Avast WEBforum

Consumer Products => Avast Free Antivirus / Premium Security (legacy Pro Antivirus, Internet Security, Premier) => Topic started by: DavidR on June 05, 2005, 08:42:42 PM

Title: What does avast! scan after boot and why? [Outpost Pro causes excessive access]
Post by: DavidR on June 05, 2005, 08:42:42 PM
What determines the files that are scanned when avast! starts after WinXP boots?

The reason I ask is my Standard Shield scanned count after everything settles down (avast icon stops spinning after boot) is in the region of 800. However, my last one was in excess of 1000.

There are files that are being scanned that are in my program Files folders (I have two C: and D:) that are not used for weeks on end. One being my Time Synchronisation program but there are many like it being scanned and I really would have thought that only windows, memory, start-up, services and their associated files would need to be scanned and this shouldn't amount to around 800 on average.

My system is relatively clean with minimal programs running on start-up with only 30 processes running so for over 800 files to be scanned seems excessive. Not to mention it takes about 90 seconds to complete the scan.

Some time ago I believe this was going to be looked at to see what needed to be scanned after boot and if there was perhaps a way to allow user adjustment of what is scanned when avast starts?
Title: Re: What does avast! scan after boot and why?
Post by: pk on June 05, 2005, 08:55:37 PM
It depends what type of files are scanned (if the provider's settings were not modified weirdly) - and what files are used by system during its starting (could you pls turn scanning notification on - that yellow/blue rectangle under clock? then it could tell you more...).
Title: Re: What does avast! scan after boot and why?
Post by: Lisandro on June 05, 2005, 09:06:24 PM
Could you pls turn scanning notification on - that yellow/blue rectangle under clock? then it could tell you more...
This could not work as avast takes a lot of time to 'be ready' and show the first notification, very after a lot of things are already loaded and loading...  :'( :-\
Title: Re: What does avast! scan after boot and why?
Post by: DavidR on June 05, 2005, 09:19:11 PM
I have been monitoring it in the last scanned file list in the detailed view of Standard Shield and it flits around wildly from C:\Program Files to d:\Program Files to windows\system32, etc too fast really to list all. I would assume that the 'Show detailed info on performed action' would be equally as fast as to prove difficult to read. I will enable it and reboot later and get back.

Provider settings are pretty standard:
 - Scanner (Basic) all options ticked.
 - Scanner (Advanced) scan all files on open, always scan WSH script files, Scan created/modified files all files.
 - Blocker, default extension set, Allow the operation, the rest not selected.
 - Advanced - now Show detailed info on performed action and the default list of locations not scanned.
Title: Re: What does avast! scan after boot and why?
Post by: DavidR on June 05, 2005, 09:45:43 PM
Ok did that and as suspected it whizzes through the list so fast as to be difficult to identify much, or to possibly help.

Other than it would appear to be scanning virtually every .exe file on my system, which is obviously not true as a search for *.exe returns 1081 on C: and 547 on D:. This time it recorded 810 files scanned after boot.

I did find some strange folders being scanned. I have a folder for programs that don't require any registry keys, 'D:\Utilities-Non-Registry' for little utility programs and it would appear to be scanning .exe files in there (and sub folders) as well.

What I thought strange that I noticed a couple uninstall exe files flashing through.

They seem so random in the folder and files flipping from C to D partition Program Files (both) to windows, windows\system32, etc.
Title: Re: What does avast! scan after boot and why?
Post by: DavidR on June 05, 2005, 10:21:29 PM
Well had a bit of a brain wave after mentioning my 'D:\Utilities-Non-Registry' folder (in the previous post), I thought why would it possibly look there. I have two additional toolbars that I created to speed access to useful programs that I use relatively frequently to avoid desktop shortcut clutter.

One of them is a shortcut to the Utilities-Non-Registry folder so I thought that this might be the reason for the heavy scan load (3 toolbars and all the 12 desktop shortcuts) so I disabled both of these toolbars and also disabled the quick launch toolbar and rebooted.

Rats, no difference, still scanned in excess of 800 files about 90 seconds before the avast icon stopped.

Any more ideas?
Title: Re: What does avast! scan after boot and why?
Post by: Bascule on June 07, 2005, 12:27:35 PM
I'd be interested in an answer to this too as I have noticed that Avast! takes rather a long time to stop "spinning" after I logon.
Title: Re: What does avast! scan after boot and why?
Post by: Vlk on June 07, 2005, 01:43:10 PM
Are you using Kerio Personal Firewall?
Title: Re: What does avast! scan after boot and why?
Post by: Bascule on June 07, 2005, 01:51:09 PM
No, I'm just using the Windows Firewall (SP2).

My other security s/w is WinPatrol, SpyBot (no Teatimer), Spyware Blaster, Bit Defender (not resident).
Title: Re: What does avast! scan after boot and why?
Post by: DavidR on June 07, 2005, 04:21:25 PM
Are you using Kerio Personal Firewall?

Not sure if that was directed at me, but no I use Outpost Pro as in my signature.
Title: Re: What does avast! scan after boot and why?
Post by: bob3160 on June 07, 2005, 04:58:58 PM
Vlk
Add me to this list of curious people and I use ZA.
As David said it takes a long time and seems to delay the boot process at least the actual access
after booting is delayed since it takes so long for the initial scan to complete.
Title: Re: What does avast! scan after boot and why?
Post by: DavidR on June 07, 2005, 05:19:25 PM
Perhaps some feedback (by way of a poll, etc.) on the numbers of files scanned after boot, your OS and firewall may be of use?

Files Scanned = 300--500, 500-700, 700-900, etc.
OS Type =
Firewall =
Title: Re: What does avast! scan after boot and why?
Post by: xistenz on June 07, 2005, 06:33:57 PM
Files scanned = 83
OS Type = Windows XP SP2 (about 1 month old)
Firewall = Windows XP firewall (This is my second computer, and I am behind a router)
Title: Re: What does avast! scan after boot and why?
Post by: Vlk on June 07, 2005, 06:40:03 PM
Basically, there's no scanning on startup invoked by avast at all.
The files that are scanned are being opened by another program, and THIS invokes the scan.

E.g. the Office FastSearch (or how do they call it) feature consists in scanning your hard drives and indexing your files (same goes to Google and MSN Desktop Searches). As the files are being opened, avast scans them.

Normal value for XP users is about 300 files. That's a plain OS install and Standard Shield's settings on default.


Thanks
Vlk
Title: Re: What does avast! scan after boot and why?
Post by: DavidR on June 07, 2005, 07:34:22 PM
I know the one you are talking about the Office (FastFind?) Indexing to supposedly speed opening that kept blipping the hdd LED, I disabled this years ago and I also disabled the windows Indexing Service in XP.

Back to the drawing board to see what could possibly be accessing these files causing avast to scan them.
Title: Re: What does avast! scan after boot and why?
Post by: Vlk on June 07, 2005, 07:40:29 PM
I recommend Filemon http://www.sysinternals.com/Utilities/Filemon.html to find out which process is opening which files.
Title: Re: What does avast! scan after boot and why?
Post by: Hopismum on June 07, 2005, 07:48:23 PM
Files scanned = 173
OS Type = Windows XP Home
Firewall = Sygate 5.6
Title: Re: What does avast! scan after boot and why?
Post by: DavidR on June 07, 2005, 07:49:48 PM
I have it, but have never used it, not to mention getting it to run on/immediately after boot before things get taken over before avast starts scanning the accessed files effectively stopping any launched programs (filemon, etc.)

I will try to have it run on startup or create a shortcut and start it as soon as possible.
Title: Re: What does avast! scan after boot and why?
Post by: DavidR on June 07, 2005, 09:46:38 PM
Well I added filemon.exe to the startup group, it seemed to take ages to load after boot but it did and I left it running until the avast icon stopped and I saved the log and closed filemon.

It was running for about 1-2 minutes and is 1.5MB in size with 13,692 lines phew. Well it didn't start getting interesting or displaying anything useful until about line 3000+ Then there were references by explorer.exe to Explorer.EXE accessing C:\Documents and Settings\All Users\Start Menu\Programs\

The main program/files that feature in the log are:

explorer.exe
ashServ.exe
csrss.exe
Outpost.exe
SnagIt32.exe
procguard.exe (free)
sgmain - SpywareGuard
sgbhp.exe - ditto
TSCHelp.exe
wuauclt.exe
svchost.exe


There really is too much to post here and to me there was little that I could interpret as the cause for the high number of files being scanned. I couldn't understand why they would be scanned as they are not startup programs and it would appear that ashserv.exe is scanning followed by explorer.exe is accessing them. This is obviously avast intercepting the open followed by allowing it if clean. However, I can't find anything that appears to be the originating request/call to explorer.exe to open the files.

The only possible assumption after the information overload of the filemon.log and no apparent reason to access or scan many of these files is; could some of these .exe files that are being scanned come from the fact that the icon is being extracted from the programs .exe file to display in the Start, All Programs Menu and their sub menus since icons are displayed in the lists?

I will happily send you the filemon.log 7zipped and more detailed info if you think it may help to get to the bottom of this?
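
One way to cut a Filemon log of that size down to an answer, as an added example that is not part of the original post: drop the scanner's own accesses (ashServ.exe) and count the distinct executable files each remaining process opened. The tab-separated column layout, the request names, the extension list and the sample lines are all assumptions constructed for illustration; adjust them to match the log your Filemon version saves.

```python
import csv
import io
from collections import Counter, defaultdict
from pathlib import PureWindowsPath

# Assumed layout of a saved Filemon log, one tab-separated record per line:
#   sequence, time, process:pid, request, path, result, other
OPEN_REQUESTS = {"OPEN", "IRP_MJ_CREATE"}  # assumption: name differs by version
SCANNER = "ashserv.exe"  # the on-access scanner reacts to opens, it is not a trigger
EXECUTABLE_EXTS = {".exe", ".dll", ".scr", ".com", ".ocx", ".sys"}  # assumption

# Constructed sample records (not taken from the poster's log).
SAMPLE_LOG = "\n".join("\t".join(fields) for fields in [
    ("1", "20:41:02", "ashServ.exe:412", "OPEN",
     r"C:\Program Files\TimeSync\timesync.exe", "SUCCESS", ""),
    ("2", "20:41:02", "explorer.exe:1480", "OPEN",
     r"C:\Program Files\TimeSync\timesync.exe", "SUCCESS", ""),
    ("3", "20:41:02", "explorer.exe:1480", "READ",
     r"C:\Program Files\TimeSync\timesync.exe", "SUCCESS", ""),
    ("4", "20:41:03", "ashServ.exe:412", "OPEN",
     r"D:\Utilities-Non-Registry\tool\unins000.exe", "SUCCESS", ""),
    ("5", "20:41:03", "explorer.exe:1480", "OPEN",
     r"D:\Utilities-Non-Registry\tool\unins000.exe", "SUCCESS", ""),
    ("6", "20:41:04", "Outpost.exe:620", "OPEN",
     r"C:\Program Files\Agnitum\Outpost Firewall\op_data.mdb", "SUCCESS", ""),
    ("7", "20:41:04", "Outpost.exe:620", "OPEN",
     r"C:\WINDOWS\system32\ws2_32.dll", "SUCCESS", ""),
    ("8", "20:41:05", "explorer.exe:1480", "OPEN",
     r"C:\Program Files\TimeSync\timesync.exe", "SUCCESS", ""),
    ("9", "20:41:05", "explorer.exe:1480", "OPEN",
     r"C:\Program Files\Missing\gone.exe", "FILE NOT FOUND", ""),
])


def parse(text):
    """Yield (process, request, path, result) for every well-formed record."""
    reader = csv.reader(io.StringIO(text), delimiter="\t", quoting=csv.QUOTE_NONE)
    for row in reader:
        if len(row) < 6 or not row[0].strip().isdigit():
            continue  # header, blank or truncated line
        process = row[2].rsplit(":", 1)[0].strip().lower()  # strip ":pid"
        yield process, row[3].strip().upper(), row[4].strip(), row[5].strip().upper()


def triggers(text):
    """Map each process (scanner excluded) to the executables it opened."""
    opened = defaultdict(set)
    for process, request, path, result in parse(text):
        if process == SCANNER or request not in OPEN_REQUESTS or result != "SUCCESS":
            continue
        if PureWindowsPath(path).suffix.lower() in EXECUTABLE_EXTS:
            opened[process].add(path.lower())  # repeated opens count once
    return opened


def summary(text, top=5):
    """Processes ranked by how many distinct executables they opened."""
    ranked = sorted(triggers(text).items(), key=lambda kv: (-len(kv[1]), kv[0]))
    return [(process, len(paths)) for process, paths in ranked[:top]]


def by_folder(paths, depth=2):
    """Count files per ancestor folder, truncated to `depth` path components."""
    folders = Counter()
    for path in paths:
        parts = PureWindowsPath(path).parent.parts[:depth]
        folders[str(PureWindowsPath(*parts))] += 1
    return folders


if __name__ == "__main__":
    for process, count in summary(SAMPLE_LOG):
        print(f"{process:15} {count} distinct executables opened")
    for folder, count in by_folder(triggers(SAMPLE_LOG)["explorer.exe"]).most_common():
        print(f"  explorer.exe -> {folder}: {count}")
```

Comparing the per-process totals from two boots (one with a suspect service disabled) shows which process accounts for the difference in the scanned count.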
Title: Re: What does avast! scan after boot and why?
Post by: Anderson2 on June 10, 2005, 05:14:07 AM
(could you pls turn scanning notification on - that yellow/blue rectangle under clock? then it could tell you more...).

I have Avast4.  Where do you turn the scanning notification on?  I can find no yellow/blue rectangle anywhere.  How do you get to it?

Thanks.
Title: Re: What does avast! scan after boot and why?
Post by: Lisandro on June 10, 2005, 01:31:43 PM
I have Avast4.  Where do you turn the scanning notification on?  I can find no yellow/blue rectangle anywhere.  How do you get to it?
Go to Standard Shield provider settings (left click the 'a' blue icon).
Choose Customize and go to the Advanced tab.
Check 'Show detailed information on action performed'  ;)
You can customize all this notification: color, size, number, font, etc... Click 'Settings' in my signature and browse the avast4.ini file thread  8)
Title: Re: What does avast! scan after boot and why?
Post by: Anderson2 on June 10, 2005, 05:12:11 PM
Thank you.  I'll work on it.
Title: Re: What does avast! scan after boot and why?
Post by: DavidR on June 14, 2005, 12:15:33 AM
Bump - any more suggestions or solutions?
Title: Re: What does avast! scan after boot and why?
Post by: Vlk on June 14, 2005, 04:27:56 PM
I had a look at the logs, but unfortunately, I'm unable to pinpoint a single cause. A number of programs is starting (Outpost, ProcessGuard, SnagIt etc..) and all of them generate some file system activity...
Title: Re: What does avast! scan after boot and why?
Post by: Lisandro on June 14, 2005, 05:54:52 PM
I bet on ProcessGuard... Brings a lot of trouble, more than solution and protection.
Disabling the firewall and boot could tell us if the problem is the interaction between Outpost and avast.
Title: Re: What does avast! scan after boot and why?
Post by: DavidR on June 15, 2005, 12:46:09 AM
OK, I have done a number of further tests, disabling startup programs, rebooting and checking the Standard Shield scanned total after boot.

Disabled ProcessGuard Free    Reboot    Scanned Total: 803
Disabled SnagIt7    Reboot    Scanned Total: 829
Disabled Outpost Pro    Reboot    Scanned Total: 833
No changes to maintain a stable registry and reboot Scanned Total: 783

So even after disabling the three programs (startup entries) mentioned there is no noticeable difference, certainly not one that would account for the excessive scanned total after boot.

Disabled SpywareGuard    Reboot    Scanned Total: 777 again no negligible difference.

Checked Windows Services and found ProcessGuard and Outpost still had services enabled on Automatic. Ended the processes, changed to Disabled and rebooted - Scanned Total 303.

Enabled Outpost Services on Auto and enabled Outpost Startup item and reboot - Scanned Total 803, bingo it looks like I have found the culprit Outpost.exe. I have no idea what or why Outpost should access a large number of files on the HDD. I have looked into the various settings in Outpost but can find nothing that may cause this.

Now what to do about it as I think it essential to have Outpost run on boot, otherwise I would have to manually start the outpost service and the startup entry. With Outpost completely disabled the scan in the low 300s reduces the time the avast icon spins. If I start Outpost the scan count jumps by 450-500, but this only takes a few seconds, the additional files that are being scanned after boot take considerably longer.

I had filemon enabled as a startup item so I have filtered occurrences of outpost.exe, but that doesn't tell me much but it keeps accessing op_data.mdb. It may be possible that the contents of this file are accessing the files to check for changed content? I don't know I have no way of opening the .mdb file other than with a text editor and that returns little useful (to me) information.

Do any of the Alwil test systems run Outpost Pro and do they suffer this increased scan activity?

Any further information/suggestions, perhaps excluding outpost.exe and or op_data.mdb in avast4.ini (but where)?
Title: Re: What does avast! scan after boot and why?
Post by: bob3160 on June 15, 2005, 01:11:10 AM
I'm fairly certain that ZA acts the same way and if it does, can provisions for those of us that use ZA also be made if
you find an answer for by-passing the Outpost startup scanning problem? Thanks
Title: Re: What does avast! scan after boot and why?
Post by: BanziBaby on June 15, 2005, 01:57:21 AM
Hi DavidR :)

The op_data.mdb is outposts log file (if enable logging is ticked)

U can safely exclude the file in Avast, i do along with the op_data.ldb with no ill effects & a slight boost in boot & loadin time :)

If U always have snagit runnin at boot then that will slow things down (not sure if U have it runnin constant or just for testin)

I also exclude processguard's logfiles as they can be written to many times during boot.

HTH

BaNzI ;D
Title: Re: What does avast! scan after boot and why?
Post by: Lisandro on June 15, 2005, 02:51:31 AM
Sorry if I'm a little off-topic but, does anybody know how to configure Windows to start like Linux: the command lines, what is happening, etc. and not the logo? I want to know what is happening behind the logo and the progress bar but I can't... Maybe we can know by this way what is loading, into the logon screen could be the same  :-\
Title: Re: What does avast! scan after boot and why?
Post by: DavidR on June 15, 2005, 03:05:58 PM
@BanziBaby

OK I have added op_data.?db to the program settings, exclusions, the wildcard '?' does catch both files (I tested it using an on-demand folder scan); let's see if it has any effect on boot.

As you can see from my above post disabling SnagIt at start-up had no real effect on the scanned totals. I use it extensively, but I suppose I could start it after boot; I will have to check that out.

I have decided to uninstall ProcessGuard free, as it only protects one process and I think that it was Vlk who said it didn't provide the protection we think if the infection was able to disable processes it could do much more and saving 1 process would be ineffectual.
Title: Re: What does avast! scan after boot and why?
Post by: DavidR on June 15, 2005, 07:37:55 PM
Further update, after excluding op_data.mdb and op_data.ldb, disabled SnagIt again and rebooted the Scanned Total was 761 so no major difference.

Manually started SnagIt and the scanned total only went up by 3.

So we are still in the same position of not knowing what and why outpost pro accesses on boot.
Title: Re: What does avast! scan after boot and why?
Post by: toadbee on June 15, 2005, 07:48:56 PM
this might help you?

If nothing else you'll see that Avast! isn't alone (neither are you ;) )

http://www.agnitum.com/support/kb/article.php?id=1000030&lang=en
Title: Re: What does avast! scan after boot and why?
Post by: DavidR on June 15, 2005, 08:53:48 PM
Thanks Toadbee, I have been doing some searching on the Outpost forum but found very little and was just about to post a new thread. So I will check out the KB article first.
Title: Re: What does avast! scan after boot and why?
Post by: DavidR on June 15, 2005, 09:12:44 PM
Checked the KB article, outpost's solution useless, basically it is just recommending what I had already tried, exclude the .mdb file.
Title: Re: What does avast! scan after boot and why?
Post by: DavidR on June 21, 2005, 06:42:01 PM
Update.

Well after a good number of useful responses to my query on the Outpost forum, I have received no direct reply as to what files outpost accesses on boot or why - What files does outpost access/check at startup and why? (http://outpostfirewall.com/forum/showthread.php?t=14167&page=1&pp=15)
I have an open support ticket about it awaiting a detailed (rather than automated reply) response.

I tried a number of things which had a limited or no effect at all.
Exclusions didn't work at all.
Disabling a number of other startup entries (SnagIt, etc.) very limited effect, confirming outpost was the cause of the excessive file activity and scans.
I also tried reducing the Standard Shield sensitivity to Normal from High (before disabling outpost), this had the desired effect reducing the scanned total from 800+ to 300. But I felt that this lowering of my AV defence wasn't acceptable.

It was only when outpost startup entry was disabled and the outpost firewall service was set to manual that there was a real effect, the scanned total dropped from 800+ to around 300.

Warning - It is important to ensure you start your firewall before you connect to the internet, so this may not be an option for those with a direct always on connection, for me on dial-up there is less of a problem.

Starting both the outpost firewall service and the outpost GUI manually was a bit of a pain and you have to do it in firewall service, GUI order. Fortunately someone on the outpost forum told me the run command to start the service net start "outpost firewall service" (with the quotes because of the spaces). So I created a small batch file 'OupostStart.bat' located in C:\ with a shortcut in the quick launch tool bar (to give one click outpost start).

The batch file had the line to start the service and the path to execute outpost.exe, which started the GUI:
Net Start "outpost firewall service"
"C:\Program Files\Agnitum\Outpost Firewall\outpost.exe"
Title: Re: What does avast! scan after boot and why? [Outpost Pro causes excessive access]
Post by: bob3160 on June 21, 2005, 07:47:47 PM
I haven't seen a whole lot of interaction from the Alwil team on this thread either.

The large amount of scans performed at boot up  aren't only related to folks that use Outpost.
It also happens with ZA and probably many other Firewall programs.
I do know that my system takes a long time to boot. I usually start it and then just forget about
it for a while and do something else. (Yes I know I have a lot of programs that start when the computer starts.)
It shouldn't be that way. This was one of my main gripes about NAV. The big difference is that eventually-
avast! does stop its morning ritual. NAV hogged my computer all day long. Guess what, I slaughtered that hog. ;D
Title: Re: What does avast! scan after boot and why? [Outpost Pro causes excessive access]
Post by: Lisandro on June 21, 2005, 07:50:59 PM
I know I have a lot of programs that start when the computer starts.
Startup Delayer does a very good job in this case.
Other one is NetRun that controls 'when' you get on-line and start (or delay) the startup of programs. Here you can add all applications that you run only when connected.
Title: Re: What does avast! scan after boot and why? [Outpost Pro causes excessive access]
Post by: bob3160 on June 21, 2005, 08:47:12 PM
Technical
I'm already using a program called Startup Faster 2004. That's not where the problem lies.....
Title: Re: What does avast! scan after boot and why? [Outpost Pro causes excessive acc
Post by: kephryn on August 08, 2005, 12:34:16 AM
I found a great utility that might help you out,

http://www.sysinternals.com/Utilities/Filemon.html
Title: Re: What does avast! scan after boot and why? [Outpost Pro causes excessive acc
Post by: DavidR on August 08, 2005, 02:35:20 PM
If you read the complete thread (reply #15, #17, #18) you will see I have used filemon and it doesn't turn up any easily interpreted information, rather the opposite it gives too much information. When set to run on boot (it still starts late to catch early boot activity) until activity stabilises after about 2 minutes the file generated is 1.5MB and 13000+ lines, murder to read.
Title: Re: What does avast! scan after boot and why? [Outpost Pro causes excessive access]
Post by: DavidR on December 09, 2005, 09:34:39 PM
Further update, I have re-enabled Outpost on boot but lowered the Standard Shield to Normal and that brings the total Scanned Count to around 250 - 300, more acceptable and my boot time to the avast! icon stopping is just under one and a half minutes.

However, there are still exe files in the Program Folder/s being scanned even though they aren't being started and I haven't used them in months.
Title: Re: What does avast! scan after boot and why? [Outpost Pro causes excessive access]
Post by: bob3160 on December 10, 2005, 03:42:06 AM
I've also noticed quite a few un-install programs being checked during boot-up.
And these aren't for newly added programs either.  ??? ???
Title: Re: What does avast! scan after boot and why?
Post by: jagged ben on January 23, 2006, 12:23:55 AM
Well I added filemon.exe to the startup group...
...there were references by explorer.exe to Explorer.EXE accessing C:\Documents and Settings\All Users\Start Menu\Programs\

[...]

could some of these .exe files that are being scanned come from the fact that the icon is being extracted from the programs .exe file to display in the Start, All Programs Menu and their sub menus since icons are displayed in the lists?


I think this is clearly a culprit, and the only one I need solved myself.  When I backed up my start menu folders and deleted everything in them, my scanned count on startup dropped from about 230 to 12 (!!).

What can be done about this?
Title: Re: What does avast! scan after boot and why? [Outpost Pro causes excessive access]
Post by: DavidR on January 23, 2006, 12:49:23 AM
Well I added filemon.exe to the startup group...
...there were references by explorer.exe to Explorer.EXE accessing C:\Documents and Settings\All Users\Start Menu\Programs\

[...]

could some of these .exe files that are being scanned come from the fact that the icon is being extracted from the programs .exe file to display in the Start, All Programs Menu and their sub menus since icons are displayed in the lists?


I think this is clearly a culprit, and the only one I need solved myself.  When I backed up my start menu folders and deleted everything in them, my scanned count on startup dropped from about 230 to 12 (!!).

What can be done about this?
Yes initially this was discounted (by some Alwil Moderators) as a potential cause of the high scan count but in a later response it was offered as a possible reason for the high scan count.

So I believe they acknowledge it as the cause/reason but I'm not sure what they can do to avoid it. If a file is accessed for anything other than read access I believe avast is going to scan it even on the Normal (lowest) setting for Standard Shield. So if a file is accessed with write access or what ever is required to extract the icon. I did suggest some way of giving a user different levels of boot scan to try and avoid this, it didn't draw a response.

As you have shown, no startup folder, little activity but that is a little severe a work around. So I too would like to see if there is a way of either not having windows display icons in the windows start menu folders or a way for avast to ignore this extraction of the icon in the exe files.

Short of excluding the start menu folder in standard shield, which could leave you very vulnerable, I can't see an easy solution.
Title: Re: What does avast! scan after boot and why? [Outpost Pro causes excessive acc
Post by: jagged ben on January 23, 2006, 03:03:08 AM
Well, I excluded my start menu.  (This does not make me feel super vulnerable, although I will probably move my startup folder to a different path.)  Predictably, this only cut the count in half, no doubt because the shortcuts weren't scanned but the programs they link to were still scanned.  It did not cut the busy time down to my satisfaction.

It's pretty disappointing to find out that this is the way Avast works.  Extracting an icon should not require a scan of the entire file containing the icon.   I'm almost tempted to turn off the standard shield, or at least certain options in it.  (What are OLE documents, by the way?)  I'm far more worried about scanning my internet traffic, that's why I have an anti-virus program.


Title: Re: What does avast! scan after boot and why?
Post by: Buschi on January 27, 2006, 01:59:27 PM
Quote
I think this is clearly a culprit, and the only one I need solved myself.  When I backed up my start menu folders and deleted everything in them, my scanned count on startup dropped from about 230 to 12 (!!).

What can be done about this?

Hi everyone.

I have the same problem with all exe files getting scanned (fortunately only about 150 but still annoying). System is XP with Sygate Firewall, Spybot (not in startup), Spywareblaster (not in startup) and avast! Home with the Standard Shield set to 'normal' (the other five providers are also running). Tasks running on after XP startup is something between 30 and 40 (not very precise I know...).

I can assure that it is the explorer.exe that causes avast!-activity. Because if you kill explorer.exe through Task Manager due to a hang up and relaunch explorer.exe you'll have the same long avast!-activity (exe scanning) like on Windows startup.

What exactly did you mean with backing up your start menu folder? Did you move it away for one restart and re-"installed" it after the restart? Or did you move it into a completely new folder and left it there?

Excluding explorer.exe in the scan is definitely no secure solution and moving the start menu folder is also not the way I wanna solve this problem.

Last but not least a big applause for the avast! guys! I'm using it now for one and a half year and feeling safe ;-) I also recommended and/or installed it to some colleagues. How many anti-spyware programs do you use? I'm just wondering if the ones I have are sufficient.
Title: Re: What does avast! scan after boot and why? [Outpost Pro causes excessive access]
Post by: CharleyO on January 27, 2006, 05:34:55 PM
***

Look in my signature below to see what I use ... plus I recently added ewido anti-malware.    :)


***