Avast WEBforum

Consumer Products => Avast Free Antivirus / Premium Security (legacy Pro Antivirus, Internet Security, Premier) => Topic started by: gtaillandier on November 30, 2003, 02:13:43 PM

Title: Boot scan
Post by: gtaillandier on November 30, 2003, 02:13:43 PM
Does someone know how I can only scan memory at boot time ?

I have avast!4.

Sincerely.
Title: Re:Boot scan
Post by: Lisandro on November 30, 2003, 03:38:45 PM
Let me guess, you have to execute:

"C:\<avast folder>\Ashquick.exe" "*STRT-MEM-SHORT"

1. You can put a link for this into the StartUp folder
2. You can set it into Run section on Windows Registry

Title: Re:Boot scan
Post by: igor on November 30, 2003, 05:05:57 PM
If "at bootime" means "from the avast! boot-time scanner", than I guess you can't do it. I think it wouldn't have much sense anyway - the viruses would not be active (in memory) at this moment.
Title: Re:Boot scan
Post by: gtaillandier on November 30, 2003, 05:15:12 PM
Yesterday, when I've lauched "avas! antivirus" it has detected a virus while scanning memory and startup items. But I've received  previously me message.

It asked me for boot-scan and I answered Yes. When I started my computer again, Avast has scanned the PC for viruses. Nothing was found.

Can  someone explain me why I didn't got message, and why it has found someting wrong ?

Thank you for an answer.
Title: Re:Boot scan
Post by: igor on November 30, 2003, 05:20:19 PM
Do you remember what virus did avast! announce when scanning your memory (and startup items) - and maybe what was the filename?
What did you do with the warning message - you only selected "Schedule boot-time scan" and restarted immediatelly, nothing else?
Title: Re:Boot scan
Post by: gtaillandier on November 30, 2003, 06:29:56 PM
Sorry, but I don't remember what avast! announce and I've not written it.
It seems me it has asked if I want to scan or repair ( or something like that ) and I've chosen to schedule boot time scan and restart.
If I'll have such case in the future, I'll write the informations avast! give and what all what I do.

Is someting written in logs when avast! detect virus ?

Sincerely.
Title: Re:Boot scan
Post by: gtaillandier on November 30, 2003, 06:56:06 PM
Thank you for the ashquick ....

Is it possible to launch it before Windows starts and is there other parameters than "*STRT-MEM-SHORT" ?

Thank you for your help.

Sincerely
Title: Re:Boot scan
Post by: igor on November 30, 2003, 09:30:43 PM
What exactly do you mean by "before Windows starts"?
Title: Re:Boot scan
Post by: gtaillandier on November 30, 2003, 09:41:34 PM
When I turn my PC on, it tells me the version of BIOS ( I can hit Del ) indicates the amount of RAM. I would like to start Ashquick at this moment ( if possible ) before launching Windows ( autoexec, start... ).
I'm under Windows XP home edition
Title: Re:Boot scan
Post by: igor on November 30, 2003, 09:48:11 PM
Sorry, it's not possible.
The avast! boot-time scanner is a special NT module - which can be executed before the full OS is loaded. The aswQuick program, however, is an ordinary Win32 application - it cannot be started that soon.
I don't know for sure, but I think the boot-time scanner doesn't support the special areas (such as the scan of "startup" items). As I already said, scanning the memory doesn't have much sense at this moment (i.e. it's not supported either I guess).
Title: Re:Boot scan
Post by: Lisandro on November 30, 2003, 11:06:06 PM
Igor, if you read again my post you will see I said to use ashquick at 'login' time (by the link at startup folder) or 'after' the OS is lauched (by the Run Registry Command)...

You're right, the ashBoot.exe won't scan anything if you manually delete the 'area' to be scanned into Windows Registry, nor even the memory and won't make much sense to scan at this time.

Maybe the user can use avast 7.0 for DOS but it will be a little complicated to configure the Windows XP boot to do it...  ;)
Title: Re:Boot scan
Post by: gtaillandier on December 01, 2003, 09:01:29 PM
I've inserted a link in Startup menu and all is OK.
Is it possible to gie Ashquick other parameters than
STRT-MEM_SHORT
Title: Re:Boot scan
Post by: Lisandro on December 01, 2003, 09:08:21 PM
I've inserted a link in Startup menu and all is OK.
Is it possible to gie Ashquick other parameters than
STRT-MEM_SHORT

ashQuick program is the Explorer Extension that, just like avast! and ashCmd, is a scanner for viruses. It is usually used to scan files from the local context menu, e.g. from Explorer. In other cases, it is better to use avast! or ashCmd.

For ashCmd commands, see help file in topic 'ashCmd Program'
I think ashQuick does not allow so many 'others' parameters. This one is a 'secret' from our guru (Vlk)  :P
Title: Re:Boot scan
Post by: gtaillandier on December 01, 2003, 09:22:07 PM
I have the free version of avast! ; I haven't found ashcmd ( in same folder than ashquick )
Title: Re:Boot scan
Post by: igor on December 02, 2003, 09:41:22 AM
ashCmd (the command-line scanner) is really not avaialble in the Home version, it's limited to Professional version only.

As for the other "secret" areas... you may try *STARTUP-SHORT to scan the startup items for the current user (i.e. the modules loaded in memory are not included, unlike *STRT-MEM-SHORT) or *STARTUP that will scan the startup items for all the users (sometimes, it may take a while to load the registry hives for the other users).
Title: Re:Boot scan
Post by: Lisandro on December 02, 2003, 03:51:48 PM
ashCmd (the command-line scanner) is really not avaialble in the Home version, it's limited to Professional version only.

