The OfficeScan client can build the digital signature and on-demand scan cache files to improve its scan performance. When an on-demand scan runs, the client first checks the digital signature cache file and then the on-demand scan cache file for files to exclude from the scan. Scanning time is reduced if a large number of files are excluded from the scan.
The digital signature cache file is used during Manual Scan, Scheduled Scan, and Scan Now. Clients do not scan files whose caches have been added to the digital signature cache file.
The OfficeScan client uses the same Digital Signature Pattern used for Behavior Monitoring to build the digital signature cache file. The Digital Signature Pattern contains a list of files that Trend Micro considers trustworthy and therefore can be excluded from scans.
Behavior Monitoring is automatically disabled on Windows server platforms and cannot be used on 64-bit platforms. If the digital signature cache is enabled, clients on these platforms download the Digital Signature Pattern for use in the cache and do not download the other Behavior Monitoring components.
Clients build the digital signature cache file according to a schedule, which is configurable from the web console. Clients do this to:
Add the cache for new files that were introduced to the system since the last cache file was built
Remove the cache for files that have been modified or deleted from the system
During the cache building process, clients check the following folders for trustworthy files and then adds the caches for these files to the digital signature cache file:
The cache building process does not affect a computer’s performance because clients use minimal system resources during the process. Clients are also able to resume a cache building task that was interrupted for some reason (for example, when the host machine is powered off or when a wireless computer’s AC adapter is unplugged).
The on-demand scan cache file is used during Manual Scan, Scheduled Scan, and Scan Now. Clients do not scan files whose caches have been added to the on-demand scan cache file.
Each time scanning runs, the client checks the properties of threat-free files. If a threat-free file has not been modified for a certain period of time (the time period is configurable), the client adds the cache of the file to the on-demand scan cache file. When the next scan occurs, the file will not be scanned if its cache has not expired.
The cache for a threat-free file expires within a certain number of days (the time period is also configurable). When scanning occurs on or after the cache expiration, the client removes the expired cache and scans the file for threats. If the file is threat-free and remains unmodified, the cache of the file is added back to the on-demand scan cache file. If the file is threat-free but was recently modified, the cache is not added and the file will be scanned again on the next scan.
The cache for a threat-free file expires to prevent the exclusion of infected files from scans, as illustrated in the following examples:
It is possible that a severely outdated pattern file may have treated an infected, unmodified file as threat-free. If the cache does not expire, the infected file remains in the system until it is modified and detected by Real-time Scan.
If a cached file was modified and Real-time Scan is not functional during the file modification, the cache needs to expire so that the modified file can be scanned for threats.
The number of caches added to the on-demand scan cache file depends on the scan type and its scan target. For example, the number of caches may be less if the client only scanned 200 of the 1,000 files in a computer during Manual Scan.
If on-demand scans are run frequently, the on-demand scan cache file reduces the scanning time significantly. In a scan task where all caches are not expired, scanning that usually takes 12 minutes can be reduced to 1 minute. Reducing the number of days a file must remain unmodified and extending the cache expiration usually improve the performance. Since files must remain unmodified for a relatively short period of time, more caches can be added to the cache file. The caches also expire longer, which means that more files are skipped from scans.
If on-demand scans are seldom run, you can disable the on-demand scan cache since caches would have expired when the next scan runs.
To configure cache settings for scans:
Networked Computers > Client Management
In the client tree, click the root domain icon to include all clients or select specific domains or clients.
Click Settings > Privileges and Other Settings.
Click the Other Settings tab and go to the Cache Settings for Scans section.
Configure settings for the digital signature cache.
Select Enable the digital signature cache.
In Build the cache every __ days, specify how often the client builds the cache.
Configure settings for the on-demand scan cache.
Select Enable the on-demand scan cache.
In Add the cache for safe files that are unchanged for __ days, specify the number of days a file must remain unchanged before it is cached.
In The cache for each safe file expires within __ days, specify the maximum number of days a cache remains in the cache file.
To prevent all caches added during a scan from expiring on the same day, caches expire randomly within the maximum number of days you specified. For example, if 500 caches were added to the cache today and the maximum number of days you specified is 10, a fraction of the caches will expire the next day and the majority will expire on the succeeding days. On the 10th day, all caches that remain will expire.
If you selected domain(s) or client(s) in the client tree, click Save. If you clicked the root domain icon, choose from the following options:
Apply to All Clients: Applies settings to all existing clients and to any new client added to an existing/future domain. Future domains are domains not yet created at the time you configured the settings.
Apply to Future Domains Only: Applies settings only to clients added to future domains. This option will not apply settings to new clients added to an existing domain.