The benefit of the real-time scan method is that a file is scanned with the latest virus definitions before it is used. By using this approach, viruses can be detected before they compromise data.
When a user opens a file from the client, the virus scanning process operates as follows:
The vscan service determines whether the file needs to be scanned, based on whether the file has been scanned with the current virus definitions previously and if the file has been modified since it was last scanned.
If scanning is not necessary, then the process ends and the user is permitted to access the file
If scanning is necessary, the file is transferred to the scan engine.
If the transfer is successful, then the engine scans the file using the current virus definitions to determine whether the file is infected.
If the transfer fails, the process continues as follows:
The file is transferred to the next available scan engine that can perform the file scanning.
If no alternative engines exist or are available, virus scanning is considered failed and access to the file might be denied.
If no virus is detected, the file is tagged with a scan stamp and the client is permitted to access the file.
If a virus is detected, the file is marked as quarantined. A quarantined file cannot be read, executed, or renamed but it can be deleted. The system log records the name of the quarantined file and the name of the virus and, if auditing has been enabled, an audit record with the same information is created.