Title: Vista search and Avast 4.8 performance
Post by: ady4um on August 30, 2009, 03:14:34 PM

I noticed some behavior has changed after updating from Avast Home 4.8.1335 to 1351.

I'm using Vista Home Basic 32 bits.

I have a FAT32 partition, which includes a folder with old DOS free antivirus utilities. Those utilities are inside zip files.

I was using the search function of Vista over the FAT32 partition, including non-indexed files, and the search is configured to search also inside zip's and cab's.

I was searching files that are NOT related to the above mentioned DOS antivirus utilities, but for simplicity I selected the whole volume as the search location, with the name of the file I was looking for.

I have searched this partition before, just as described. While performing a simple search with Vista's search utility, Avast 4.5.1335 was not popping about those utilities.

With previous versions, if I scanned the specific folder or the whole partition with an on-demand scan, Avast *did* advise me about finding those utilities as viruses. Obviously, since I know for sure that those files are valid antivirus utilities, I simply continued the scan.

Now, while performing a simple search with Vista's search utility, the updated Avast 1351 detects those old DOS antivirus utilities as viruses. I haven't seen this behavior until updating to version 1351.

What really concerns me right now is this:

Is Avast now checking/scanning each and every file that Windows Vista searches?

If the answer is affirmative, does this mean that while performing a search with Vista's search utility over all my HDD, Avast is scanning the whole HDD?

In this context, I'm referring to searching all fixed partitions including also non-indexed locations.

Has this behavior changed from version 1335 to 1351?

Of course, I may be wrong. I recognize that it is possible I changed some configuration in Vista's search utility and that's why Avast now pops about those utilities.

I would appreciate any useful comments. Thank you in advance.
Title: Re: Vista search and Avast 4.8 performance
Post by: Mr.Agent on August 30, 2009, 03:57:25 PM
If you wanna know what 1351 did change, go there: http://www.avast.com/eng/avast-4-home_pro-revision-history.html If I'm not wrong, I don't think it has something changed for Vista...

What kind of Vista do you use? SP1 or SP2 Home Basic 32 bits?

PS: If you want a clearer response to your thread, I would wait if you think I did not respond to it.

Title: Re: Vista search and Avast 4.8 performance
Post by: DavidR on August 30, 2009, 04:01:16 PM
New packers are added or improved, so it is possible that these files were previously not unpacked and scanned. When they do eventually get unpacked and scanned, then the unencrypted signatures in old DOS antivirus utilities could be detected.

Version 4.8.1351
August 17, 2009
# improvements in some unpackers (WinExec, Installers, Droppers)
# various fixes and improvements in the scanning engine
# Standard Shield: stability improvements in the kernel-mode drivers
# preparations for smoother migration to v5 (when it's released)

If a file is opened with write permission, generally avast will scan it, so if the Vista Search opens files with write permission rather than read permission, it may be possible avast will scan them, but that function I believe was in earlier versions. I don't use Vista so I can't test that.

If you keep these old utilities in the same folder then you could exclude them from scans.
Title: Re: Vista search and Avast 4.8 performance
Post by: ady4um on August 30, 2009, 06:54:40 PM
Thank you for your posts.

To answer your questions, my OS is Vista Home Basic x86 (32 bits) with SP1 and updated regularly (I didn't install SP2 yet, but all other updates are installed until 2009-08-28). I'm using version 4.0 of Windows Search for Windows Vista (KB940157), which is the same included in Vista with SP2.

Before I posted I did read Avast's change log. But as I said, when I (on-demand) scanned the folder/partition with previous Avast versions, those files indeed were recognized by Avast, so this is not an issue. I mean, there is no difference about it. (I even checked this using Avast Log Viewer to be sure, and the files were logged just the same while scanning with version 4.8.1335).

David, I'm inclined not to exclude folders from the AV scan as a general rule. Firstly, I'm not performing an on-demand scan every day, but only when something "strange" happens. Secondly, there is always a chance some new malware could "fall" inside some excluded location without the user even knowing. In my particular case, I'd rather read a few messages and click to continue when running an on-demand scan. Of course other users could choose otherwise, according to their preferences and specific systems. To be perfectly clear, I'm not *advising* anyone else to use one method or the other.

Now, about my questions. Maybe I didn't explain myself clearly enough. For now, just for now, I'm leaving the "virus/antivirus tools" problem of Avast aside, since I'm not really worried about those old AV tools.

For the purpose of this discussion, let's assume the system is absolutely "clean" of malware and there are no false positives.

If I start a search, Vista displays the search results according to the configuration and filters. By doing this, I'm not opening *every* file inside the search's locations. I'm not opening every file of the results either. Vista has the possibility to search inside zip's and cab's, and to index also file contents. In my particular case, I'm searching also non-indexed locations (especially when including a FAT32 partition as part of the search's locations). I don't know if there are some read/write permissions involved just by searching.

While performing a search, it seems like Avast 4.8.1351 is scanning each and every file the search engine evaluates, even when the evaluation result is not to include the file in the search results' list.

A_ Is this assumption true? (Maybe the answer depends on my Avast settings?)

It seems to me that previous Avast versions, 4.8.1335 for example, behaved somehow differently.

B_ Is this correct?

C_ In case that indeed Avast 4.8.1351 is checking every file evaluated by the Vista search engine, is this scan necessary to prevent some malware behavior?

I've been using Avast in this PC for almost 2 years, and I use Vista's search function quite frequently (including searching the FAT32 partition I mentioned before), but this is the first time I see pop ups about these DOS utilities just for being part of a search (not an on-demand scan). That's what brought my attention to this changed behavior.

I hope I'm clear enough now. Thank you in advance.
Title: Re: Vista search and Avast 4.8 performance
Post by: DavidR on August 30, 2009, 07:18:15 PM
That is your choice not to exclude folders, etc. You could step it up by excluding the exact file name and path. That however is more typing, but it only needs to be done once.

Sorry but I can't comment on anything related to Vista as I don't use it so can't test.

As I said the results of updates which include more packers and improvements in the scanning engine are likely to scan more files. But as an avast user like yourself, I'm not privy to anything more detailed than the update information I posted.

As you say depending on your avast settings, if the Standard Shield is set to High (Normal is the default), then it would scan all files opened, so the search looking inside the file could initiate that.

Again as I said if the search function opens a file with write permission rather than read, it is more likely to cause avast to scan, but I don't know that as I don't have Vista nor its search function.

So this would need some input by one of the avast developers and they are somewhat busy with the push for avast 5.0, with an ongoing 5.0 beta, so I don't know if one of them will pick up on this topic.
Title: Re: Vista search and Avast 4.8 performance
Post by: ady4um on August 31, 2009, 04:45:12 AM
David, thank you for your post.

I think you are missing my point.

First, about the exclude list. It's not that I don't want to write the whole path. The only reason I mentioned the whole antivirus utilities issue is because this behavior brought my attention to the change in Avast 4.8.1351 I'm really interested about. So forget about it, at least for now.

Second, I understand about setting Avast to High, as opposed to Normal scanning. I didn't change those settings. They are the same now, while using 4.8.1351, as before with the 4.8.1335 version. BTW, I use High scan mode. But again, *I* didn't change those settings. So, for the purpose of this discussion, this has nothing to do with my questions.

Now, either

A) *the update* to 4.8.1351 did change some Avast setting (not the user), or,

B) sth in the way Avast scans (heuristics or sth similar) was changed, or,

C) the way Avast reports those issues, or,

D) some combination of the above possibilities.

My suspicion is that all this has nothing to do with Vista, so if any other user is using XP or any Windows version, this changed behavior might be happening there too.

There is a "simple" way to test all this. Just having a system with a previous Avast version, like 4.8.1335 or 4.8.1229, setting all Avast providers to High, and saving the test EICAR file somewhere inside a zip file. Then, making a search of any filename you want (it doesn't matter), while including as a search location the folder where the zipped EICAR test file is saved, and including non-indexed files in the search. Also, the search options should include searching inside zip's and cab's.

Performing the same procedure but with Avast 4.8.1351 and comparing between both behaviors, should give a clue whether there is some change related to this issue or not.

Although it is not a complex test, I don't have enough resources to perform it. If any Dev would be so kind to check this issue, I think it would even be worthy in relation to the next Avast 5.0, since the current 1351 version was released to improve compatibility to perform the update when 5.0 will be available. Would anyone want complaints about Avast 5.0 interfering with previously-simple tasks?

If I perform a simple search over my whole HDD, and Avast is scanning each and every file evaluated by the search, and assuming that previous versions were behaving differently, then general performance *will* be punished.

I just want to be sure this change is necessary for better security, and not a useless waste of performance.

Thank you in advance.
Title: Re: Vista search and Avast 4.8 performance
Post by: DavidR on August 31, 2009, 03:08:08 PM
I can't help with your suspicions, as I said I'm just an avast user like yourself and over and above what is published in the change log for updates (previously posted), I don't know the details behind it.

So as I said, this would need some input by one of the avast developers.

In XP pro I can search for eicar (as I have several samples, see image), yet even on High avast doesn't alert on my search, nor does it open zip files, it only shows two files having been scanned on initiation of the search and they are related to the search and not the files searched.

So the only difference in our systems is you are on Vista and I'm using XP Pro, so the search function is obviously different in how they open files/folders to search. So not having Vista I really can't help find why this happens.
Title: Re: Vista search and Avast 4.8 performance
Post by: ady4um on September 01, 2009, 02:59:07 AM
David, thank you for your post.

I noticed your EICAR files were in excluded folders. I hope you performed the search test over some non-excluded location, as I did.

Would it be valid to make the same search test in XP, but with an EICAR test file not zipped? The purpose is to know if Avast is behaving differently than before, while performing an "advanced" search (including non-indexed locations/files).

I don't know *that* much about search function differences between XP and Vista. It is possible XP can't search inside zip's and cab's. I suppose then you are right, I would need somebody with Vista and to configure the search engine the same way I did.

Do you remember I said Avast recognizes those old DOS antivirus utilities inside zip files? Well, looking into Avast log, I noticed that the folders Avast is logging are not the original ones, where I performed the original searches, but folders in the "temp" folder.

What I *don't* know is if Vista's search engine is the one using this temp location to expand those zip files and search inside them, or if it is actually Avast that is using this location to scan the contents of those zip files.

Moreover, I had to delete those files in the "temp" folder manually. So with this 4.8.1351 version, there is a PERFORMANCE issue, and a wasted HDD space issue.


In any case, this behavior is new for me, and it didn't happen before updating to Avast 4.8.1351 (I double-checked using Avast Log Viewer).


Again, would it be valid to make the same search test in XP, but with an EICAR test file not zipped? The purpose is to know if Avast is behaving differently than before.

I wish someone with Vista could check this issue. A Dev would be even better, so he can really know what's the difference between versions, so to improve it.

I don't want to double post, but maybe I should post this in "bug reports" as a link to this post? Avast is not crashing, but performance and behavior *are* different than before.

Could anyone confirm this changed behavior, either in XP or Vista?

Thank you in advance.
Title: Re: Vista search and Avast 4.8 performance
Post by: DavidR on September 01, 2009, 02:47:39 PM
I disabled the exclusion before doing the search, so that didn't get in the way.

If you check my image again you will see that there were eicar test files not in zip files.

When it is avast unpacking something then that is unpacked in the _avast4_ sub-folder of Temp and the file names of temporary unpacked files take this form, UNP999999.tmp, where 999999 is a random number. So if they aren't in that folder or in the file name format then they weren't unpacked by avast.

Again if avast didn't unpack them or they weren't in the _avast4_ folder then it wouldn't clean up after another program. avast does clear its temp sub-folder on completion of any scan.
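
The check described in this post, as an added example that is not part of the original thread or avast's own code: it walks a Temp folder and separates files that follow the stated avast convention (inside `_avast4_`, named `UNP<number>.tmp`) from files left by some other program, totalling the space the latter occupy. The function names, the sample tree and the assumption that the number can have any digit count are constructed for illustration.

```python
import os
import re
import tempfile

# Convention as described in the post: avast unpacks into the _avast4_
# sub-folder of Temp, using file names of the form UNP<number>.tmp.
AVAST_DIR = "_avast4_"
# Assumption: the digit count is not fixed, so any run of digits matches.
UNP_NAME = re.compile(r"^UNP\d+\.tmp$", re.IGNORECASE)


def classify_temp(temp_root):
    """Return (avast_files, other_files, other_bytes) for temp_root.

    Paths are relative to temp_root; other_bytes is the disk space held
    by files that avast would not clean up, since it did not create them.
    """
    avast_files, other_files, other_bytes = [], [], 0
    for folder, _dirs, names in os.walk(temp_root):
        rel_folder = os.path.relpath(folder, temp_root)
        parts = [] if rel_folder == "." else rel_folder.split(os.sep)
        in_avast_dir = bool(parts) and parts[0].lower() == AVAST_DIR
        for name in names:
            rel = os.path.normpath(os.path.join(rel_folder, name))
            if in_avast_dir and UNP_NAME.match(name):
                avast_files.append(rel)
            else:
                other_files.append(rel)
                other_bytes += os.path.getsize(os.path.join(folder, name))
    return sorted(avast_files), sorted(other_files), other_bytes


def build_sample_temp(root):
    """Constructed sample tree (not real data) standing in for a Temp folder."""
    sample = {
        os.path.join(AVAST_DIR, "UNP123456.tmp"): 10,  # avast unpack file
        os.path.join(AVAST_DIR, "notes.txt"): 3,       # wrong name format
        os.path.join("ExtractedZip", "SCAN.EXE"): 40,  # another extractor
        "UNP654321.tmp": 5,                            # right name, wrong folder
    }
    for rel, size in sample.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(b"x" * size)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        build_sample_temp(root)
        avast, other, size = classify_temp(root)
        print("unpacked by avast:", avast)
        print("left by something else:", other, f"({size} bytes)")
```
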
Title: Re: Vista search and Avast 4.8 performance
Post by: ady4um on September 01, 2009, 05:57:06 PM
David, again I thank you for your patience and for all your posts.

According to your explanation, even if it is based on XP, it seems I will have to play around with several Vista Search configurations, search locations, and Avast sensitivity.

Still, if anyone using Vista could add his own experience, or even better a dev could check this issue, that would be appreciated.
Title: Re: Vista search and Avast 4.8 performance
Post by: DavidR on September 01, 2009, 06:12:09 PM
I take it that the file names and location you mentioned previously weren't avast's _avast4_ folder or unpacking files?

I'm surprised that no Vista users have joined the topic as there are very many of them.
Title: Re: Vista search and Avast 4.8 performance
Post by: spg SCOTT on September 01, 2009, 06:46:23 PM
Hi ady4um,

I have tried to replicate your symptoms somewhat...

I have placed the various eicar files into two folders, one indexed, one not.

I then searched from 'My Computer' (including non-indexed files - advanced search) and apart from taking some time, there was no alert. I am guessing that there may be something else in the mix, but am not sure what it could be...


Title: Re: Vista search and Avast 4.8 performance
Post by: ady4um on September 02, 2009, 07:33:59 AM
Hi Scott,

Thank you for your post.

After the first time I saw this behavior, I tried to reproduce it. So 1 day after the first time, after rebooting and after doing several other things not related to Avast and not related to the problematic folders/files, I checked this behavior again. Since it was reproducible, I decided to come here and post my questions.

But now, after playing around with Vista search configuration so as to identify the problem, I can't reproduce this behavior again. I don't know if something else changed, either in Avast configuration or elsewhere in Vista, but I *can* be sure I did not change Avast settings manually.

I manually re-scanned with Avast the folder with those old DOS antivirus tools, and they are still there, so that item did not change.

Some of the Vista Search configurations I "played" with:

-always search names and contents
-include subfolders
-partial matches
-don't use index when searching the file system
-include system directories
-include compressed files

-Avast High sensitivity in each and every provider.

I will post again if I encounter this strange behavior again, and I would appreciate anyone finding something similar to post also.

Thank you in advance.