Avast WEBforum

Topic started by: streetwolf on July 02, 2008, 02:06:46 PM

Title: Why are shortcuts scanned by the Standard Shield?
Post by: streetwolf on July 02, 2008, 02:06:46 PM
Running 4.8.1216 but happens on the current release too.  Vista x86 with SP1.

Example:

When I click on my Start Menu then click on All Programs then just open up an entry and just point to an executable it is scanned by the Standard Resident Shield.

All I have checked off for this shield is to scan executed programs, nothing else.  Obviously just placing my cursor over the entry does not execute it IMO.
Title: Re: Why are shortcuts scanned by the Standard Shield?
Post by: Vladimyr on July 02, 2008, 03:38:06 PM
Could it be that Superfetch is preparing to pre-load the application when you hover over the menu shortcut?
Title: Re: Why are shortcuts scanned by the Standard Shield?
Post by: streetwolf on July 02, 2008, 03:57:26 PM
My understanding of SF is that the loading takes place when Vista is booted up.  Could be all the Start Menu programs are preloaded and avast! interprets things incorrectly, ie the program is being executed when pointing the mouse over one of these programs.  Just grasping at straws here.

If you place the pointer over an executable in Explorer no scan is done as far as I've seen.
Title: Re: Why are shortcuts scanned by the Standard Shield?
Post by: DavidR on July 02, 2008, 05:04:58 PM
What you don't mention is what sensitivity setting you have the Standard Shield on (Normal is the default) ?

I don't see any such activity when having a rummage through the All Programs, though a) I'm not using Vista and b) the standard shield is on Normal sensitivity.
Title: Re: Why are shortcuts scanned by the Standard Shield?
Post by: streetwolf on July 02, 2008, 05:15:41 PM
I have a customized standard shield.  Just scanning program executes on the first tab.  Not even scanning for DLL's.

This action might well indeed be Vista related.

Title: Re: Why are shortcuts scanned by the Standard Shield?
Post by: streetwolf on July 02, 2008, 06:01:16 PM
Actually all I need to do is open the folder in the All Programs list and avast! will scan all the executables.  I don't need to point to anything in the folder.

I also see this with ObjectDock where I have a folder that contains shortcuts to my different programs.  It is a drop down menu and it opens slowly the first time I click on it.  Avast! is scanning for executables.  However it doesn't always do the scan after the first time.
Title: Re: Why are shortcuts scanned by the Standard Shield?
Post by: DavidR on July 02, 2008, 07:17:35 PM
I use Rocket Dock, again no scanning, so it looks like you might be right on the Vista issue.
Title: Re: Why are shortcuts scanned by the Standard Shield?
Post by: streetwolf on July 02, 2008, 07:59:08 PM
Any folder that contains a shortcut gets scanned when you open the folder.  It's got to be Vista related.
Title: Re: Why are shortcuts scanned by the Standard Shield?
Post by: DavidR on July 02, 2008, 09:25:18 PM
Some time ago I'm sure there was something like this where, when you opened folders, exe files were opened so the icon could be extracted and displayed in Windows Explorer. I don't know if this could be a possibility if it is checking/opening the target.

Though this doesn't happen for me and XP ???
Title: Re: Why are shortcuts scanned by the Standard Shield?
Post by: streetwolf on July 02, 2008, 09:54:28 PM
Even if this is the case I am only telling avast! to scan executed programs not ones that are opened.  So either way something isn't kosher.

Title: Re: Why are shortcuts scanned by the Standard Shield?
Post by: igor on July 03, 2008, 12:12:05 AM
I checked and it doesn't work like that for me (no scanning you describe occurs).
So, what exactly are your Standard Shield settings? Scan files on open - disabled, Scan created/modified - disabled?
Do you have any application installed that might "touch" the files you open from the menu (don't know, some special skinning, themes stuff... or maybe some other resident security application that might trigger the access)?
Title: Re: Why are shortcuts scanned by the Standard Shield?
Post by: streetwolf on July 03, 2008, 01:24:44 AM
> I checked and it doesn't work like that for me (no scanning you describe occurs).
> So, what exactly are your Standard Shield settings? Scan files on open - disabled, Scan created/modified - disabled?
> Do you have any application installed that might "touch" the files you open from the menu (don't know, some special skinning, themes stuff... or maybe some other resident security application that might trigger the access)?


Standard Shield has everything disabled except for the scan of executed programs and the 3 items under it.  I also have the option enabled to show details on performed actions.

I just installed the demo version of 4.8 pro on a vanilla Vista SP1 system I run under VirtualPC.  It behaved just like my 'real' machine.  The target program in folders with shortcuts are being scanned when the folder is opened. 
It seems that once a folder is opened and scanned I can open the same folder without it being scanned for a time.  Eventually it gets scanned again.

Keep in mind I am running Vista Ultimate x86 with SP1.
Title: Re: Why are shortcuts scanned by the Standard Shield?
Post by: Vladimyr on July 03, 2008, 04:33:40 AM
It's a Vista phenomenon.
Following Streetwolf's initial post I checked the Standard Shield box "Show detailed info on performed action" on a Vista Home Basic SP1 machine to see what happens. As I clicked on each "folder" in the Start Menu, the full path of each of the shortcuts was listed in the pop-up as having been scanned by Standard Shield. XP does not behave this way even if I set the Standard Shield to scan "All Files".
Title: Re: Why are shortcuts scanned by the Standard Shield?
Post by: igor on July 03, 2008, 08:19:02 AM
I checked on Vista, just not with SP1... maybe SP1 phenomenon then?
Title: Re: Why are shortcuts scanned by the Standard Shield?
Post by: pk on July 04, 2008, 01:07:18 AM
streetwolf,

please download the fixed driver version:
x86 binary: http://public.avast.com/~kurtin/flt_pub1/i386/aswMonFlt.sys
amd64 binary: http://public.avast.com/~kurtin/flt_pub1/amd64/aswMonFlt.sys

please let me know if it helps, thanks for your cooperation ;)
Title: Re: Why are shortcuts scanned by the Standard Shield?
Post by: streetwolf on July 04, 2008, 03:02:22 AM
> streetwolf,
>
> please download the fixed driver version:
> x86 binary: http://public.avast.com/~kurtin/flt_pub1/i386/aswMonFlt.sys
> amd64 binary: http://public.avast.com/~kurtin/flt_pub1/amd64/aswMonFlt.sys
>
> please let me know if it helps, thanks for your cooperation ;)

Tried the x86 version and it did NOT fix the problem.  I placed the file in system32/drivers and rebooted. 

If you looked at my other post you will see that many types of files are being scanned even though I specified the ones I wanted to be scanned.

Title: Re: Why are shortcuts scanned by the Standard Shield?
Post by: Lisandro on July 04, 2008, 03:17:49 AM
How to test if my links are being scanned into Vista 32bits SP1+?
Title: Re: Why are shortcuts scanned by the Standard Shield?
Post by: streetwolf on July 04, 2008, 03:21:48 AM
> How to test if my links are being scanned into Vista 32bits SP1+?

Just click on one of the folders in your Start Menu under All Programs.  Just about all of them have shortcuts.  Also make sure you set the option in the Standard Shield to 'show detail on performed action' so you will see the popup.
Title: Re: Why are shortcuts scanned by the Standard Shield?
Post by: pk on July 04, 2008, 05:28:32 AM
streetwolf, I don't have good news for you :-\

I've debugged some Vista system libraries and found out, when shortcut files are read, their EXE files are opened with the same method which is used for execution. In general, it's not even so easy to identify when a process is going to be launched. Standard Shield doesn't know it; it only assumes the opened file may be used for execution. Unfortunately, Vista opens those .lnk files (and .exe files) with the same flags which are used for execution. Anyway, these EXE files are scanned just once - rescan will only happen if they are changed.

Tested at Vista and Vista SP1 platforms.
Title: Re: Why are shortcuts scanned by the Standard Shield?
Post by: Vladimyr on July 04, 2008, 07:42:17 AM
PK
Does this mean that the performance impact of any AV's on-access scan engine will be amplified in proportion to the scanner's inefficiency by Vista's inherent "Linkscanner"-like behaviour?
Title: Re: Why are shortcuts scanned by the Standard Shield?
Post by: pk on July 04, 2008, 02:38:47 PM
streetwolf,
please use this fixed version, I guess we've solved the problem:
x86 binary: http://public.avast.com/~kurtin/public/flt_02/i386/aswMonFlt.sys
amd64 binary: http://public.avast.com/~kurtin/public/flt_02/amd64/aswMonFlt.sys

thanks.
Title: Re: Why are shortcuts scanned by the Standard Shield?
Post by: streetwolf on July 04, 2008, 03:56:26 PM
This new module took care of the shortcut problem.  No popups and no messages in the Resident log.  Nice going.

Now how about the other issues with both Standard and Web shield scanning files that they should not be scanning?  Under web shield I only specify exe,rar,zip files to be scanned, yet I see loads of popup messages for all kinds of files.  There is a lot of scans of jpgs and gifs from my TIF.  Just had a flv file scanned from a website.  Not for every site mind you.  Are these the orphaned memory mapped files mentioned in my other post about this?

I assume that when I tell avast! to only scan certain extensions it will do just that.  Unless I am assuming incorrectly.
Title: Re: Why are shortcuts scanned by the Standard Shield?
Post by: pk on July 04, 2008, 05:33:50 PM
memory mapped issue has been already fixed

Could you please identify if the problem was with Std Shield or Webshield? i.e. you can turn on "Show detailed info on performed action" either in StdShield settings or in Webshield settings. If it's StdShield issue, what settings do you have in "Scanner (Advanced)" window?
Title: Re: Why are shortcuts scanned by the Standard Shield?
Post by: streetwolf on July 04, 2008, 05:55:19 PM
First off does the new aswMonFlt.sys module 'fix' the memory mapped issue?  If so I want to use the Resident Protection log from this point on to gather files that I believe are being scanned when they shouldn't.

Secondly, I think it would be useful to indicate in the Resident Protection.txt log which shield produced the entry.

Since the new module I've had .json files and a .vidt file scanned from the Web shield.  These came from www.cnn.com when clicking on a video.
Also my meager web site www.shap721.com produces this in the log:

http://cgi-wsc.chi.us.siteprotect.com/cgi-bin/CMForum/ahw050inxsel11a988f69e2?cc=0.21385138523430758&lang=en&country=US

Also got this one from the Standard shield:

C:\Users\Streetwolf\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\2ACN16GB\catbg[1].jpg

So far it appears I am not getting as many 'false' scans as before.  So far only the ones I just mentioned.

My advanced settings in the standard shield are all disabled.  Nothing is checked.

To reiterate, my standard shield is set up just to scan executed programs.  My web shield is set up to scan only exe,zip,rar files.  That is it.
Title: Re: Why are shortcuts scanned by the Standard Shield?
Post by: streetwolf on July 05, 2008, 06:32:29 PM
After I just booted up my machine into Vista I looked at the resident log and saw that everything that is on my Start Menu was scanned.  This includes the targets of links.

Also a bunch of other stuff was in the log.  Here's a section of the log with this other stuff:

:\Users\Streetwolf\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
C:\Users\Streetwolf\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
C:\Users\Streetwolf\AppData\Local\Microsoft\Feeds Cache\index.dat
C:\Users\Streetwolf\AppData\Local\Microsoft\Internet Explorer\MSIMGSIZ.DAT
C:\Users\Streetwolf\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012008070520080706\index.dat
C:\Windows\SoftwareDistribution\AuthCabs\authcab.cab
C:\Users\Streetwolf\AppData\Local\Microsoft\Feeds Cache\index.dat
C:\Users\Streetwolf\AppData\Local\Microsoft\Internet Explorer\MSIMGSIZ.DAT
C:\Users\Streetwolf\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012008070520080706\index.dat
C:\Users\Streetwolf\AppData\Local\Microsoft\Windows\Explorer\thumbcache_idx.db
C:\Users\Streetwolf\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
C:\Users\Streetwolf\AppData\Local\Microsoft\Windows\Explorer\thumbcache_32.db
C:\Users\Streetwolf\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
C:\Windows\System32\winevt\Logs\Microsoft-Windows-CodeIntegrity%4Operational.evtx
C:\Users\Streetwolf\AppData\Local\Microsoft\Windows\Explorer\thumbcache_sr.db
C:\Users\Streetwolf\AppData\Local\Microsoft\Windows\Explorer\thumbcache_1024.db
C:\Windows\System32\winevt\Logs\Security.evtx
C:\Windows\System32\wbem\repository\INDEX.BTR
C:\Windows\System32\wbem\repository\OBJECTS.DATA
C:\Windows\System32\winevt\Logs\System.evtx
C:\Windows\System32\winevt\Logs\Application.evtx
C:\Users\Streetwolf\AppData\Local\Microsoft\Windows\Explorer\thumbcache_256.db
C:\Windows\System32\wsqmcons.exe
C:\Windows\System32\winevt\Logs\Microsoft-Windows-GroupPolicy%4Operational.evtx
C:\Windows\System32\winevt\Logs\Microsoft-Windows-TaskScheduler%4Operational.evtx
C:\Windows\System32\wbem\repository\MAPPING2.MAP
C:\Windows\System32\winevt\Logs\Microsoft-Windows-Diagnosis-DPS%4Operational.evtx
C:\ProgramData\Microsoft\Network\Downloader\qmgr0.dat
C:\Users\Streetwolf\AppData\Local\Microsoft\Windows\Explorer\thumbcache_96.db
C:\Windows\System32\winevt\Logs\Microsoft-Windows-Bits-Client%4Operational.evtx
C:\Windows\System32\wbem\repository\MAPPING1.MAP
C:\Users\Streetwolf\AppData\Local\GDIPFONTCACHEV1.DAT
C:\Windows\System32\winevt\Logs\Microsoft-Windows-Diagnostics-Performance%4Operational.evtx
C:\Users\Streetwolf\AppData\Roaming\Microsoft\Protect\CREDHIST
C:\Windows\System32\catroot2\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\catdb
C:\Windows\System32\catroot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\catdb
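
A log like the one pasted above can be checked against the shield configuration by bucketing entries by extension and flagging anything outside the configured set. This is an added example, not part of the forum thread and not Avast code; it assumes the log has been reduced to one path or URL per line (as pasted in this thread), and the names `EXPECTED`, `entry_extension` and `triage` are illustrative.

```python
import ntpath                      # Windows path rules, works on any OS
from collections import Counter
from urllib.parse import urlsplit

# Assumption: the extensions the shield is configured to scan
# ("executed programs" only, as described in the thread).
EXPECTED = {".exe"}

# Sample entries copied from the posts in this thread (Standard Shield
# paths plus one Web Shield URL), one entry per line.
SAMPLE_LOG = r"""
C:\Users\Streetwolf\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
C:\Windows\SoftwareDistribution\AuthCabs\authcab.cab
C:\Windows\System32\winevt\Logs\Security.evtx
C:\Windows\System32\wsqmcons.exe
C:\Users\Streetwolf\AppData\Roaming\Microsoft\Protect\CREDHIST
C:\Windows\System32\catroot2\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\catdb
C:\Users\Streetwolf\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\2ACN16GB\catbg[1].jpg
http://cgi-wsc.chi.us.siteprotect.com/cgi-bin/CMForum/ahw050inxsel11a988f69e2?cc=0.21385138523430758&lang=en&country=US
"""


def entry_extension(entry):
    """Return the lowercase extension of a path or URL entry ('' if none)."""
    entry = entry.strip()
    if "://" in entry:
        # Use only the URL path: a dot inside the query string
        # (cc=0.2138...) must not be mistaken for an extension.
        name = urlsplit(entry).path.rsplit("/", 1)[-1]
    else:
        name = ntpath.basename(entry)
    return ntpath.splitext(name)[1].lower()


def triage(log_text, expected=EXPECTED):
    """Split entries into (expected, flagged) and count flagged extensions."""
    ok, flagged, counts = [], [], Counter()
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        ext = entry_extension(line)
        if ext in expected:
            ok.append(line)
        else:
            flagged.append(line)
            counts[ext or "(none)"] += 1
    return ok, flagged, counts


if __name__ == "__main__":
    ok, flagged, counts = triage(SAMPLE_LOG)
    print(f"{len(ok)} expected, {len(flagged)} outside the configured set")
    for ext, n in counts.most_common():
        print(f"  {ext:8} {n}")
```

Passing `expected={".exe", ".dll"}` matches the configuration used later in the thread, once DLL scanning is turned on.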

Title: Re: Why are shortcuts scanned by the Standard Shield?
Post by: Lisandro on July 05, 2008, 07:28:04 PM
Questions without answer...

> How to test if my links are being scanned into Vista 32bits SP1+?

> PK
> Does this mean that the performance impact of any AV's on-access scan engine will be amplified in proportion to the scanner's inefficiency by Vista's inherent "Linkscanner"-like behaviour?

Title: Re: Why are shortcuts scanned by the Standard Shield?
Post by: pk on July 08, 2008, 01:34:32 AM
streetwolf, I've made some new changes and you can use this new driver:
x86 binary: http://public.avast.com/~kurtin/public/flt_03/i386/aswMonFlt.sys
amd64 binary: http://public.avast.com/~kurtin/public/flt_03/amd64/aswMonFlt.sys

Also note, scanning on-exec is not enough, you should turn DLL scanning on (except System DLLs, of course), but it's up to you...

Tech,
> How to test if my links are being scanned into Vista 32bits SP1+?
1) Turn off everything in "Scanner (Basic)" and "Scanner (Advanced)" windows.
2) Turn "Scan executed programs (and all its three nested checkboxes)" in the first tab.
3) Terminate Standard Shield provider.
4) Start Standard Shield provider.
5) Click at Start button, click at "All Programs", open "Accessories" folder and LNK/EXE files will be scanned.
Title: Re: Why are shortcuts scanned by the Standard Shield?
Post by: streetwolf on July 08, 2008, 05:18:12 AM
This new aswMonFlt.sys seems to have done the trick regarding all the needless scanning that was done at boot time. 

My Start Menu is no longer being scanned and I did not see in the log any of the other files.  I'm seeing nothing but exe's and dll's (I took your advice).

Regarding dll scanning on the Basic standard shield.  There is no option to disregard system dll's.  That appears only under the advanced tab for opening files.  I disable all of the advanced stuff.  Is the basic dll scanner supposed to ignore system dll's on load?

And in this regard does avast scan the files Vista's Superfetch loads into memory at startup time?  SF slows things up all by itself.  Having avast in the mix can only make it slower (I suppose).

I'll do more testing and get back to you.  My interest is with the standard and web shield.
Title: Re: Why are shortcuts scanned by the Standard Shield?
Post by: pk on July 09, 2008, 12:21:04 AM
> Regarding dll scanning on the Basic standard shield.  There is no option to disregard system dll's.  That appears only under the advanced tab for opening files.  I disable all of the advanced stuff.  Is the basic dll scanner supposed to ignore system dll's on load?

Yes, try to disable everything from advanced tab, except "do not scan system dlls on load" and check "scan dlls" on the Basic tab.

> And in this regard does avast scan the files Vista's Superfetch loads into memory at startup time?  SF slows things up all by itself.  Having avast in the mix can only make it slower (I suppose).

Since Standard shield will not scan system DLLs at startup time, it should be fast. After Vista loading, you can check report log (or number of scanned files) and see what files have been scanned.

If you find out something interesting, please post a comment to let us know. Thanks.
Title: Re: Why are shortcuts scanned by the Standard Shield?
Post by: streetwolf on July 09, 2008, 02:48:06 AM
pk:

What about all those other files I posted that are getting scanned?  You never said if they should or shouldn't be getting scanned.

Even some of my favicon.ico are getting scanned.  As are some jpg's and lots more stuff.  What is causing these files to be scanned?  IMO they shouldn't be scanned the way I have my shield set up.
Title: Re: Why are shortcuts scanned by the Standard Shield?
Post by: pk on July 09, 2008, 01:36:36 PM
streetwolf, what did you set on the Advanced tab? it should be only "scan on-open" (no extensions!) and "do not scan system dlls".
Title: Re: Why are shortcuts scanned by the Standard Shield?
Post by: streetwolf on July 09, 2008, 02:53:29 PM
> streetwolf, what did you set on the Advanced tab? it should be only "scan on-open" (no extensions!) and "do not scan system dlls".

I have those settings at the moment and it appears that only executables including dll's are being scanned.

When I reported all those 'other' files being scanned I didn't have anything checked on the Advanced tab.  Are you saying that in order not to scan the files I reported you need to set the Advanced tab as you indicated?  I figured not checking anything was what I wanted to only scan executables.  Seems I was wrong.  If this is true then I think it's a little confusing regarding the relationship between the basic and advanced tab.

As far as the Web shield goes I am seeing a similar thing.  I specify only certain extensions to be scanned yet I see other extensions being scanned.  As a test I checked the option to scan files of selected type but didn't fill anything in.  When I go to my web site www.shap721.com it scans some sort of file.  I also saw a 'flv' file being scanned at another site www.gamecopyworld.com.  I suppose a flv file is some sort of flash video?  Placing *.flv on the exclude list prevents it from being scanned as well as placing the URL that pops up at my web site.  I would think that nothing should be scanned with my settings.
Title: Re: Why are shortcuts scanned by the Standard Shield?
Post by: Lisandro on July 09, 2008, 03:42:01 PM
> I suppose a flv file is some sort of flash video?
http://filext.com/file-extension/FLV
Title: Re: Why are shortcuts scanned by the Standard Shield?
Post by: streetwolf on July 16, 2008, 09:02:20 PM
Every time I replace aswMonFlt.sys with the new one you posted here (the second one) that one gets replaced by an older version probably after my second start of Windows.

I noticed this because my shortcuts were being scanned again.

Any idea who is reverting aswMonFlt.sys back to a previous version?  Is it Vista or avast!?  How do I keep the new version?
Title: Re: Why are shortcuts scanned by the Standard Shield?
Post by: pk on July 16, 2008, 11:42:09 PM
avast! did that.

I thought, driver will not be replaced, because I've digitally signed it...
You can rape avast4.ini to disable replacement, but I'd suggest you to wait for new avast! build - it should be released within some hours.
Title: Re: Why are shortcuts scanned by the Standard Shield?
Post by: Lisandro on July 17, 2008, 04:07:44 AM
> It should be released within some hours.
I'm waiting ;D
Where is it? ??? uh, uh...