Topic: Resident Protection: Standard Shield -- Advanced

satyr

  • Guest
Resident Protection: Standard Shield -- Advanced
« on: August 17, 2006, 03:06:20 AM »

Hey all after some time. I am curious: in the "Avast: few questions in regard to Standard Shield's settings" thread that I opened a few months back, I was told that On-Access Protection's "excluding" mechanism is directory recursive ...


So if I would like to exclude from On-Access protection any files under the directory:

D:\Program Files\Firefox\profiles\profile1\


... then putting the string below under Advanced tab in "On-Access Protection Control" window:

D:\Program Files\Firefox\profiles\profile1\*.*


... would exclude also the sub-directories, especially the one below for which it's crucial to be scanned:

D:\Program Files\Firefox\profiles\profile1\Cache\


And now finally to my question. What is in your opinion the best way to do this, i.e. to exclude only those files in that "profile1" folder, but not all its sub-directories?? Maybe just to add the respective separate file-names, like for instance: "bookmarks.html", "bookmarks.bak", "XUL.mfl" etc. ??


P.S. -- These files are the most huge ones (and so scanning of them is the most "intrusive"), and the ones for which I am not afraid that they would be infected !!


Thanks much for any reply in advance, satyr
« Last Edit: August 17, 2006, 03:12:51 AM by satyr »

Offline igor

  • Avast team
  • Serious Graphoman
  • *
  • Posts: 11849
    • AVAST Software
Re: Resident Protection: Standard Shield -- Advanced
« Reply #1 on: August 17, 2006, 10:19:19 AM »
One note first: maybe it's really what you want, but you should know that there is a difference between
D:\Program Files\Firefox\profiles\profile1\*
and
D:\Program Files\Firefox\profiles\profile1\*.*
- the second one requires the dot to be present in the path, so e.g. the file
D:\Program Files\Firefox\profiles\profile1\Cache\file_without_extension
is not matched (and not excluded) using such mask.

I'm afraid there's no way to exclude one folder only, without its subfolders - sorry.

Now, a few things about the exclusions in general: it's not really needed, and actually not a good thing to do, to exclude every little file you think is safe from scanning.
Scanning of a file is not that slow (I somehow doubt your bookmark has tens of megabytes). The resident protection (Standard Shield) implements some optimization techniques - it doesn't scan the whole file, but only the needed parts - so the file size may actually be irrelevant; it caches the previous result so if the file wasn't changed between two accesses/scans, it's actually not scanned again, etc.
(Well, I think that HTML and similar files are not scanned by default on reading, but rather on writing, so unless you changed the settings manually, you don't have to be worried about reading at all, and I'd say writing is not such a common operation here.)

So, the list of exclusions is meant for cases like:
1. You want to prevent a false alarm until it's fixed
2. You have a folder with known malware files and don't want to get rid of them
3. You want to exclude significant areas (such as a folder with gigabytes of movies, MP3, etc.) - even though this option mainly concerns the on-demand scanner, not Standard Shield
4. You want to prevent a specific conflict with a software that e.g. does some heavy writing into a log file, resulting in the Standard Shield rescanning the file again and again.

So, the list of exclusions is not meant to exclude a huge number of single files. First, as I said, it shouldn't be really needed, and second, the implementation is not really optimized for such a case. Every accessed file must be checked against each entry in the list of exclusions, so a huge list may actually result in a slowdown of the whole system. OK, it will probably be unnoticeable, but still... I advise against it.

Offline RejZoR

  • Polymorphic Sheep
  • Serious Graphoman
  • *****
  • Posts: 9406
  • We are supersheep, resistance is futile!
    • RejZoR's Flock of Sheep
Re: Resident Protection: Standard Shield -- Advanced
« Reply #2 on: August 17, 2006, 10:37:35 AM »
If you want to exclude just files in selected folder you use C:\FOLDER\*.*

But if you want to exclude anything in that folder you use C:\FOLDER\*
Visit my webpage Angry Sheep Blog

Offline igor

  • Avast team
  • Serious Graphoman
  • *
  • Posts: 11849
    • AVAST Software
Re: Resident Protection: Standard Shield -- Advanced
« Reply #3 on: August 17, 2006, 10:47:53 AM »
Not true, I'm afraid.
Even the first mask will match the files in subfolders (the first asterisk matches the whole first part, including all the subfolders, and the second one the extension). The difference is mostly just the extension-less files (and even that may not be always true - there may be a parent folder with extension, and the extension-less files below are matched ;)).
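
The mask behaviour described in the replies above, as an added example (not Avast code and not part of any post): a small model in which "*" matches any run of characters, path separators included. Case-insensitive matching and every sample path except the two quoted in the thread are assumptions made for the illustration.

```python
import ntpath
import re

BASE = r"D:\Program Files\Firefox\profiles\profile1"
MASK_STAR = BASE + r"\*"
MASK_DOT = BASE + r"\*.*"

# Constructed sample paths; only the Cache\file_without_extension case is from the thread.
SAMPLE_PATHS = [
    BASE + r"\bookmarks.html",                 # file directly in the folder
    BASE + r"\Cache\file_without_extension",   # subfolder, no dot anywhere after BASE
    BASE + r"\Cache\entry.tmp",                # subfolder, has an extension
    BASE + r"\chrome.d\noext",                 # extension-less file under a dotted folder
    r"D:\Program Files\Firefox\firefox.exe",   # outside the excluded folder
]


def mask_to_regex(mask):
    """Build a regex in which '*' spans path separators (model of the described behaviour)."""
    literal_parts = [re.escape(part) for part in mask.split("*")]
    return re.compile(".*".join(literal_parts) + r"\Z", re.IGNORECASE | re.DOTALL)


def is_excluded(path, mask):
    """True if the whole path matches the exclusion mask."""
    return mask_to_regex(mask).match(path) is not None


def overreach(mask, folder, paths):
    """Excluded paths that are NOT directly inside 'folder', i.e. files in
    subfolders that silently drop out of on-access scanning."""
    return [
        p for p in paths
        if is_excluded(p, mask) and ntpath.dirname(p).lower() != folder.lower()
    ]


if __name__ == "__main__":
    for mask in (MASK_STAR, MASK_DOT):
        print(mask)
        for p in SAMPLE_PATHS:
            print("   ", "EXCLUDED" if is_excluded(p, mask) else "scanned ", p)
        print("    beyond the folder itself:", overreach(mask, BASE, SAMPLE_PATHS))
```

Running it shows that both masks reach into Cache\ and other subfolders; the only difference is whether a dot must appear somewhere after the folder prefix.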

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: Resident Protection: Standard Shield -- Advanced
« Reply #4 on: August 17, 2006, 01:36:56 PM »
Quote from igor: "It caches the previous result so if the file wasn't changed between two accesses/scans, it's actually not scanned again, etc."
I want to know where this is stored, I mean, where this information is stored, how avast 'reads' it, if it works only for a session (from boot to next boot), etc.
Thanks Igor  8)
The best things in life are free.

Offline igor

  • Avast team
  • Serious Graphoman
  • *
  • Posts: 11849
    • AVAST Software
Re: Resident Protection: Standard Shield -- Advanced
« Reply #5 on: August 17, 2006, 01:46:42 PM »
It's valid only for the current session, i.e. it's stored somewhere in memory.

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: Resident Protection: Standard Shield -- Advanced
« Reply #6 on: August 17, 2006, 01:59:02 PM »
Quote from igor: "It's valid only for the current session, i.e. it's stored somewhere in memory."
Thanks... seems this is faster (and more secure) than having a database (or checking SUM, MD5, etc. for files).
I suppose that the better you can do that, the better will be the antivirus performance.
Is it the secret of the 'new' engine you're developing for avast 5?
The best things in life are free.

Offline igor

  • Avast team
  • Serious Graphoman
  • *
  • Posts: 11849
    • AVAST Software
Re: Resident Protection: Standard Shield -- Advanced
« Reply #7 on: August 17, 2006, 02:11:42 PM »
Well, it's always a tradeoff - storing some kind of checksums across reboots would be faster [the file access, I mean] (provided you have a method to quickly verify the checksum - which is actually questionable), but the security is lower, of course.

I don't know if there's anything to change about this in avast! 5.

satyr

  • Guest
Re: Resident Protection: Standard Shield -- Advanced
« Reply #8 on: August 17, 2006, 05:47:56 PM »

Thanks much all for educative explanations/replies !!


satyr

satyr

  • Guest
Re: Resident Protection: Standard Shield -- Advanced
« Reply #9 on: August 17, 2006, 10:24:48 PM »
Quote from igor: "Well, I think that HTML and similar files are not scanned by default on reading, but rather on writing, so unless you changed the settings manually, you don't have to be worried about reading at all, and I'd say writing is not such a common operation here."

Well, as far as I know it is, i.e. the file is being written-to every time I add/remove/modify a bookmark (and I think on few other such "events" too), and of course on each and every browser opening/closing ...


satyr

Offline igor

  • Avast team
  • Serious Graphoman
  • *
  • Posts: 11849
    • AVAST Software
Re: Resident Protection: Standard Shield -- Advanced
« Reply #10 on: August 18, 2006, 10:42:09 AM »
Sure - that's exactly what I meant by uncommon operation :-)
I mean, there are hundreds of files scanned during the system start and later, when you start applications - so if the bookmark file is rescanned 10 times, it really doesn't make any difference. If the file is changed every few seconds, then it would be different - but I believe it's not the case here (even though the browser might store the time of last visit in the bookmark file... don't know how fast your browsing is :)).