On-demand Scan Cache

The on-demand scan cache file is used during Manual Scan, Scheduled Scan, and Scan Now. Security Agents do not scan files whose caches have been added to the on-demand scan cache file.

Each time scanning runs, the Security Agent checks the properties of threat-free files. If a threat-free file has not been modified for a certain period of time (the time period is configurable), the Security Agent adds the cache of the file to the on-demand scan cache file. When the next scan occurs, the file will not be scanned if its cache has not expired.

The cache for a threat-free file expires within a certain number of days (the time period is also configurable). When scanning occurs on or after the cache expiration, the Security Agent removes the expired cache and scans the file for threats. If the file is threat-free and remains unmodified, the cache of the file is added back to the on-demand scan cache file. If the file is threat-free but was recently modified, the cache is not added and the file will be scanned again on the next scan.

The cache for a threat-free file expires to prevent the exclusion of infected files from scans, as illustrated in the following examples:

  • A severely outdated pattern file may have treated an infected, unmodified file as threat-free. If the cache does not expire, the infected file remains in the system until it is modified and detected by Real-time Scan.

  • If a cached file was modified and Real-time Scan is not functional during the file modification, the cache needs to expire so that the modified file can be scanned for threats.
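The following added example models the caching and expiration rules described above and replays the outdated-pattern case from the first bullet. It is not Trend Micro code: the names `ScanCache`, `unmodified_days` and `expiry_days`, the sample files, and the two pattern functions are constructed for illustration, and the model assumes a skip decision consults only the cache entry.

```python
from dataclasses import dataclass, field

@dataclass
class ScanCache:
    unmodified_days: int  # assumed name: days a file must stay unmodified to be cached
    expiry_days: int      # assumed name: days until a cache entry expires
    entries: dict = field(default_factory=dict)  # path -> day the entry was added

    def scan(self, files, today, detects):
        """One on-demand scan. files maps path -> (last_modified_day, content);
        detects(content) stands in for the pattern file in use that day."""
        scanned, skipped, detected = [], [], []
        for path, (mtime, content) in files.items():
            cached_on = self.entries.get(path)
            if cached_on is not None:
                if today - cached_on < self.expiry_days:
                    skipped.append(path)       # entry still valid: not scanned
                    continue
                del self.entries[path]         # on or after expiration: drop, rescan
            scanned.append(path)
            if detects(content):
                detected.append(path)          # a threat is never cached
            elif today - mtime >= self.unmodified_days:
                self.entries[path] = today     # threat-free and unmodified: cache
        return scanned, skipped, detected

def demo():
    # Constructed sample data: tool.exe is infected, but the day-0 pattern misses it.
    files = {"report.doc": (-90, "clean"),
             "tool.exe": (-90, "sample-x"),
             "notes.txt": (-1, "clean")}       # modified one day before day 0
    outdated_pattern = lambda content: False
    current_pattern = lambda content: content == "sample-x"
    cache = ScanCache(unmodified_days=7, expiry_days=30)
    return (cache.scan(files, 0, outdated_pattern),
            cache.scan(files, 10, current_pattern),
            cache.scan(files, 30, current_pattern))

if __name__ == "__main__":
    for day, (scanned, skipped, detected) in zip((0, 10, 30), demo()):
        print(f"day {day}: scanned={scanned} skipped={skipped} detected={detected}")
```

On day 10 the updated pattern never sees `tool.exe` because its entry is still valid; detection happens only on day 30, when the entry expires.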

The number of caches added to the on-demand scan cache file depends on the scan type and its scan target. For example, the number of caches may be fewer if the Security Agent only scanned 200 of the 1,000 files on the endpoint during Manual Scan.

If on-demand scans are run frequently, the on-demand scan cache file reduces the scanning time significantly. In a scan task where none of the caches have expired, scanning that usually takes 12 minutes can be reduced to 1 minute. Reducing the number of days a file must remain unmodified and extending the cache expiration usually improves performance. Because files need to remain unmodified for only a relatively short period of time, more caches can be added to the cache file. The caches also take longer to expire, which means that more files are skipped during scans.

If on-demand scans are seldom run, you can disable the on-demand scan cache, because the caches would already have expired by the time the next scan runs.