IT Pros. Network AV preference and why?

  • Barney Fife
    CGSSA Associate
    CGN Contributor - Lifetime
    • Mar 2008
    • 4424

    IT Pros. Network AV preference and why?

    Hey all,

    My office uses Symantec Enterprise edition currently. Unfortunately even with extreme configuring it makes a huge performance hit on workstations trying to process millions of tiff images. A slight delay makes huge productivity issues.

    So we are cruising around looking at other options. We only need 50 seats for this.

    Thanks!
    "Capitalism is the unequal distribution of wealth; Socialism is the equal distribution of poverty ... Communism is socialism with a gun at your back." - Sir Winston Churchill
  • #2
    ocabj
    Calguns Addict
    • Oct 2005
    • 7924

    Are these 'workstations' batch processing these "millions of tiff images"? If so, I take it that then there's no interactive physical 'console' access, right? Then forget active scanning and go with a passive method. Passively scan the local filesystems in the off hours when there are no processes on them.

    Isolate these hosts on private RFC1918 space. Use deep packet inspection to actively scan anything going between the hosts and publicly routed IPs for viruses and malware.

    Distinguished Rifleman #1924
    NRA Certified Instructor (Rifle and Metallic Cartridge Reloading) and RSO
    NRL22 Match Director at WEGC

    https://www.ocabj.net


    • #3
      Barney Fife
      CGSSA Associate
      CGN Contributor - Lifetime
      • Mar 2008
      • 4424

      Originally posted by ocabj
      Are these 'workstations' batch processing these "millions of tiff images"? If so, I take it that then there's no interactive physical 'console' access, right? Then forget active scanning and go with a passive method. Passively scan the local filesystems in the off hours when there are no processes on them.

      Isolate these hosts on private RFC1918 space. Use deep packet inspection to actively scan anything going between the hosts and publicly routed IPs for viruses and malware.
      Been thinking like that, but the rub is the turnover. Typically within 24-48 hours or less the images come in, are processed, and go back to the client.

      Still mulling something like this.
      Thanks!
      "Capitalism is the unequal distribution of wealth; Socialism is the equal distribution of poverty ... Communism is socialism with a gun at your back." - Sir Winston Churchill


      • #4
        CGT80
        Veteran Member
        • Jul 2008
        • 2981

        I use ESET Smart Security for my home computer. My neighbor is a professional IT guy who works with programming and the communications systems for local law enforcement. He is the one who recommended ESET, as that is what he uses. My desktop runs much faster with ESET than with Norton or McAfee.

        I can't help you with advice for using it for a network. I dabbled in that a little in high school and college but never pursued it.
        He who dies with the most tools/toys wins


        • #5
          ocabj
          Calguns Addict
          • Oct 2005
          • 7924

          The way I'm viewing the problem of anti-malware software affecting I/O on the processing hosts is that these hosts that are doing the tiff processing should be secured at the physical layer (hosts should not be touched by non-IT personnel; no one should be logging on at console and launching a web browser or email client) and network layer (hosts should be isolated from everything else on the network; private VLAN/subnet).

          This will maximize the local I/O (CPU, disk, memory bus) since the anti-malware won't be needed at the application layer of the hosts.

          Then run some sort of tap dividing the private VLAN containing the processing hosts and the rest of the network (intra and inter) to a box designed to do deep packet inspection of the inbound traffic (and outbound if you so wish) to scan for malware. Or, you can build a host to function as the 'firewall', with multiple interfaces (one public and one private VLAN), and have the deep packet inspection occur on the firewall box and let it decide whether or not to forward that traffic to the other interface.

          This architecture is the only way I can think of totally maximizing the resources on your processing hosts, since anti-virus/anti-malware will never actually be taking place on the hosts.

          I know this is how some CGI, special effects, etc. shops isolate their processing servers, since they not only deep packet inspect for malicious data, but they also want to ensure data isn't getting leaked (e.g. someone trying to exfiltrate yet-to-be-released footage of production films).

          Distinguished Rifleman #1924
          NRA Certified Instructor (Rifle and Metallic Cartridge Reloading) and RSO
          NRL22 Match Director at WEGC

          https://www.ocabj.net
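
An added example, not part of the thread or any poster's code: a Python check for the isolation described in posts #2 and #5. It assumes a hypothetical processing VLAN of 10.50.0.0/24 and constructed flow records from a tap on that VLAN and from the inspection box, and it reports hosts that sit outside the VLAN plus any boundary-crossing flow the inspection box never logged.

```python
import ipaddress

# RFC 1918 blocks, listed explicitly: ipaddress's is_private also covers
# loopback, link-local and documentation ranges that are not RFC 1918.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Assumed subnet of the isolated processing VLAN (hypothetical value).
PROCESSING_VLAN = ipaddress.ip_network("10.50.0.0/24")

def is_rfc1918(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)

def misplaced_hosts(hosts):
    """Processing hosts whose address is not inside the isolated VLAN."""
    return [h for h in hosts
            if ipaddress.ip_address(h) not in PROCESSING_VLAN]

def classify(src, dst):
    """'intra' stays inside the VLAN, 'transit' never touches it,
    'boundary-internal' / 'boundary-public' cross its edge."""
    inside = [ipaddress.ip_address(a) in PROCESSING_VLAN for a in (src, dst)]
    if all(inside):
        return "intra"
    if not any(inside):
        return "transit"
    peer = dst if inside[0] else src
    return "boundary-internal" if is_rfc1918(peer) else "boundary-public"

def uninspected(vlan_flows, inspected_flows):
    """Boundary-crossing flows seen on the VLAN tap that the inspection box
    never logged, i.e. traffic that did not pass through the choke point."""
    seen = set(inspected_flows)
    return [(s, d, classify(s, d)) for s, d in vlan_flows
            if classify(s, d).startswith("boundary") and (s, d) not in seen]

# Constructed sample data (not from the thread).
HOSTS = ["10.50.0.11", "10.50.0.12", "192.168.1.40"]
VLAN_FLOWS = [
    ("10.50.0.11", "10.50.0.12"),    # host to host inside the VLAN
    ("203.0.113.7", "10.50.0.11"),   # inbound from a public address
    ("10.50.0.12", "192.168.1.20"),  # to the office LAN
    ("10.50.0.12", "198.51.100.9"),  # outbound to a public address
]
INSPECTED_FLOWS = VLAN_FLOWS[1:3]    # what the inspection box logged

if __name__ == "__main__":
    print("hosts outside the VLAN:", misplaced_hosts(HOSTS))
    for flow in uninspected(VLAN_FLOWS, INSPECTED_FLOWS):
        print("not inspected:", flow)
```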


          • #6
            ExtremeX
            Calguns Addict
            • Sep 2010
            • 7160

            My preferred Vendor - http://www.virtualgraffiti.com/

            Product - ESET Business Edition Products (Network AV with Management)

            Call them for best prices...
            ExtremeX
