On-write Protection is disabled by default

Showing results for 
Show  only  | Search instead for 
Did you mean: 

On-write Protection is disabled by default

L3 Networker

Hi everyone, 

Just wondering how's the performance or resource is impacted when this protection is on, i bet it would have certain impact as this is "Disabled" by default. or any other concerns if ON?

Any experience to share?


Life is full of surprise,
Just embrace it!

L4 Transporter

Hi @SeanDeHarris, thanks for reaching us using the Live Community.


The on-write protection should not generate too much impact on the endpoints, because this module only starts a scan when the written file is an executable or a script. The scan workflow is the same when a file is executed, first it will ask to Wildfire about the reputation, and if the reputation is good, no other scan will be executed.

If you want to test if first, I'll recommend you to create a new malware profile, enable this feature, and assign it to a group of endpoints to monitor the performance behavior.



If this post answers your question, please mark it as the solution.


Hi @jmazzeo 


When one reads the name of the module, normally comes to mind every kind of file writing events, not only the executables or scripts. Couldn't find the exact info about it in the docus. Do you have a link to the source of this info, where perhaps I can get more  also on other modules? 


Thanks in advence.

This is a screenshot that we can share from our internal docs about the On-Write file protection file types and some other useful information:




If this post answers your question, please mark it as the solution.


Thanks @jmazzeo , this is helpful.👍


As far as I see, even as admin I have only the option to turn it on or off, Enabled/Disabled, in Malware Prevention Profile from the Console. So, no option to use this protection type in monitoring only mode (no "Report" only option), if enabled it will detect and prevent in any case. Is that correct?

That toggle is to enable the ability to send the written files to analysis. The actions are made by the usual modules as is mentioned in the last bullet on the screenshot.

  • 5 replies
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!