As for the other "secret" areas... you may try *STARTUP-SHORT to scan the startup items for the current user (i.e. the modules loaded in memory are not included, unlike *STRT-MEM-SHORT) or *STARTUP that will scan the startup items for all the users (sometimes, it may take a while to load the registry hives for the other users).

How, some un-documented features or secrets are being revealed...  8)
Thanks Igor.

Sorry gtaillandier, I do not realize that you are not using the Profesional version...  :'(
Title: Re:Boot scan
Post by: stevejrc on December 02, 2003, 04:22:16 PM
I added ashavast.exe to startup programs, it loads the (pre-simple interface) splash screen up and scans memory and startup programs once there all started after booting.

I noticed that the screen saver can scan memory block, whilst ashavast.exe only scans programs in memory and startups. The screen saver scan picks up win32:sqlslammer worm in memory block but the  ashavast.exe scan doesnt. So I assume memory block is different to programs in memory.
Title: Re:Boot scan
Post by: Vlk on December 02, 2003, 05:14:21 PM
In avast home, to scan entire memory, including the blocks, you can run

ashQuick.exe "*MEMORY"

That will be equivalent to the scan that the Screen-Saver is doing.


Vlk
Title: Re:Boot scan
Post by: stevejrc on December 02, 2003, 07:37:31 PM
thanks,

So is the following correct, to sum things up: (parameters)

"*STRT-MEM-SHORT"  memory & user startup
"*MEMORY"                memory blocks and memory
"*STARTUP-SHORT"    user startup
"*STARTUP"                all users startup

Can more than one session be used at startup ie "*MEMORY" then "*STARTUP".

I assume user/all user startup scans means all applications, as it appears to scan programs that arent actually started during startup process.

Cheers

I just tryed giving ashquick.exe 2 parameters and it appears to work in one session "*MEMORY" "*STARTUP"       COOL   ;D
Title: Re:Boot scan
Post by: gtaillandier on December 02, 2003, 08:20:08 PM
When I select "Schedule boot-time scan", the program starts correctly.

I haven't found the entry in Windows Xp registry, can you give me the full key name.

Is it possible to add a parameter such "*STRT-MEM-SHORT" ?
Title: Re:Boot scan
Post by: igor on December 02, 2003, 08:35:06 PM
stevejrc: Yes, I believe you can give ashquick more arguments (separated by commas?).

The STARTUP arguments are scanning all sort of "auto-start" entries. You are right that some of the files may not be automatically started in fact, but it's better to scan more than less. I think these "auto-start" entries also include the "App Paths" key (kind of Windows equivalent of the old DOS PATH environment variable) - that's probably where the non-automatically started apps mostly are. However, I'd rather keep it this way - it's really mostly "autostart" items, or the items that are rather close to "autostart" :)

gtaillandier: I think the boot-time scanner does not support these "special" areas (unlike ashquick) - as Technical already explained, IIRC.
Title: Re:Boot scan
Post by: stevejrc on December 03, 2003, 01:42:59 AM
thanks,

My startup shortcut reads as follows without commas and works fine. I checked the items scanned and it was correct.

<avast folder>\ashQuick.exe" "*MEMORY" "*STARTUP"

This is cool, I also setup 3 desktop icons one same as above, one with "*MEMORY" and another "*STARTUP".

I believe most AV's dont offer memory block scanning, only programs in memory. AVAST does!!! which is cool, thats where the sqlslammer worm was found. And AVAST is just as quick as Panda was at scanning even on thorough scan and Panda never found sqlslammer (no block scan).

I recommend using the above in startup folder. ;D maybe a possible option in future versions?
Title: Re:Boot scan
Post by: Lisandro on December 03, 2003, 02:00:28 AM
My startup shortcut reads as follows without commas and works fine. I checked the items scanned and it was correct.
<avast folder>\ashQuick.exe" "*MEMORY" "*STARTUP"
This is cool, I also setup 3 desktop icons one same as above, one with "*MEMORY" and another "*STARTUP".
I believe most AV's dont offer memory block scanning, only programs in memory. AVAST does!!! which is cool, thats where the sqlslammer worm was found. And AVAST is just as quick as Panda was at scanning even on thorough scan and Panda never found sqlslammer (no block scan).

Wellcome to avast!  ;)

I recommend using the above in startup folder. ;D maybe a possible option in future versions?

Please, why don´t you post this suggestion at the WISHLIST (http://www.avast.com/forum/index.php?board=2;action=display;threadid=57)?  ;)
Title: Re:Boot scan
Post by: igor on December 08, 2003, 10:03:31 AM
One important thing I should say:

Replacing *STRT-MEM-SHORT by *MEMORY and *STARTUP-SHORT may not be the best idea. The reason is the following: the *MEMORY parameter causes avast! to scan the operating memory of the computer (i.e. the true virtual memory). The *STRT-MEM-SHORT scans (besides the startup items) the modules loaded in memory (i.e. the corresponding files, not the real memory).
While the *MEMORY parameter may catch unknown (packed) variants of viruses that may not be detected on disk (they can be found since the packed file is already unpacked to memory), it may also fail to detect the viruses for which only a packed variant exists (and the VPS does not contain a signature for the unpacked code). Generally, avast! virus database is optimized (and checked) for the file detection - the "memory scan" is rather a special additional feature.

So, if you want a real thorough check of the memory/startup, I'd rather recommend using both the parameters *STRT-MEM-SHORT and *MEMORY together (or, *MEMORY, *MEMORY-SHORT and STARTUP for all the user accounts).
Title: Re:Boot scan
Post by: Vlk on December 08, 2003, 03:18:44 PM
Just to make it clear - the areas for ashQuick.exe should be separated by semicolons. Like

ashQuick.exe "*MEMORY";"*STARTUP-SHORT"


Hope this helps,
Vlk