and Derek Erwin
Real-time scanning is one of the most important features in any antivirus product. With manual scanning, files are checked for malware only when a scan is run. You will not find an infected file until after it is downloaded and you choose to run a scan; but, at this point, the damage may be done! With real-time scanning, your antivirus constantly checks files as they are accessed.
If you attempt to download malware, real-time scanning will catch it immediately and not allow it to damage your system. For instance, if you receive an email with a malicious attachment or if you inadvertently download a malicious installer, it will detect and quarantine the file before you have a chance to open it and potentially infect your Mac with malware.
Despite how useful real-time scanning is for malware protection, Intego routinely encounters questions about this feature — it’s evident that it is something of a mystery to many Mac antivirus users. In this article, we’ll try to answer some of the common questions that users have raised about the need for real-time scanning.
Can I just scan my Mac periodically?
Of course you can! But with real-time scanning you only need to run a full system scan once, when you install the antivirus product. After the full system scan is done, real-time scanning can keep an eye on every piece of data that enters your system going forward. A full scan can take a decent amount of time to run and typically uses all of your available system resources, which is likely to impact system performance until it’s done.
With that in mind, a lot of users postpone a scan until it’s more convenient or cancel a scheduled scan because now is not a good time. Before you know it, a month has passed and no scan was done. A lot can happen in that time, which can put your system at risk.
Real-time scanning uses very few system resources, and it takes the human element out of antivirus protection, so it is the preferred way of keeping a system malware free.
Does real-time scanning slow down my Mac?
It used to. But this was over a decade ago when most Macs only had a single processor with a single core. Having just one processor core to handle everything that goes on in macOS (and the applications and processes you run) is a big task! In the past, real-time scanning would often interrupt or delay those tasks, resulting in a noticeably slow system. Limited amounts of memory (RAM) and typically much slower storage (HDD) exacerbated this performance impact.
These days, however, the vast majority of the Macs in use have at least two processor cores of multiple GHz and the same number of virtual cores. Having 4, 8 or 16 GB of RAM is also common, as well as fast hard drives or solid state drives. This gives a typical system more than enough resources to handle everything that goes on, including real-time scanning by an antivirus product.
Why can antivirus scans take so long to run?
One reason a full system antivirus scan (or even a scheduled scan) can take so long is archive scanning, which is the process of extracting and scanning large numbers of files. Occasionally, when scanning archives, a scan can appear to be “stuck” on a file for an extended period of time. Because the progress bar stops moving for what could be a long period of time, this can give the impression that the scan is hanging and unable to complete, which no doubt can be frustrating from a user perspective.
With real-time scanning, you can safely skip scanning archives. If an archive does have malware, it will get picked up when you expand the archive. Without real-time scanning, it will be missed until the next time you run a scan. Therefore, an antivirus without real-time scanning will best protect you by taking the high road and scanning archives, because this is the only way it would detect if an archive has malware. That said, full system scans are technically not necessary these days because of real-time scanning.
For instance, our VirusBarrier X9 products offer a real-time scanning engine that is turned on by default, and therefore it is safe to skip archive scanning when running a full scan. By contrast, our VirusBarrier Scanner does not include a real-time scanner, and we believe that for the benefit of your security we should scan archives by default — even if it takes longer to run a scan. The downside is that this means scans can take significantly longer, but the upside is that we feel you are better protected!
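The archive trade-off described above, as an added sketch that is not Intego's code: an on-demand scan that skips ZIP archives misses a flagged file inside one, a scan that opens archives finds it, and an on-access check catches it when the archive is expanded. The signature is a constructed, harmless byte pattern, and all function names here are assumptions made for illustration.

```python
import tempfile
import zipfile
from pathlib import Path

# Constructed, harmless byte pattern standing in for a malware signature.
SIGNATURES = {"Constructed.Test.Sample": b"CONSTRUCTED-HARMLESS-TEST-PATTERN"}

def match(data):
    """Names of all signatures whose pattern occurs in the bytes."""
    return [name for name, pat in SIGNATURES.items() if pat in data]

def members(archive):
    """Yield (member name, bytes) for every file inside a ZIP archive."""
    with zipfile.ZipFile(archive) as zf:
        for info in zf.infolist():
            if not info.is_dir():
                yield info.filename, zf.read(info)

def on_demand_scan(root, scan_archives):
    """Scan a folder once; ZIP archives are opened only if scan_archives is set."""
    hits = []
    for path in sorted(p for p in Path(root).rglob("*") if p.is_file()):
        if not zipfile.is_zipfile(path):
            hits += [(path.name, s) for s in match(path.read_bytes())]
        elif scan_archives:
            hits += [(f"{path.name}!{n}", s) for n, d in members(path) for s in match(d)]
    return hits

def expand_with_on_access(archive, dest):
    """Expand a ZIP, checking each file before it is written (the real-time step)."""
    blocked = []
    for name, data in members(archive):
        if match(data):
            blocked.append(name)  # quarantined: never written to dest
        else:  # file name only, dropping any directory part of the member path
            (Path(dest) / Path(name).name).write_bytes(data)
    return blocked

def demo():
    """Build a constructed download, then compare the three behaviours."""
    with tempfile.TemporaryDirectory() as tmp:
        arc, out = Path(tmp) / "download.zip", Path(tmp) / "expanded"
        with zipfile.ZipFile(arc, "w", zipfile.ZIP_DEFLATED) as zf:
            zf.writestr("readme.txt", "hello")
            zf.writestr("installer.bin", b"\x00" + SIGNATURES["Constructed.Test.Sample"])
        quick = on_demand_scan(tmp, scan_archives=False)
        full = on_demand_scan(tmp, scan_archives=True)
        out.mkdir()
        blocked = expand_with_on_access(arc, out)
        return quick, full, blocked, sorted(p.name for p in out.iterdir())

if __name__ == "__main__":
    print(demo())
```

The quick scan returns no hits because the pattern sits compressed inside the archive; only the full scan or the expansion-time check sees the member's actual bytes.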
How does real-time scanning combat malware?
The average person receives over 120 emails a day across all email services they use; this is a combination of subscriptions, work, personal and spam email. While email attachments used to be uncommon due to limited Internet speeds, mailbox sizes and attachment size limits, these days almost every email has an attachment. This can be an image, PDF or, more commonly, an email signature with formatted text and a logo of some kind in it. The little paperclip icon in your Mail client is incredibly common now, thus it is largely ignored.
If just one of these attachments is malicious, and your next scheduled antivirus scan is still 9 hours away, chances are you will open the email with the malicious attachment long before that scan starts. Real-time scanning will catch the malicious attachment probably before you even realize you received the email.
The same goes for files you download, either intentionally or unintentionally (think pop-ups and spam sites), and files that make their way onto your Mac via file sharing, data transfer from a flash drive, etc.
What is network real-time scanning?
Another kind of real-time scanning applies to network traffic. Real-time scanning by an antivirus solution focuses on specific strings of data that match known malicious patterns. (This is how it can catch that malicious Flash Player installer before you get a chance to open it.) Network real-time scanning — in other words a two-way firewall scanning inbound and outbound connections in real-time — focuses on similar patterns. It can allow or deny incoming or outgoing network traffic based on which application is sending or receiving data and what location you are in; for example, more stringent rules when you’re on a public Wi-Fi network and less stringent rules when you’re on a trusted home network. (RELATED: Why You Need an Outbound Firewall.)
There is also real-time scanning that applies to content within the above-mentioned network traffic. These kinds of real-time scanners make sure emails, chats and websites with potentially harmful content are blocked. This is a great way to protect children while they use a computer.
Real-time scanning is what ultimately keeps your Mac free from unwanted code whether it’s an email attachment, malicious installer or network traffic.
Did we answer all of your questions concerning antivirus real-time scanning? In what scenario would you prefer periodic, manual malware scans instead of real-time scanning? Have something else to say about this story? Drop us a comment below!