
Anti Virus software on Forensic Workstation

13 Posts
9 Users
0 Reactions
3,484 Views
(@mcman)
Estimable Member
Joined: 15 years ago
Posts: 189
 

I will typically have A/V installed on my forensics box but please, please, please, if you do, make sure you're able to turn off active scanning and keep it off. That will be your biggest performance hit. Passmark's write-up is excellent.

While regular examination things may not always be impacted, I know things like loading hash lists (especially when there are millions of records being written to a database) will have a major impact. I know in AXIOM I ran some tests with active scanning on vs off and it took almost 2 days to build a hash database. Turned off active scanning, less than 2 hours. That's a huge difference.

I'm actually a fan of Windows Defender for A/V scans; however, I struggle to control the active scanning on/off. I'll turn it off and a day later it will turn itself back on, which becomes a problem, so quite often I'll install something else over top of it and disable Defender, which gives me better control of the active scanning part of A/V.

So in short, I'm a big fan of doing manual A/V scans as part of my investigation but make sure you keep the active scanning in check or you'll have a bad time for many things.

Jamie McQuaid
Magnet Forensics


   
(@ludlowboy)
Trusted Member
Joined: 15 years ago
Posts: 71
Topic starter  

Thanks to everyone who has provided useful answers.

Has anyone had to install and use AV software as part of ISO 17025 accreditation?


   
(@garethb)
Active Member
Joined: 13 years ago
Posts: 13
 

I think it might be more of a requirement for the FSR Codes than actually 17025, but I assume you are doing both together? It was not raised specifically during our initial assessments, but we already had it in place, so it could be they saw that and decided not to ask about it. We also were doing 17025 and the Codes separately, and this was a 17025 assessment only.

I have used an Enterprise version of McAfee (organisation IT already had it set up for the corporate network), and as long as you turn off On-Access scanning and exclude the file paths of temp directories, export folders and other directories used by the forensic tools to function, it didn't cause a problem. We had ours set to do a local scan once a week on a Friday night, so even if it used some machine resources during that, it wasn't noticed.

Either way, some kind of virus scanning software should be pretty straightforward to implement on a small network; the challenge is getting frequent definition updates without manually updating them every week, as I assume you won't have internet access. We had a specific one-way route created via a firewall to pull updates from an internal repository on the corporate network.


   
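The two configurations described above (Jamie's point about keeping Defender's active scanning off and it switching itself back on, and Gareth's On-Access off / excluded tool paths / weekly Friday-night scan / updates from an internal repository) map onto the built-in Microsoft Defender PowerShell cmdlets. The script below is an added example, not code from either poster or from Magnet or McAfee; it targets Windows Defender only. The directory paths, the process name, the share path and the scan time are assumed placeholders to adjust for your own workstation and tools.

```powershell
# Added example: tune Microsoft Defender on a forensic workstation so that
# on-access (real-time) scanning is off, tool working directories are excluded,
# a full scan runs once a week, and definitions come from an internal share.
# Uses only the built-in Defender cmdlets. Run from an elevated prompt.
#Requires -RunAsAdministrator

# Assumed, workstation-specific paths and process names: adjust to your tools.
$excludedPaths = @(
    'D:\Cases',                       # evidence and case files (assumed)
    'D:\Exports',                     # export folders written by the tools (assumed)
    'D:\Tools\TempWorking'            # scratch space used during processing (assumed)
)
$excludedProcesses = @('ExampleForensicTool.exe')   # placeholder process name
$updateShare       = '\\corp-av-repo\DefenderUpdates' # assumed internal share reachable via the one-way route

# 1. Record the state before touching anything, so the change is auditable.
$before = Get-MpComputerStatus |
    Select-Object RealTimeProtectionEnabled, IsTamperProtected, AntivirusSignatureLastUpdated
$before | Format-List

# Tamper Protection makes Defender ignore Set-MpPreference changes to real-time
# protection; it has to be turned off in the Windows Security app (or by policy) first.
if ($before.IsTamperProtected) {
    Write-Warning 'Tamper Protection is on: the real-time monitoring change below will be ignored until it is disabled.'
}

# 2. Exclude tool directories and processes from whatever scanning remains.
Add-MpPreference -ExclusionPath $excludedPaths
Add-MpPreference -ExclusionProcess $excludedProcesses

# 3. Turn off on-access scanning, the setting the thread identifies as the big
#    performance hit. Defender can re-enable it on its own (updates, policy,
#    Tamper Protection), so re-check this setting periodically.
Set-MpPreference -DisableRealtimeMonitoring $true

# 4. Weekly full scan on Friday at 22:00 local time (assumed), remediation an hour later.
Set-MpPreference -ScanParameters FullScan `
                 -ScanScheduleDay Friday `
                 -ScanScheduleTime 22:00:00 `
                 -RemediationScheduleDay Friday `
                 -RemediationScheduleTime 23:00:00

# 5. Pull definitions from the internal repository rather than the internet.
Set-MpPreference -SignatureDefinitionUpdateFileSharesSources $updateShare `
                 -SignatureFallbackOrder 'FileShares'
Update-MpSignature -UpdateSource FileShares

# 6. Verify: real-time protection should now report False and the exclusions
#    and schedule should be present.
$after = Get-MpComputerStatus
$pref  = Get-MpPreference
[pscustomobject]@{
    RealTimeProtectionEnabled = $after.RealTimeProtectionEnabled
    SignatureLastUpdated      = $after.AntivirusSignatureLastUpdated
    ScanScheduleDay           = $pref.ScanScheduleDay
    ScanScheduleTime          = $pref.ScanScheduleTime
    ExclusionPaths            = ($pref.ExclusionPath -join '; ')
} | Format-List

# Manual on-demand sweep of one case folder, for the "manual A/V scan as part of
# the investigation" approach (path is a placeholder):
# Start-MpScan -ScanType CustomScan -ScanPath 'D:\Cases\Case-001'
```

Two checks worth building into the workstation's routine: re-run `Get-MpComputerStatus` after Windows updates, because `RealTimeProtectionEnabled` flipping back to True is exactly the behaviour described above, and keep the case and export folders in the exclusion list so the weekly scan reports on evidence without quarantining or altering it.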