The on-demand scan cache file is used during Manual Scan, Scheduled Scan, and Scan Now. Security Agents do not scan files whose caches have been added to the on-demand scan cache file.
Each time scanning runs, the Security Agent checks the properties of threat-free files. If a threat-free file has not been modified for a certain period of time (the time period is configurable), the Security Agent adds the cache of the file to the on-demand scan cache file. When the next scan occurs, the file will not be scanned if its cache has not expired.
The cache for a threat-free file expires within a certain number of days (the time period is also configurable). When scanning occurs on or after the cache expiration, the Security Agent removes the expired cache and scans the file for threats. If the file is threat-free and remains unmodified, the cache of the file is added back to the on-demand scan cache file. If the file is threat-free but was recently modified, the cache is not added and the file will be scanned again on the next scan.
The cache for a threat-free file expires to prevent the exclusion of infected files from scans, as illustrated in the following examples:
- It is possible that a severely outdated pattern file may have treated an infected, unmodified file as threat-free. If the cache does not expire, the infected file remains in the system until it is modified and detected by Real-time Scan.
- If a cached file was modified and Real-time Scan is not functional during the file modification, the cache needs to expire so that the modified file can be scanned for threats.
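A simplified model of the cache lifecycle and the first expiry scenario above, added here as an illustration; it is not the product's implementation. The class, the parameter names, the day-number timestamps, and the sample files are assumptions, and the skip decision depends only on cache expiry, as the text describes.

```python
from dataclasses import dataclass, field

@dataclass
class OnDemandScanCache:
    min_unmodified_days: int  # hypothetical name: days a clean file must stay unmodified
    expiry_days: int          # hypothetical name: lifetime of a cache entry in days
    entries: dict = field(default_factory=dict)  # path -> day on which the entry expires

    def scan(self, today, files, detect):
        """files maps path -> last-modified day; detect(path) is True when the
        current pattern flags the file. Returns path -> skipped/clean/threat."""
        result = {}
        for path, modified_day in files.items():
            expires = self.entries.get(path)
            if expires is not None and today < expires:
                result[path] = "skipped"      # cache still valid: file is not scanned
                continue
            self.entries.pop(path, None)      # on or after expiration: drop the entry
            if detect(path):
                result[path] = "threat"
                continue
            result[path] = "clean"
            # Only clean files that have stayed unmodified long enough are cached.
            if today - modified_day >= self.min_unmodified_days:
                self.entries[path] = today + self.expiry_days
        return result

def demo():
    """Constructed timeline: an outdated pattern misses dropper.bin on day 20."""
    cache = OnDemandScanCache(min_unmodified_days=7, expiry_days=30)
    files = {"report.doc": 0, "dropper.bin": 0, "notes.txt": 18}  # constructed sample

    def outdated_pattern(path):
        return False                          # misses the infected file

    def updated_pattern(path):
        return path == "dropper.bin"

    schedule = [(20, outdated_pattern), (27, updated_pattern), (50, updated_pattern)]
    return [(day, cache.scan(day, files, pattern)) for day, pattern in schedule]

if __name__ == "__main__":
    for day, outcome in demo():
        print(day, outcome)
```

In this model the updated pattern on day 27 still skips dropper.bin because its cache entry is valid until day 50, when the entry expires and the file is scanned and flagged. Raising expiry_days widens that window, which is the cost of the performance gain from a longer expiration.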
The number of caches added to the on-demand scan cache file depends on the scan type and its scan target. For example, the number of caches may be lower if the Security Agent scanned only 200 of the 1,000 files on the endpoint during Manual Scan.
If on-demand scans are run frequently, the on-demand scan cache file reduces the scanning time significantly. In a scan task where no caches have expired, scanning that usually takes 12 minutes can be reduced to 1 minute. Reducing the number of days a file must remain unmodified and extending the cache expiration usually improve performance. Because files need to remain unmodified for only a relatively short period of time, more caches can be added to the cache file. The caches also take longer to expire, which means that more files are skipped during scans.
If on-demand scans are seldom run, you can disable the on-demand scan cache because the caches would have expired by the time the next scan runs.