Avast WEBforum

Consumer Products => Avast Free Antivirus / Premium Security (legacy Pro Antivirus, Internet Security, Premier) => Topic started by: DavidR on February 24, 2012, 06:53:15 PM

Title: 7.0.1407 - File System Shield activity & FSS exclusions
Post by: DavidR on February 24, 2012, 06:53:15 PM
The file system shield activity has greatly increased in the final release build as has been shown in some other posts. Currently on my system 19118/0 files scanned and my system has never had this kind of activity in the FSS. Many posts make this figure look positively low, with over 57,000 scans.

I recently noticed that the FSS is constantly scanning a file winpatrol.exe; now this should have been added to the Transient cache after the first scan of this file. Having excluded that file from scanning in the FSS exclusions, I'm now noticing many other such repetitive scans of files on my system.

So that file shouldn't be scanned again unless you reboot or have a VPS update or the file changes. That file was clearly not being added to the Transient cache.

Whilst compiling this post and doing some checking of my settings, the FSS activity has climbed to 19890/0, I also added an exclusion (full path) for another file (C:\Program Files\Agnitum\Outpost Firewall Pro\op_mon.exe) being constantly scanned yet that even after exclusion is being scanned.

So it would appear that there is also something wrong with the FSS exclusions.

EDIT added another exclusion C:\Program Files\FireTrust\MailWasher2010\MailWasherPro.exe and that one seems to have taken.

The activity is now up at 21223/0 and it appears to be cycling through .exe and dll files also javascript session store files, even though they too are excluded.
Title: Re: 7.0.1407 - File System Shield activity & FSS exclusions
Post by: Vlk on February 24, 2012, 07:08:39 PM
The transient cache has indeed changed a little bit because of the changes in streaming updates and filerep.
It looks like some process is constantly touching these files on your system.
Can you try e.g. ProcMon to find out who it is?

Thanks
Vlk
Title: Re: 7.0.1407 - File System Shield activity & FSS exclusions
Post by: iroc9555 on February 24, 2012, 07:23:08 PM
@ Vlk

I am in the same situation. Avast! 7 sticks with one file over and over. Avast! does check other files while you use them but it returns to the same file again afterward. If I add the file, HPQste08.EXe in this case, to the exclusions or stop the process, Avast! just picks another and stays with it. I have stopped or added about 5 files and Avast! just picks another.

Quote from: Vlk
It looks like some process is constantly touching these files on your system.
Can you try e.g. ProcMon to find out who it is?

I will see what it is. Report back later.
Title: Re: 7.0.1407 - File System Shield activity & FSS exclusions
Post by: Dch48 on February 24, 2012, 07:28:24 PM
Mine shows 7181 scans in the last 24 hours. What has drastically increased is the Script Shield activity which is showing 27,769 scanned scripts in the last 24 hours.
Title: Re: 7.0.1407 - File System Shield activity & FSS exclusions
Post by: DavidR on February 24, 2012, 07:30:41 PM
Well essentially like the transient cache, nothing has changed on my XP Pro system either.

Even with the streaming updates, which aren't that frequent plus I don't have an entry in defs for a stream today at all, the UI Updates shows the last stream update as yesterday, so that shouldn't trigger a Transient cache reset. So why the constant cycling through files.

So what am I looking at in the ProcMon ?
Title: Re: 7.0.1407 - File System Shield activity & FSS exclusions
Post by: MikeBCda on February 24, 2012, 08:28:09 PM
David, since your last post was less than an hour ago, I presume you're still having this problem?

It must vary considerably from one user's system to another ... I did get the same thing with repeated scanning of FirewallUI.exe, as I'd noted in another thread somewhere (the main "Final released" one, maybe?), but adding the PCTools folder to my File Shield exclusions (not the global exclusions, under Settings) cleared that up nicely yesterday and -- so far, at least -- avast hasn't found another file "worthy" of the same attention.  The tooltray icon remains at rest unless something's actually happening.

Between that, and the extremely useful tip of resetting ShowSetupOutro in the INI to get rid of that phoenix-like "finish installing" thing, I think I've finally got my avast back into normal running condition, plus of course the new features.  Speaking of which, since the new auto-sandbox so far has too small a database to be of any use, and insists on terminating nearly anything I start, I've simply disabled that until it's more functional, like the WebRep will hopefully become.
Title: Re: 7.0.1407 - File System Shield activity & FSS exclusions
Post by: DavidR on February 24, 2012, 08:49:47 PM
Well continues apace, but as far as being a problem goes it doesn't really impact on my system performance, it is just that this never happened before and essentially with the Transient cache it shouldn't happen.

Even with the streaming updates (of which I have had none today) does clear/reset the transient cache the file should be scanned once and not perpetually.

I have added a few exclusions, but that is shooting the messenger and not solving the problem (and there are a great many such files in this cycle), this simply shouldn't happen.

The activity/files scanned count is currently on 28844/0.
Title: Re: 7.0.1407 - File System Shield activity & FSS exclusions
Post by: YoKenny on February 24, 2012, 10:02:54 PM
I added WinPatrol to my Exclusions and it greatly reduced the number of events in FSS on my XP Pro system.

I see no problem with WinPatrol in FSS on my Windows 7 system.
Title: Re: 7.0.1407 - File System Shield activity & FSS exclusions
Post by: DavidR on February 24, 2012, 10:12:27 PM
Generally not a problem on my win7 netbook, but that doesn't get as much use is on standby most of the time.

But the XP Pro system the stats activity looks like a profile of the Alps. Scanned count now at 33,673/0
Title: Re: 7.0.1407 - File System Shield activity & FSS exclusions
Post by: iroc9555 on February 25, 2012, 12:10:32 AM
After a clean install, all remains the same ( sounds like a song ). It does not matter if I exclude the file, Avast! just gets stuck with another. After 3 hours with the new install, I have in FSS about 130.000 files scanned. This is unbelievable.

Besides the automatic vps update when installing I have not got any more updates, vps 120224-1, and I have this disturbing " Connection not established " sign that I have no idea what it means.

@ Vlk

Quote from: DavidR
So what am I looking at in the ProcMon ?

Like DavidR, what am I looking at when using Process Monitor ?
Title: Re: 7.0.1407 - File System Shield activity & FSS exclusions
Post by: DavidR on February 25, 2012, 01:15:33 AM
The Connection not established related to the cloud services for the streaming updates. Your normal VPS updates would be unaffected by this as far as I'm aware.

If there are no streaming updates that shouldn't trigger a transient cache reset, as I mentioned before; so there would be little reason then for the subsequent scans of an individual file. Even if it was working and reset the transient cache it should only scan a file once after that.

So even if I knew what Vlk asked me to monitor, essentially it makes no difference, if there was something touching the file/s surely it should be scanned once and no more.

One of the culprits in this is usually the old MS Index Service, but I disabled that many years ago as it is a pain in the rear.

Title: Re: 7.0.1407 - File System Shield activity & FSS exclusions
Post by: iroc9555 on February 25, 2012, 01:36:11 AM
Well I got my first automatic vps update ( 120224-2 ). My FSS is reaching 200 thou by now.

Quote from: DavidR
The Connection not established related to the cloud services for the streaming updates. Your normal VPS updates would be unaffected by this as far as I'm aware.

Ok thank you. I wanted to be sure. Will wait for a streaming update and see if the con is established, and as I said I got my first VPS.

Quote from: DavidR
If there are no streaming updates that shouldn't trigger a transient cache reset, as I mentioned before; so there would be little reason then for the subsequent scans of an individual file. Even if it was working and reset the transient cache it should only scan a file once after that.

That is the million dollar, in your case pounds or euros, question. What is making FSS to behave like that ?

Quote from: DavidR
So even if I knew what Vlk asked me to monitor, essentially it makes no difference, if there was something touching the file/s surely it should be scanned once and no more.

I know you do not because you asked Vlk what to look for. I was also asking him what to look for . If something is touching the files and they should be scanned once anyway then why is/are it/they being scanned again and again ? Well I suppose that is the question....
Title: Re: 7.0.1407 - File System Shield activity & FSS exclusions
Post by: bollity on February 25, 2012, 01:57:08 AM
The same problem here.
Title: Re: 7.0.1407 - File System Shield activity & FSS exclusions
Post by: DavidR on February 25, 2012, 02:01:02 AM
What OS are you using, as both of us are using XP Pro ?

Though it does seem yours is somewhat less active, mine now at 48,014/0
Title: Re: 7.0.1407 - File System Shield activity & FSS exclusions
Post by: Solemn on February 25, 2012, 09:36:58 AM
Not sure if this is too off-topic as I don't have enough information to back it up yet, but I too appear to be experiencing this on all my Windows XP systems (32-bit) (unsure if Windows 7 x64 one is affected yet).

I noticed the AvastSvc.exe process getting high in memory consumption & cpu usage during a routine Malwarebytes Antimalware scan.  It also sticks around after it's done and may periodically pop-up in heavy usage again if something is opened.  This hasn't happened before the upgrade and appears to have made everything generally sluggish.  Scan times for MBAM increased about 40%-50% longer (as well as a 30-40% longer avast quick scan time) [mind you these rigs are rather old].

I do also have filerep and streaming updates on, and have similarly seen a spike in File Shield scanned items (20,000 items higher than usual at the moment).  Will keep a watch on any developments with this.
Title: Re: 7.0.1407 - File System Shield activity & FSS exclusions
Post by: Asyn on February 25, 2012, 09:55:47 AM
Quote from: DavidR
What OS are you using, as both of us are using XP Pro ?

Just had a look, no problems here.
Title: Re: 7.0.1407 - File System Shield activity & FSS exclusions
Post by: Tetsuo on February 25, 2012, 02:36:47 PM
Sorry if you have already clarified this but during the "FSS constant scan" what's the behavior of the tray icon? is it spinning?
I'm asking because I have to check my father's laptop (XP Pro SP3).
Title: Re: 7.0.1407 - File System Shield activity & FSS exclusions
Post by: DJBone on February 25, 2012, 02:52:32 PM
Quote from: DavidR
What OS are you using, as both of us are using XP Pro ?

I have the same problem on my WinXP Home SP3 Laptop. FSS scans the same file (the UI of my WLAN driver) again and again...

DJBone
Title: Re: 7.0.1407 - File System Shield activity & FSS exclusions
Post by: DavidR on February 25, 2012, 03:33:04 PM
Quote from: Tetsuo
Sorry if you have already clarified this but during the "FSS constant scan" what's the behavior of the tray icon? is it spinning?
I'm asking because I have to check my father's laptop (XP Pro SP3).

I didn't see any appreciable CPU activity or constant rotation of the avast tray icon (you might just see a single rotation for each blip). It is just a constant drip, drip, drip, as the scanned count constantly creeps up. Now as 13694/0 14037/0 whilst just posting this. My system has only been up for about 90 minutes.
Title: Re: 7.0.1407 - File System Shield activity & FSS exclusions
Post by: iroc9555 on February 25, 2012, 03:53:44 PM
After excluding a dozen processes or so from FSS and including them to Behavior shield:

C:\Archivos de programa\Creative\VoiceCenter\AndreaVC.exe
C:\Archivos de programa\Digital Line Detect\DLG.EXE
C:\Archivos de programa\HP\Digital Imaging\bin\hpqste08.exe
C:\Archivos de programa\Logitech\Logitech WebCam Software\LWS.exe
C:\Archivos de programa\Intel\Intel Matrix Storage Manager\IAANTMON.EXE
C:\Archivos de programa\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Archivos de programa\TrippLite\PowerAlert\console\pastatus.exe
C:\Archivos de programa\TrippLite\PowerAlert\engine\pal.exe
C:\Archivos de programa\UPHClean\uphclean.exe

C:\Archivos de programa\Archivos comunes\Creative Labs Shared\Service\CREATIVELICENSING.EXE
C:\Archivos de programa\Archivos comunes\LogiShrd\LQCVFX\COCIMANAGER.EXE
C:\Archivos de programa\Archivos comunes\LogiShrd\LVMVFM\LVPRCSRV.EXE

C:\Documents and Settings\Hernan Perez\Configuración local\Temp\clclean.0001.dir.0000
C:\Documents and Settings\Hernan Perez\Configuración local\Temp\clclean.0001
C:\Documents and Settings\Hernan Perez\Configuración local\Temp\clclean.0001.dir.0000\~df394b.tmp
C:\Documents and Settings\Hernan Perez\Configuración local\Temp\clclean.0001.dir.0000\~efe2.tmp

C:\WINDOWS\STSYSTRA.EXE

C:\WINDOWS\system32\CTMBHA.dll
C:\WINDOWS\SYSTEM32\CTSVCCDA.EXE
C:\WINDOWS\SYSTEM32\DLA\DLACTRLW.EXE
C:\WINDOWS\SYSTEM32\NVSVC32.EXE

 I got stuck with

C:\Documents and Settings\Hernan \Local configuration\Temp\clclean.0001.dir.0000

Did not want to go away. However, this morning, fooling around with the Cloud Services and streaming updates, I disabled it, rebooted, and enabled it again and rebooted. Did not get connection established or the folder for the streaming updates in Avast! def file that I was expecting to accomplish with it, but I got FSS to work the right way ;D. Avast! icon is not spinning like crazy any more and last file scanned changes accordingly. Now I have to take back all the exclusions in FSS and see what happens.

@ Tetsuo

Quote from: Tetsuo
Sorry if you have already clarified this but during the "FSS constant scan" what's the behavior of the tray icon? is it spinning?
I'm asking because I have to check my father's laptop (XP Pro SP3).

Yes, the icon is constantly spinning if the comp is at idle. You can also check your CPU for spikes. Mine was all the time jumping to 40% or 60% when normally it did not pass 15%. Also take a look at your FSS. See my screenshots. One is FSS working like crazy the other is FSS working like it is supposed to. Guess which is which ?

@ DavidR

I had some cpu spikes as explained above
Title: Re: 7.0.1407 - File System Shield activity & FSS exclusions
Post by: bob3160 on February 25, 2012, 03:57:53 PM
Almost looks like a Ccleaner temp file (Undo file) that's being scanned.
I don't have the problem but don't have Ccleaner installed either.
Title: Re: 7.0.1407 - File System Shield activity & FSS exclusions
Post by: DavidR on February 25, 2012, 04:01:47 PM
Quote from: iroc9555
@ DavidR

I had some cpu spikes as explained above

Yes, but my instance isn't anywhere near as severe as yours was, so my CPU wasn't an issue and the tray icon as mentioned would generally rotate once.
Title: Re: 7.0.1407 - File System Shield activity & FSS exclusions
Post by: Tetsuo on February 25, 2012, 04:12:36 PM
mmmh... thanks for the info, guys.
Title: Re: 7.0.1407 - File System Shield activity & FSS exclusions
Post by: iroc9555 on February 25, 2012, 04:43:55 PM
@ Bob

Quote from: bob3160
Almost looks like a Ccleaner temp file (Undo file) that's being scanned.
I don't have the problem but don't have Ccleaner installed either.

Thank you for your idea, but no, it is not a CCleaner file. It is a file for SoundBlaster Audigy integrated audio.

Well I started to delete files from FSS exclusion list and it did not work. Avast is back like crazy scanning all those files again and again.  >:(
Title: Re: 7.0.1407 - File System Shield activity & FSS exclusions
Post by: Gopher John on February 25, 2012, 05:02:52 PM
Quote from: Tetsuo
Sorry if you have already clarified this but during the "FSS constant scan" what's the behavior of the tray icon? is it spinning?
I'm asking because I have to check my father's laptop (XP Pro SP3).

Quote from: DavidR
I didn't see any appreciable CPU activity or constant rotation of the avast tray icon (you might just see a single rotation for each blip). It is just a constant drip, drip, drip, as the scanned count constantly creeps up. Now as 13694/0 14037/0 whilst just posting this. My system has only been up for about 90 minutes.

My system has been up a little over 2.5 hours and the FSS shows 2130/0.  I have *\firefox\profiles\*sessionstore*.js as an exclusion on write ( due to a recommendation from someone ).  You might see if that will help.  At the time I entered that exclusion in the distant past, it did help a particular situation but it might not even be necessary now.  The sad thing is that I don't remember the details, now.

I don't have WinPatrol installed.  Is it possible that it is touching some file and triggering the FSS on it?  I'm not familiar with that program, just that it is highly recommended by many.
Title: Re: 7.0.1407 - File System Shield activity & FSS exclusions
Post by: DavidR on February 25, 2012, 05:16:28 PM
The other thing is that many of the files that are being scanned, shouldn't be being scanned in any case under the default FSS settings.

Take some of those listed by iroc9555:
C:\Documents and Settings\Hernan Perez\Configuración local\Temp\clclean.0001.dir.0000
C:\Documents and Settings\Hernan Perez\Configuración local\Temp\clclean.0001
C:\Documents and Settings\Hernan Perez\Configuración local\Temp\clclean.0001.dir.0000\~df394b.tmp
C:\Documents and Settings\Hernan Perez\Configuración local\Temp\clclean.0001.dir.0000\~efe2.tmp

These aren't executables or dlls, so why the FSS shield would be even scanning them outside of the issue being covered here, is beyond me.

I have seen several such files being scanned that aren't .exe or .dll, etc.
Title: Re: 7.0.1407 - File System Shield activity & FSS exclusions
Post by: DavidR on February 25, 2012, 05:19:59 PM
<snip quotes>
Quote from: Gopher John
My system has been up a little over 2.5 hours and the FSS shows 2130/0.  I have *\firefox\profiles\*sessionstore*.js as an exclusion on write ( due to a recommendation from someone ).  You might see if that will help.  At the time I entered that exclusion in the distant past, it did help a particular situation but it might not even be necessary now.  The sad thing is that I don't remember the details, now.

I don't have WinPatrol installed.  Is it possible that it is touching some file and triggering the FSS on it?  I'm not familiar with that program, just that it is highly recommended by many.

I have had the *\firefox\profiles\*sessionstore*.js exclusions for absolutely ages, in fact I believe it is now a default exclusion.

WinPatrol like avast is meant to be on-access so something would have to make a system change, etc. for it to reach out to check.
Title: Re: 7.0.1407 - File System Shield activity & FSS exclusions
Post by: reesd on February 25, 2012, 05:31:25 PM
I am seeing the same thing on XP as I reported at http://forum.avast.com/index.php?topic=94168.msg749722.

I am seeing processlasso.exe every second, and  am seeing KiwiLogViewer.exe and notepad++.exe every few seconds.

d
Title: Re: 7.0.1407 - File System Shield activity & FSS exclusions
Post by: DavidR on February 25, 2012, 07:21:16 PM
Update:

I appear to have many more files in this repetitive scan cycle.

Switched OK files on in the FSS Report file settings, Stopped FSS to enable changed setting, Started FSS. Left on for 3 minutes, unchecked the OK files in the Report file, Stop and Start FSS. In that 3 and a bit minutes over 900 files were scanned.

Quote from: Extract of FileSystemShield.txt
25/02/2012 17:54:31   C:\PROGRAM FILES\ROCKETDOCK\ROCKETDOCK.EXE  is OK
25/02/2012 17:54:31   C:\PROGRAM FILES\LOGITECH\SETPOINT\SETPOINT.EXE  is OK
25/02/2012 17:54:31   C:\PROGRAM FILES\LOGITECH\SETPOINT\SETPOINT.EXE  is OK
25/02/2012 17:54:31   C:\PROGRAM FILES\YAHOO!\WIDGETS\YAHOOWIDGETS.EXE  is OK
25/02/2012 17:54:31   C:\PROGRAM FILES\YAHOO!\WIDGETS\YAHOOWIDGETS.EXE  is OK
25/02/2012 17:54:31   C:\PROGRAM FILES\COMMON FILES\LOGISHRD\KHAL2\KHALMNPR.EXE  is OK
25/02/2012 17:54:31   C:\PROGRAM FILES\COMMON FILES\LOGISHRD\KHAL2\KHALMNPR.EXE  is OK
25/02/2012 17:54:31   C:\PROGRAM FILES\YAHOO!\WIDGETS\YAHOOWIDGETS.EXE  is OK
25/02/2012 17:54:31   C:\PROGRAM FILES\YAHOO!\WIDGETS\YAHOOWIDGETS.EXE  is OK
25/02/2012 17:54:31   C:\PROGRAM FILES\YAHOO!\WIDGETS\YAHOOWIDGETS.EXE  is OK
25/02/2012 17:54:31   C:\PROGRAM FILES\YAHOO!\WIDGETS\YAHOOWIDGETS.EXE  is OK
25/02/2012 17:54:31   C:\PROGRAM FILES\SUPERANTISPYWARE\SASCORE.EXE  is OK
25/02/2012 17:54:31   C:\PROGRAM FILES\SUPERANTISPYWARE\SASCORE.EXE  is OK
25/02/2012 17:54:31   C:\PROGRAM FILES\JAVA\JRE7\BIN\JQS.EXE  is OK
25/02/2012 17:54:31   C:\PROGRAM FILES\JAVA\JRE7\BIN\JQS.EXE  is OK
25/02/2012 17:54:31   C:\PROGRAM FILES\MALWAREBYTES' ANTI-MALWARE\MBAMSERVICE.EXE  is OK
25/02/2012 17:54:31   C:\PROGRAM FILES\MALWAREBYTES' ANTI-MALWARE\MBAMSERVICE.EXE  is OK
25/02/2012 17:54:31   C:\PROGRAM FILES\POWERQUEST\DRIVE IMAGE 7.0\AGENT\PQV2ISVC.EXE  is OK
25/02/2012 17:54:31   C:\PROGRAM FILES\POWERQUEST\DRIVE IMAGE 7.0\AGENT\PQV2ISVC.EXE  is OK
25/02/2012 17:54:31   C:\PROGRAM FILES\CAPS LOCK CHANGER\CAPS_LOCK_CHANGER.EXE  is OK
25/02/2012 17:54:31   C:\PROGRAM FILES\CAPS LOCK CHANGER\CAPS_LOCK_CHANGER.EXE  is OK
25/02/2012 17:54:31   C:\PROGRAM FILES\BELKIN BULLDOG PLUS\MUPS.EXE  is OK
25/02/2012 17:54:31   C:\PROGRAM FILES\MOZILLA THUNDERBIRD\THUNDERBIRD.EXE  is OK
25/02/2012 17:54:31   C:\PROGRAM FILES\MOZILLA THUNDERBIRD\THUNDERBIRD.EXE  is OK
25/02/2012 17:54:31   C:\PROGRAM FILES\TECHSMITH\SNAGIT 10\SNAGIT32.EXE  is OK
25/02/2012 17:54:31   C:\PROGRAM FILES\TECHSMITH\SNAGIT 10\SNAGIT32.EXE  is OK
25/02/2012 17:54:31   C:\PROGRAM FILES\TECHSMITH\SNAGIT 10\TSCHELP.EXE  is OK
25/02/2012 17:54:31   C:\PROGRAM FILES\TECHSMITH\SNAGIT 10\TSCHELP.EXE  is OK
25/02/2012 17:54:31   C:\PROGRAM FILES\TECHSMITH\SNAGIT 10\SNAGPRIV.EXE  is OK
25/02/2012 17:54:31   C:\PROGRAM FILES\TECHSMITH\SNAGIT 10\SNAGPRIV.EXE  is OK
25/02/2012 17:54:31   C:\PROGRAM FILES\TECHSMITH\SNAGIT 10\SNAGITEDITOR.EXE  is OK
25/02/2012 17:54:31   C:\PROGRAM FILES\TECHSMITH\SNAGIT 10\SNAGITEDITOR.EXE  is OK
25/02/2012 17:54:31   C:\PROGRAM FILES\JGSOFT\EDITPADLITE\EDITPADLITE7.EXE  is OK
25/02/2012 17:54:31   C:\PROGRAM FILES\JGSOFT\EDITPADLITE\EDITPADLITE7.EXE  is OK
25/02/2012 17:54:31   C:\PROGRAM FILES\7-ZIP\7ZFM.EXE  is OK
25/02/2012 17:54:31   C:\PROGRAM FILES\7-ZIP\7ZFM.EXE  is OK
25/02/2012 17:54:33   C:\Program Files\PowerQuest\Drive Image 7.0\Agent\PQSmeCOM.dll  is OK
25/02/2012 17:54:33   C:\Program Files\PowerQuest\Drive Image 7.0\Agent\gwlangEN.dll  is OK
25/02/2012 17:54:34   C:\WINDOWS\system32\gearaspi.dll  is OK
25/02/2012 17:54:41   C:\PROGRAM FILES\ROCKETDOCK\ROCKETDOCK.EXE  is OK
25/02/2012 17:54:41   C:\PROGRAM FILES\LOGITECH\SETPOINT\SETPOINT.EXE  is OK
25/02/2012 17:54:41   C:\PROGRAM FILES\LOGITECH\SETPOINT\SETPOINT.EXE  is OK
25/02/2012 17:54:41   C:\PROGRAM FILES\YAHOO!\WIDGETS\YAHOOWIDGETS.EXE  is OK
25/02/2012 17:54:41   C:\PROGRAM FILES\YAHOO!\WIDGETS\YAHOOWIDGETS.EXE  is OK
25/02/2012 17:54:41   C:\PROGRAM FILES\COMMON FILES\LOGISHRD\KHAL2\KHALMNPR.EXE  is OK
25/02/2012 17:54:41   C:\PROGRAM FILES\COMMON FILES\LOGISHRD\KHAL2\KHALMNPR.EXE  is OK
25/02/2012 17:54:41   C:\PROGRAM FILES\YAHOO!\WIDGETS\YAHOOWIDGETS.EXE  is OK
25/02/2012 17:54:41   C:\PROGRAM FILES\YAHOO!\WIDGETS\YAHOOWIDGETS.EXE  is OK
25/02/2012 17:54:41   C:\PROGRAM FILES\YAHOO!\WIDGETS\YAHOOWIDGETS.EXE  is OK
25/02/2012 17:54:41   C:\PROGRAM FILES\YAHOO!\WIDGETS\YAHOOWIDGETS.EXE  is OK
25/02/2012 17:54:41   C:\PROGRAM FILES\SUPERANTISPYWARE\SASCORE.EXE  is OK
25/02/2012 17:54:41   C:\PROGRAM FILES\SUPERANTISPYWARE\SASCORE.EXE  is OK
25/02/2012 17:54:41   C:\PROGRAM FILES\JAVA\JRE7\BIN\JQS.EXE  is OK
25/02/2012 17:54:41   C:\PROGRAM FILES\JAVA\JRE7\BIN\JQS.EXE  is OK
25/02/2012 17:54:41   C:\PROGRAM FILES\MALWAREBYTES' ANTI-MALWARE\MBAMSERVICE.EXE  is OK
25/02/2012 17:54:41   C:\PROGRAM FILES\MALWAREBYTES' ANTI-MALWARE\MBAMSERVICE.EXE  is OK
25/02/2012 17:54:41   C:\PROGRAM FILES\POWERQUEST\DRIVE IMAGE 7.0\AGENT\PQV2ISVC.EXE  is OK
25/02/2012 17:54:41   C:\PROGRAM FILES\POWERQUEST\DRIVE IMAGE 7.0\AGENT\PQV2ISVC.EXE  is OK
25/02/2012 17:54:41   C:\PROGRAM FILES\CAPS LOCK CHANGER\CAPS_LOCK_CHANGER.EXE  is OK
25/02/2012 17:54:41   C:\PROGRAM FILES\CAPS LOCK CHANGER\CAPS_LOCK_CHANGER.EXE  is OK
25/02/2012 17:54:41   C:\PROGRAM FILES\BELKIN BULLDOG PLUS\MUPS.EXE  is OK
25/02/2012 17:54:41   C:\PROGRAM FILES\MOZILLA THUNDERBIRD\THUNDERBIRD.EXE  is OK
25/02/2012 17:54:41   C:\PROGRAM FILES\MOZILLA THUNDERBIRD\THUNDERBIRD.EXE  is OK
25/02/2012 17:54:41   C:\PROGRAM FILES\TECHSMITH\SNAGIT 10\SNAGIT32.EXE  is OK
25/02/2012 17:54:41   C:\PROGRAM FILES\TECHSMITH\SNAGIT 10\SNAGIT32.EXE  is OK
25/02/2012 17:54:41   C:\PROGRAM FILES\TECHSMITH\SNAGIT 10\TSCHELP.EXE  is OK
25/02/2012 17:54:41   C:\PROGRAM FILES\TECHSMITH\SNAGIT 10\TSCHELP.EXE  is OK
25/02/2012 17:54:41   C:\PROGRAM FILES\TECHSMITH\SNAGIT 10\SNAGPRIV.EXE  is OK
25/02/2012 17:54:41   C:\PROGRAM FILES\TECHSMITH\SNAGIT 10\SNAGPRIV.EXE  is OK
25/02/2012 17:54:41   C:\PROGRAM FILES\TECHSMITH\SNAGIT 10\SNAGITEDITOR.EXE  is OK
25/02/2012 17:54:41   C:\PROGRAM FILES\TECHSMITH\SNAGIT 10\SNAGITEDITOR.EXE  is OK
25/02/2012 17:54:41   C:\PROGRAM FILES\JGSOFT\EDITPADLITE\EDITPADLITE7.EXE  is OK
25/02/2012 17:54:41   C:\PROGRAM FILES\JGSOFT\EDITPADLITE\EDITPADLITE7.EXE  is OK
25/02/2012 17:54:42   C:\PROGRAM FILES\7-ZIP\7ZFM.EXE  is OK
25/02/2012 17:54:42   C:\PROGRAM FILES\7-ZIP\7ZFM.EXE  is OK

I'm far from happy as this was never how it was, and there really shouldn't be a need for a user to go to these lengths, analysis & exclusion of tens of files. When the Transient cache is meant to cater for this repetitive scanning of the same file, until the user reboots, a virus definitions update or the file actually changes.

So it is broken, I can think of no other words to better describe is not working as it should.

For me most of these files although loaded would be pretty dormant.
Title: Re: 7.0.1407 - File System Shield activity & FSS exclusions
Post by: spg SCOTT on February 25, 2012, 07:34:15 PM
David, I think I have managed to replicate this to some extent.

I think there is a setting within FSS settings that causes this. I turned them all pretty much all the way up on every page and I saw what you saw in the report file.

I will test further, to see if I can pin down which one it is.

A small portion of what I see...
Code:
25/02/2012 18:28:30 C:\Program Files\Rainmeter\Rainmeter.exe [+] is OK
25/02/2012 18:28:30 C:\Program Files\Rainmeter\Rainmeter.exe [+] is OK
25/02/2012 18:28:30 C:\Program Files (x86)\BillP Studios\WinPatrol\WinPatrol.exe [+] is OK
25/02/2012 18:28:30 C:\Program Files (x86)\BillP Studios\WinPatrol\WinPatrol.exe [+] is OK
25/02/2012 18:28:30 C:\Program Files\Alwil Software\Avast5\aswWebRepIE.dll [+] is OK
25/02/2012 18:28:30 C:\Program Files (x86)\BillP Studios\WinPatrol\WinPatrol.exe [+] is OK
25/02/2012 18:28:30 C:\Program Files (x86)\BillP Studios\WinPatrol\WinPatrol.exe [+] is OK
25/02/2012 18:28:30 C:\Program Files (x86)\TOSHIBA\ConfigFree\NDSTray.exe [+] is OK
25/02/2012 18:28:30 C:\Program Files (x86)\TOSHIBA\ConfigFree\NDSTray.exe [+] is OK
25/02/2012 18:28:33 C:\Program Files (x86)\TOSHIBA\ConfigFree\NDSTray.exe [+] is OK
25/02/2012 18:28:33 C:\Program Files (x86)\TOSHIBA\ConfigFree\NDSTray.exe [+] is OK
etc.
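
Added example (not posted by anyone in this thread and not Avast code): a Python script that reads File System Shield report text in the line shape quoted in the two extracts above and lists the files that were scanned at more than one distinct timestamp, with the typical gap between rescans. The sample lines are constructed from those extracts, the function names are hypothetical, and only "is OK" lines are handled because that is the only verdict the thread shows.

```python
"""List files that a File System Shield report shows being rescanned."""
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

# Line shape as quoted in the thread: "DD/MM/YYYY HH:MM:SS <path> is OK",
# optionally with a "[+]" marker before the verdict.
LINE_RE = re.compile(
    r"^(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2})\s+(.+?)\s+(?:\[\+\]\s+)?is OK\s*$"
)

# Constructed sample built from the line shapes in the thread's extracts.
SAMPLE_REPORT = r"""
25/02/2012 17:54:31   C:\PROGRAM FILES\ROCKETDOCK\ROCKETDOCK.EXE  is OK
25/02/2012 17:54:31   C:\PROGRAM FILES\LOGITECH\SETPOINT\SETPOINT.EXE  is OK
25/02/2012 17:54:31   C:\PROGRAM FILES\LOGITECH\SETPOINT\SETPOINT.EXE  is OK
25/02/2012 17:54:34   C:\WINDOWS\system32\gearaspi.dll  is OK
25/02/2012 17:54:41   C:\PROGRAM FILES\ROCKETDOCK\ROCKETDOCK.EXE  is OK
25/02/2012 17:54:41   C:\PROGRAM FILES\LOGITECH\SETPOINT\SETPOINT.EXE  is OK
25/02/2012 17:54:41   C:\PROGRAM FILES\LOGITECH\SETPOINT\SETPOINT.EXE  is OK
25/02/2012 17:54:51   C:\Program Files\RocketDock\RocketDock.exe  is OK
25/02/2012 18:28:30 C:\Program Files\Rainmeter\Rainmeter.exe [+] is OK
25/02/2012 18:28:30 C:\Program Files\Rainmeter\Rainmeter.exe [+] is OK
25/02/2012 18:28:30 C:\Program Files (x86)\TOSHIBA\ConfigFree\NDSTray.exe [+] is OK
25/02/2012 18:28:33 C:\Program Files (x86)\TOSHIBA\ConfigFree\NDSTray.exe [+] is OK
"""


def parse_report(text):
    """Return a list of (timestamp, path) for every "is OK" line."""
    events = []
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if not match:
            continue  # blank lines, headers, or verdicts not shown in the thread
        stamp = datetime.strptime(match.group(1), "%d/%m/%Y %H:%M:%S")
        events.append((stamp, match.group(2)))
    return events


def rescanned_files(events, min_bursts=2):
    """Group scans by path and keep files seen at >= min_bursts timestamps.

    Paths are compared case-insensitively because the report mixes
    upper-case and mixed-case spellings of the same file. Several lines in
    the same second count as one burst, since the report has one-second
    resolution. A rescan is expected after a reboot, a definitions update
    or a change to the file, so a finding is a candidate, not proof.
    """
    stamps_by_path = defaultdict(list)
    first_spelling = {}
    for stamp, path in events:
        key = path.casefold()
        first_spelling.setdefault(key, path)
        stamps_by_path[key].append(stamp)

    findings = []
    for key, stamps in stamps_by_path.items():
        bursts = sorted(set(stamps))
        if len(bursts) < min_bursts:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(bursts, bursts[1:])]
        findings.append({
            "path": first_spelling[key],
            "scans": len(stamps),
            "bursts": len(bursts),
            "median_gap_s": median(gaps),
        })
    # Busiest files first, then alphabetical for a stable order.
    findings.sort(key=lambda f: (-f["scans"], f["path"].casefold()))
    return findings


if __name__ == "__main__":
    for item in rescanned_files(parse_report(SAMPLE_REPORT)):
        print(f'{item["scans"]:>4} scans  {item["bursts"]:>3} bursts  '
              f'every ~{item["median_gap_s"]:.0f}s  {item["path"]}')
```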
Title: Re: 7.0.1407 - File System Shield activity & FSS exclusions
Post by: DavidR on February 25, 2012, 07:37:54 PM
Which setting is it (I had a look and didn't see anything obvious) and I can play with it too, as there is no way I'm going to manually add all of these to the FSS Exclusions.

It still doesn't account for why the Transient cache isn't doing what is intended.
Title: Re: 7.0.1407 - File System Shield activity & FSS exclusions
Post by: spg SCOTT on February 25, 2012, 07:40:42 PM
Ok,

I changed a lot initially, had to narrow it down to one...

David, (and others) do you have this checked:

avast -> Real Time Shields -> File System Shield -> Expert Settings -> Scan when opening -> "Scan all files"

I found when this is checked, I see what you see.

Not sure what it implies at the moment, or why this happens.

I guess we still need more info from avast on what is really going on.
Title: Re: 7.0.1407 - File System Shield activity & FSS exclusions
Post by: Asyn on February 25, 2012, 07:42:57 PM
Quote from: spg SCOTT
avast -> Real Time Shields -> File System Shield -> Expert Settings -> Scan when opening -> "Scan all files"

It's unchecked here and I've no problems.
Title: Re: 7.0.1407 - File System Shield activity & FSS exclusions
Post by: DavidR on February 25, 2012, 07:47:56 PM
It's unchecked here and always has been as it is a default action and I know the impact that this could have on scanning.

God help my system if I had that enabled as it wouldn't just be being repetitive on .exe, .dll, .js and a couple of other file types.
Title: Re: 7.0.1407 - File System Shield activity & FSS exclusions
Post by: Dch48 on February 25, 2012, 07:50:59 PM
I examined the behavior on my XP system and I don't see anything different from the way it acts on Win 7. There is no unusual FSS activity as far as I can see.
Title: Re: 7.0.1407 - File System Shield activity & FSS exclusions
Post by: spg SCOTT on February 25, 2012, 07:51:17 PM
Quote from: Asyn
Quote from: spg SCOTT
avast -> Real Time Shields -> File System Shield -> Expert Settings -> Scan when opening -> "Scan all files"

It's unchecked here and I've no problems.

It was here, and I changed it to see. That setting caused the repetitive scanning that others saw, but I guess that is not the issue that others are seeing...

Quote from: DavidR
It's unchecked here and always has been as it is a default action and I know the impact that this could have on scanning.

God help my system if I had that enabled as it wouldn't just be being repetitive on .exe, .dll, .js and a couple of other file types.

Ok then. I guess it was worth a look.
Title: Re: 7.0.1407 - File System Shield activity & FSS exclusions
Post by: DavidR on February 25, 2012, 07:55:22 PM
Yes, it would be nice if Vlk rejoined the party, having made a fleeting visit, suggested using ProcMon and left the building.

If only we knew what to monitor.
Title: Re: 7.0.1407 - File System Shield activity & FSS exclusions
Post by: Asyn on February 25, 2012, 07:58:34 PM
Quote from: DavidR
If only we knew what to monitor.

Yes, he was a bit vague. :-\
Title: Re: 7.0.1407 - File System Shield activity & FSS exclusions
Post by: Charyb on February 25, 2012, 07:58:51 PM
David,
Will you please attach a copy of your FileSystemShield.ini file? You will have to change it to text.
I would like to compare it to mine. I have attached mine if you would like to view it.
The only changes I have made are in the actions for all 3- virus, PUP, suspicious.
1.ask
2.move to chest
3.no action
Title: Re: 7.0.1407 - File System Shield activity & FSS exclusions
Post by: ady4um on February 25, 2012, 08:02:50 PM
I don't have this issue of repetitive scans. Would comparing settings be useful?
Title: Re: 7.0.1407 - File System Shield activity & FSS exclusions
Post by: Charyb on February 25, 2012, 08:09:27 PM
I don't know. I was just wanting to take a look. To me, it is a bug that is impossible to fix by a user.
Title: Re: 7.0.1407 - File System Shield activity & FSS exclusions
Post by: Dch48 on February 25, 2012, 08:14:00 PM
I don't have the issue at all in XP Pro. I'll attach my .ini if that could be useful. I have to find it first though and I'm having a problem with that.  Okay I found it using the Everything search utility.
Title: Re: 7.0.1407 - File System Shield activity & FSS exclusions
Post by: Charyb on February 25, 2012, 08:18:08 PM
My system is operating as expected. I was wanting to see the .ini file of a faulting system.

Thanks, Dch48.
Title: Re: 7.0.1407 - File System Shield activity & FSS exclusions
Post by: spg SCOTT on February 25, 2012, 08:22:22 PM
If only we knew what to monitor.

Yes, he was a bit vague. :-\

I thought about monitoring one of the affected processes, or the path.

I found if the path to winpatrol was monitored, you see that Explorer accesses it approx. every 30 seconds.
If the process is specified as winpatrol there is a lot more to see...(A common occurrence was "Process Profiling" - not sure what that means...)

Not sure if that is the right thing to monitor though...there is a lot to sort through...

Charyb,

Your ini file is much smaller than mine...there are some entries not present...not sure why. (and I don't experience the issue) I am not sure if this will be helpful.
Title: Re: 7.0.1407 - File System Shield activity & FSS exclusions
Post by: DavidR on February 25, 2012, 08:23:31 PM
In all honesty there is very little in the filesystemshield.ini file and virtually all of my settings are the defaults.

I had increased my sensitivity to High and have had that for ages and in the earlier beta builds without this problem. I first backed that off to the default, Normal and then to Low, neither of which made any difference.

Then the only differences would be what exclusions I have entered, but they shouldn't impact/increase the scan frequency (repetitive nature) of the scanning.

However, looking at yours, it bears no resemblance to mine at all, but the ones that you have I have and are pretty much the same. But I have lots more. So I don't know if it has inherited some of my old avast6 settings.
Title: Re: 7.0.1407 - File System Shield activity & FSS exclusions
Post by: Charyb on February 25, 2012, 08:26:18 PM
I have windows 7 64bit.

I have Dch48's which he says is working correctly. xp3
Just need one that is not working correctly. xp3

It may not show anything but it makes me feel like I contributed.  ;D

I don't see any huge difference between Dch48's and David's. Sensitivity is different, actions are different, the order of the settings is different...
Many of the main shield settings are the same though.
Title: Re: 7.0.1407 - File System Shield activity & FSS exclusions
Post by: DavidR on February 25, 2012, 08:37:26 PM
Update:
To take the filesystemshield.ini totally out of the equation, I disabled the self-defence module, stopped the file system shield and deleted the filesystemshield.ini file. Restarting the file system shield recreates the filesystemshield.ini.

So now it is very basic, on, see image1, and it continues to chomp away like pacman scanning files, 813 since starting the FSS, but that appears to be somewhat slower than before.

Title: Re: 7.0.1407 - File System Shield activity & FSS exclusions
Post by: Charyb on February 25, 2012, 08:39:15 PM
Has anyone tried a repair?
Title: Re: 7.0.1407 - File System Shield activity & FSS exclusions
Post by: DavidR on February 25, 2012, 08:44:58 PM
No, not sure what there is to repair, as that is generally to repair corruption.
Title: Re: 7.0.1407 - File System Shield activity & FSS exclusions
Post by: spg SCOTT on February 25, 2012, 08:45:46 PM
I didn't think that the ini would be useful, since it is just holding the settings. I didn't see much difference between mine and yours anyway David. I think the other parts of the ini get recreated when you go into the settings and change something.

Anyway, I guess that this is OT...

Since Vlk mentioned something "touching" the files, could it be related to another resident scanning software?
Title: Re: 7.0.1407 - File System Shield activity & FSS exclusions
Post by: Charyb on February 25, 2012, 09:26:00 PM
What happens when you go into msconfig and select diagnostic startup? Then restart. This would prevent many things from starting that may conflict. May narrow something down. Couldn't hurt.
Title: Re: 7.0.1407 - File System Shield activity & FSS exclusions
Post by: DavidR on February 25, 2012, 10:15:57 PM
Yes, the shield defaults aren't included in the .ini file, only when the defaults are changed do they get entered into the .ini file.

The thing is I have had the resident MBAM disabled for over a day to ensure that it isn't it. To the same degree as avast, there would have to have been activity on that file for MBAM to want to get involved.

That still doesn't get around what is probably the most important side issue, why isn't the Transient cache working. That should be stopping all of this repetitive scanning dead in its tracks. Some of these files were scanned 4-10 times in a second.

No way we get that many updates, either regular or streaming updates to reset the transient cache.
Title: Re: 7.0.1407 - File System Shield activity & FSS exclusions
Post by: DavidR on February 25, 2012, 10:19:42 PM
What happens when you go into msconfig and select diagnostic startup? Then restart. This would prevent many things from starting that may conflict. May narrow something down. Couldn't hurt.

Nothing on my system has changed since or just before avast7 final, and none of these problems existed on my system during the beta testing.

I run a tight ship, very little is allowed to start on boot unless essential.
Title: Re: 7.0.1407 - File System Shield activity & FSS exclusions
Post by: Asyn on February 25, 2012, 10:21:48 PM
Dave, not sure, if you want to try this...
Disable Outpost, better now..?
Title: Re: 7.0.1407 - File System Shield activity & FSS exclusions
Post by: iroc9555 on February 25, 2012, 10:35:20 PM
If someone cares to look at it. Just a couple of secs.

Code:
25/02/2012 13:28:45 C:\WINDOWS\system32\CTMBHA.DLL [+] is OK
25/02/2012 13:28:45 C:\Archivos de programa\Intel\Intel Matrix Storage Manager\IAAnotif.exe [+] is OK
25/02/2012 13:28:45 C:\Archivos de programa\Intel\Intel Matrix Storage Manager\IAAnotif.exe [+] is OK
25/02/2012 13:28:45 C:\Archivos de programa\Intel\Intel Matrix Storage Manager\IAAnotif.exe [+] is OK
25/02/2012 13:28:45 C:\Archivos de programa\Intel\Intel Matrix Storage Manager\IAAnotif.exe [+] is OK
25/02/2012 13:28:45 C:\WINDOWS\system32\DLA\DLACTRLW.EXE [+] is OK
25/02/2012 13:28:45 C:\WINDOWS\system32\DLA\DLACTRLW.EXE [+] is OK
25/02/2012 13:28:45 C:\WINDOWS\system32\DLA\DLACTRLW.EXE [+] is OK
25/02/2012 13:28:45 C:\WINDOWS\system32\DLA\DLACTRLW.EXE [+] is OK
25/02/2012 13:28:45 C:\Archivos de programa\Creative\SBAudigy\Surround Mixer\CTSysVol.exe [+] is OK
25/02/2012 13:28:45 C:\Archivos de programa\Creative\SBAudigy\Surround Mixer\CTSysVol.exe [+] is OK
25/02/2012 13:28:45 C:\Archivos de programa\Creative\SBAudigy\Surround Mixer\CTSysVol.exe [+] is OK
25/02/2012 13:28:45 C:\Archivos de programa\Creative\SBAudigy\Surround Mixer\CTSysVol.exe [+] is OK
25/02/2012 13:28:45 C:\WINDOWS\Ctregrun.exe [+] is OK
25/02/2012 13:28:45 C:\WINDOWS\Ctregrun.exe [+] is OK
25/02/2012 13:28:45 C:\WINDOWS\Ctregrun.exe [+] is OK
25/02/2012 13:28:45 C:\WINDOWS\Ctregrun.exe [+] is OK
25/02/2012 13:28:45 C:\Documents and Settings\Hernan Perez\Configuración local\Temp\clclean.0001 [+] is OK
25/02/2012 13:28:45 C:\Documents and Settings\Hernan Perez\Configuración local\Temp\clclean.0001 [+] is OK
25/02/2012 13:28:45 C:\Documents and Settings\Hernan Perez\Configuración local\Temp\clclean.0001 [+] is OK
25/02/2012 13:28:45 C:\Documents and Settings\Hernan Perez\Configuración local\Temp\clclean.0001 [+] is OK
25/02/2012 13:28:45 C:\Archivos de programa\Logitech\Logitech WebCam Software\LWS.exe [+] is OK
25/02/2012 13:28:46 C:\Archivos de programa\Logitech\Logitech WebCam Software\LWS.exe [+] is OK
25/02/2012 13:28:46 C:\Archivos de programa\Logitech\Logitech WebCam Software\LWS.exe [+] is OK
25/02/2012 13:28:46 C:\Archivos de programa\Logitech\Logitech WebCam Software\LWS.exe [+] is OK
25/02/2012 13:28:46 C:\WINDOWS\system32\nwiz.exe [+] is OK
25/02/2012 13:28:46 C:\WINDOWS\system32\nwiz.exe [+] is OK
25/02/2012 13:28:46 C:\WINDOWS\system32\nwiz.exe [+] is OK
25/02/2012 13:28:46 C:\WINDOWS\system32\nwiz.exe [+] is OK
25/02/2012 13:28:46 C:\WINDOWS\system32\nvmctray.dll [+] is OK
25/02/2012 13:28:46 C:\WINDOWS\MIDIDEF.EXE [+] is OK
25/02/2012 13:28:46 C:\WINDOWS\MIDIDEF.EXE [+] is OK
25/02/2012 13:28:46 C:\WINDOWS\MIDIDEF.EXE [+] is OK
25/02/2012 13:28:46 C:\WINDOWS\MIDIDEF.EXE [+] is OK
25/02/2012 13:28:46 C:\Archivos de programa\Digital Line Detect\DLG.exe [+] is OK
25/02/2012 13:28:46 C:\Archivos de programa\Digital Line Detect\DLG.exe [+] is OK
25/02/2012 13:28:46 C:\Archivos de programa\Digital Line Detect\DLG.exe [+] is OK
25/02/2012 13:28:46 C:\Archivos de programa\Digital Line Detect\DLG.exe [+] is OK
25/02/2012 13:28:46 C:\Archivos de programa\HP\Digital Imaging\bin\hpqtra08.exe [+] is OK
25/02/2012 13:28:46 C:\Archivos de programa\HP\Digital Imaging\bin\hpqtra08.exe [+] is OK


That was before I excluded all the files mentioned in one of my posts in this thread. Still Temp\clclean.0001 is being scanned again and again.

I haven't had one streaming update ever, so you are right DavidR, and there have not been that many regular VPS updates (just 2 today) to reset the transient cache.

Also attached is my FSS .ini if someone cares to look at it, but my FSS has not been touched.

I just hope that the Avast! Team, who have been very quiet about this problem, is working on a solution.
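Added example, not part of the original thread and not Avast code: a small Python script that reduces a File System Shield report in the format quoted above (with OK files recorded) to a list of files that were scanned more than once, with the total count and the peak number of scans in a single second. The sample lines, paths and function names are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the report format quoted in this thread:
#   DD/MM/YYYY HH:MM:SS <full path> [+] is OK
SAMPLE_LOG = r"""
25/02/2012 13:28:45 C:\Program Files\ExampleApp\tray.exe [+] is OK
25/02/2012 13:28:45 C:\Program Files\ExampleApp\tray.exe [+] is OK
25/02/2012 13:28:45 C:\Program Files\ExampleApp\tray.exe [+] is OK
25/02/2012 13:28:45 C:\Program Files\ExampleApp\tray.exe [+] is OK
25/02/2012 13:28:45 C:\WINDOWS\system32\example.dll [+] is OK
25/02/2012 13:28:46 c:\program files\exampleapp\TRAY.EXE [+] is OK
25/02/2012 13:28:46 C:\Documents and Settings\User\Configuración local\Temp\example.0001 [+] is OK
25/02/2012 13:29:16 C:\Documents and Settings\User\Configuración local\Temp\example.0001 [+] is OK
this line is not a scan record and is ignored
"""

# The path may contain spaces, so anchor on the timestamp and the fixed suffix.
LINE_RE = re.compile(
    r"^(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}) (.+) \[\+\] is OK$"
)


def parse_report(text):
    """Yield (timestamp, path) for each 'is OK' record; skip other lines."""
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if not match:
            continue
        stamp = datetime.strptime(match.group(1), "%d/%m/%Y %H:%M:%S")
        yield stamp, match.group(2)


def rescan_summary(text, min_scans=2):
    """Return files scanned at least min_scans times, busiest first.

    Each row is (path, total_scans, peak_scans_in_one_second, first, last).
    Paths are compared case-insensitively, as Windows does.
    """
    stamps_by_file = defaultdict(list)
    display_name = {}
    for stamp, path in parse_report(text):
        key = path.lower()
        display_name.setdefault(key, path)  # keep the first spelling seen
        stamps_by_file[key].append(stamp)

    rows = []
    for key, stamps in stamps_by_file.items():
        if len(stamps) < min_scans:
            continue
        per_second = defaultdict(int)
        for stamp in stamps:
            per_second[stamp] += 1  # the log has one-second resolution
        rows.append((display_name[key], len(stamps),
                     max(per_second.values()), min(stamps), max(stamps)))
    rows.sort(key=lambda row: (-row[1], row[0].lower()))
    return rows


if __name__ == "__main__":
    for path, total, peak, first, last in rescan_summary(SAMPLE_LOG):
        span = (last - first).total_seconds()
        print(f"{total:5d} scans, peak {peak}/s, over {span:.0f}s  {path}")
```

A file that shows several scans within one second and has not changed between them is the pattern this thread describes; a file that reappears only after a VPS update or a reboot is expected behaviour.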
Title: Re: 7.0.1407 - File System Shield activity & FSS exclusions
Post by: iroc9555 on February 25, 2012, 10:40:15 PM
@ Asyn

I reinstalled Avast! and ran it with WP, CIS, MBAM, and HP disabled and still Avast! did not stop scanning the same files.
Title: Re: 7.0.1407 - File System Shield activity & FSS exclusions
Post by: DavidR on February 25, 2012, 10:41:50 PM
Dave, not sure, if you want to try this...
Disable Outpost, better now..?

Guys I really am done clutching at straws: outpost is unchanged (I haven't updated to the recent 7.5.2 program update) and I don't have the anti-spyware or other modules installed; my system essentially hasn't changed; this never happened during the whole beta testing; the only change has been avast7 release.
Title: Re: 7.0.1407 - File System Shield activity & FSS exclusions
Post by: Charyb on February 25, 2012, 10:48:41 PM
It's futile! I hope they release a new update soon. I would imagine they are working overtime to fix some of these problems. It would be nice to have a fix this weekend. I wonder if the push updates are discontinued for now?
Title: Re: 7.0.1407 - File System Shield activity & FSS exclusions
Post by: DavidR on February 25, 2012, 11:22:02 PM
It would be nice to get an acknowledgement that A) they are aware of it, B) have replicated it, C) are working on a fix or D) tell us what else we can do to help.
Title: Re: 7.0.1407 - File System Shield activity & FSS exclusions
Post by: Charyb on February 25, 2012, 11:38:09 PM
E. All of the above
Title: Re: 7.0.1407 - File System Shield activity & FSS exclusions
Post by: Joseph Collins on February 26, 2012, 09:21:14 AM
Lazy copy-and-paste from my topic:
Greetings.  I have an issue that has been reported already (http://forum.avast.com/index.php?topic=94010.msg748378#msg748378), but largely disregarded as "user error".

Basically, since upgrading to avast! v7, the program locked on to, and repeatedly, redundantly scanned a single file.  This file, "RaUI.EXE", gets scanned twice per second, pointlessly skyrocketing the "File System Shield" counter.  The program itself is the Rosewill Wireless LAN Card user interface program and is perfectly safe.  The program comes standard with a number of Rosewill wireless network cards and USB dongles and runs from startup to shutdown because it constantly monitors the networking hardware. (It's actually an optional program when you get right down to brass tacks, but it has a lot of useful information about one's wireless connection.)

The problem started in avast! v7 and did not happen prior to this.  avast! reports no problem with the file, as it shouldn't, but keeps scanning it as if it's opening and closing over and over again, which it isn't.  The only work-around for this problem is to track down the file and exclude its directory or the file itself (generally "C:\Program Files\Rosewill\Common\*" or "C:\Program Files\Rosewill\Common\RaUI.exe" respectively) from the scan:

[how to add exclusions to the shields]

Thank you for your time.
What I neglected to mention was that I'm also running Windows XP 32-bit with Service Pack 3.  I've also never had a problem with avast! prior to this.  I sincerely hope this topic gets some notice by the appropriate people.  I really like avast! and have since v4, when it found viruses on my old machine that AVG did not.
Title: Re: 7.0.1407 - File System Shield activity & FSS exclusions
Post by: igor on February 27, 2012, 01:12:38 AM
How about now, any improvement?
Title: Re: 7.0.1407 - File System Shield activity & FSS exclusions
Post by: DavidR on February 27, 2012, 01:29:02 AM
I honestly don't know, was something done with the engines, FSS sensitivity/exclusions or Transient cache ?

The reason I say I don't know is that I have had to enter over 30 FSS exclusions just to keep it to within reasonable parameters. I even had to give these RWX as RW wasn't enough for the repetitive scans to stop and the files most certainly weren't executed.

But there are currently only 1360 scanned for this session,  about 12 hours on and about 3-4 hours intermittent use mainly on the forum.

EDIT: I have unchecked the X in the exclusions to see if that cranks up the volume again and stopped and restarted FSS.
Title: Re: 7.0.1407 - File System Shield activity & FSS exclusions
Post by: MikeBCda on February 27, 2012, 01:56:11 AM
Only tangentially related ... I did my first full system scan today since the update, and that took about 3x as long as usual.  Looks like the persistent cache was deleted, or at least cleared, and needed re-populated from scratch.
Title: Re: 7.0.1407 - File System Shield activity & FSS exclusions
Post by: DavidR on February 27, 2012, 01:59:35 AM
Sorry but that is unrelated as there is no way you can compare on-demand scans with on-access ones.

Yes, if you did a clean install the Persistent cache would be gone and possibly reset on a program update, so it will take a few scans before it returns to similar durations.
Title: Re: 7.0.1407 - File System Shield activity & FSS exclusions
Post by: mchain on February 27, 2012, 05:33:28 AM
I honestly don't know, was something done with the engines, FSS sensitivity/exclusions or Transient cache ?

The reason I say I don't know is that I have had to enter over 30 FSS exclusions just to keep it to within reasonable parameters. I even had to give these RWX as RW wasn't enough for the repetitive scans to stop and the files most certainly weren't executed.

But there are currently only 1360 scanned for this session,  about 12 hours on and about 3-4 hours intermittent use mainly on the forum.

EDIT: I have unchecked the X in the exclusions to see if that cranks up the volume again and stopped and restarted FSS.

@DavidR,

How are you getting on now?

Been fortunate in that none of the above problems have occurred on my system.  And this was with a simple upgrade, not a clean uninstall/install.

See attached.

Maybe if I were to publish the .ini file, you might see something there?

Let me know.
Title: Re: 7.0.1407 - File System Shield activity & FSS exclusions
Post by: Tetsuo on February 27, 2012, 12:56:49 PM
@mchain, the problem until now seems only related to some XP PRO SP3 systems. I assume you are running XP Home Edition SP3.

At least, I don't remember users reporting this issue for Vista/W7...
Title: Re: 7.0.1407 - File System Shield activity & FSS exclusions
Post by: DavidR on February 27, 2012, 02:44:58 PM
@ mchain
I don't believe that the .ini file would reveal much, as the previous ones attached showed little difference between them. Looking at your figures, they look reasonably balanced when compared with the web shield and network shield.

The problem as outlined, I believe, is/was more related to a problem in the transient cache and not so much the filesystemshield.ini setting, unless of course the user set it to scan all files.

@ Tetsuo
Yes as has been mentioned it is mostly seen in XP Systems.

UPDATE: For Igor and others with the problem
As I mentioned in Reply #62 above in response to Igor's comment "How about now, any improvement?" I have modified my exclusions to see if that reproduces the problem.

Yesterday there were 5 VPS/engine updates, so it may be that one or more of these were engine updates and changed the way that the transient cache and FSS work together, I don't know. However, the current status is that the repetitive scanning appears to have stopped, i.e. the transient cache function appears to be working now.

####
So for those with the problem, I suggest you reset the last scanned count, so as to see how it is working now and monitor over an hour or two. To reset the counts, Stop the FSS (self-defence module will seek confirmation) and immediately Start it again, the counts will be at 0/0.

@@@@
One thing that I have noticed (whilst I had the Report File set to record OK files), if I use the XP Quick Launch toolbar and open just one application, avast's FSS scans All quick start links (.lnk)

Code:
27/02/2012 11:09:42 C:\Documents and Settings\UserName\Recent\FileSystemShield.txt.lnk [+] is OK
27/02/2012 11:09:42 C:\Documents and Settings\UserName\Recent\report.lnk [+] is OK
27/02/2012 11:09:50 C:\Documents and Settings\UserName\Application Data\Microsoft\Internet Explorer\Quick Launch\OEQuoteFix (Non Admin).lnk [+] is OK
27/02/2012 11:09:50 C:\Documents and Settings\UserName\Application Data\Microsoft\Internet Explorer\Quick Launch\SUPERAntiSpyware Professional.lnk [+] is OK
27/02/2012 11:09:50 C:\Documents and Settings\UserName\Application Data\Microsoft\Internet Explorer\Quick Launch\NTREGOPT.lnk [+] is OK
27/02/2012 11:09:50 C:\Documents and Settings\UserName\Application Data\Microsoft\Internet Explorer\Quick Launch\ERUNT.lnk [+] is OK
27/02/2012 11:09:50 C:\Documents and Settings\UserName\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk [+] is OK
27/02/2012 11:09:50 C:\Documents and Settings\UserName\Application Data\Microsoft\Internet Explorer\Quick Launch\Mozilla Firefox.lnk [+] is OK
27/02/2012 11:09:50 C:\Documents and Settings\UserName\Application Data\Microsoft\Internet Explorer\Quick Launch\SpeedyFox.lnk [+] is OK
27/02/2012 11:09:50 C:\Documents and Settings\UserName\Application Data\Microsoft\Internet Explorer\Quick Launch\Internet Explorer (Non Admin).lnk [+] is OK
27/02/2012 11:09:50 C:\Documents and Settings\UserName\Application Data\Microsoft\Internet Explorer\Quick Launch\ImgBurn.lnk [+] is OK
27/02/2012 11:09:50 C:\Documents and Settings\UserName\Application Data\Microsoft\Internet Explorer\Quick Launch\Bullzip PDF Printer.lnk [+] is OK
27/02/2012 11:09:50 C:\Documents and Settings\UserName\Application Data\Microsoft\Internet Explorer\Quick Launch\Mozilla Thunderbird.lnk [+] is OK
27/02/2012 11:09:50 C:\Documents and Settings\UserName\Application Data\Microsoft\Internet Explorer\Quick Launch\Windows Media Player.lnk [+] is OK
27/02/2012 11:09:50 C:\Documents and Settings\UserName\Application Data\Microsoft\Internet Explorer\Quick Launch\ThreatExpert Memory Scanner.lnk [+] is OK
27/02/2012 11:09:50 C:\Documents and Settings\UserName\Application Data\Microsoft\Internet Explorer\Quick Launch\Event Viewer.lnk [+] is OK
27/02/2012 11:09:50 C:\Documents and Settings\UserName\Application Data\Microsoft\Internet Explorer\Quick Launch\BT Broadband Desktop Help.lnk [+] is OK
27/02/2012 11:09:50 C:\Documents and Settings\UserName\Application Data\Microsoft\Internet Explorer\Quick Launch\BT Broadband Life.LNK [+] is OK
27/02/2012 11:09:50 C:\Documents and Settings\UserName\Application Data\Microsoft\Internet Explorer\Quick Launch\BT Yahoo! Online.LNK [+] is OK
27/02/2012 11:09:50 C:\Documents and Settings\UserName\Application Data\Microsoft\Internet Explorer\Quick Launch\BT Hub Manager.LNK [+] is OK
27/02/2012 11:09:50 C:\Documents and Settings\UserName\Application Data\Microsoft\Internet Explorer\Quick Launch\avast! SecureConnect.lnk [+] is OK
27/02/2012 11:09:50 C:\Documents and Settings\UserName\Application Data\Microsoft\Internet Explorer\Quick Launch\Quicken Deluxe 98.lnk [+] is OK
27/02/2012 11:09:50 C:\Documents and Settings\UserName\Application Data\Microsoft\Internet Explorer\Quick Launch\vscan_start.bat.lnk [+] is OK
27/02/2012 11:09:50 C:\Documents and Settings\UserName\Application Data\Microsoft\Internet Explorer\Quick Launch\Normal.dot.lnk [+] is OK
27/02/2012 11:09:50 C:\Documents and Settings\UserName\Application Data\Microsoft\Internet Explorer\Quick Launch\backup8gb.bat.lnk [+] is OK
27/02/2012 11:09:50 C:\Documents and Settings\UserName\Application Data\Microsoft\Internet Explorer\Quick Launch\databackup.bat.lnk [+] is OK
27/02/2012 11:09:50 C:\Documents and Settings\UserName\Application Data\Microsoft\Internet Explorer\Quick Launch\backup.bat.lnk [+] is OK
27/02/2012 11:09:50 C:\Documents and Settings\UserName\Application Data\Microsoft\Internet Explorer\Quick Launch\Microsoft Excel.lnk [+] is OK
27/02/2012 11:09:50 C:\Documents and Settings\UserName\Application Data\Microsoft\Internet Explorer\Quick Launch\MailWasher (Non Admin).lnk [+] is OK
27/02/2012 11:09:50 C:\Documents and Settings\UserName\Application Data\Microsoft\Internet Explorer\Quick Launch\Firefox (Non Admin).lnk [+] is OK
27/02/2012 11:09:50 C:\Documents and Settings\UserName\Application Data\Microsoft\Internet Explorer\Quick Launch\Desktop iCalendar Lite.lnk [+] is OK
27/02/2012 11:09:50 C:\Documents and Settings\UserName\Application Data\Microsoft\Internet Explorer\Quick Launch\z Avast5_ForumVirusGen.txt.lnk [+] is OK
27/02/2012 11:09:50 C:\Documents and Settings\UserName\Application Data\Microsoft\Internet Explorer\Quick Launch\Explorer E Data.lnk [+] is OK
27/02/2012 11:09:50 C:\Documents and Settings\UserName\Application Data\Microsoft\Internet Explorer\Quick Launch\Thunderbird (non-admin).lnk [+] is OK


So it would appear that some things have changed in yesterday's updates as currently the FSS files scanned count is 124/0.
Title: Re: 7.0.1407 - File System Shield activity & FSS exclusions
Post by: iroc9555 on February 27, 2012, 03:22:21 PM
Igor and DavidR.

I must admit that I went back to A 6, but after reading Igor's post this morning I proceeded to install A7 again. First I tried thru the internal updater but it failed. It just stopped at step 1 "Saving Package". I had to do a clean install of V 7. Wow, no more analyzing the same file. I also rebooted a couple of times to make sure. All settings as default. I have not changed anything. By my third reboot I noticed that a new version is available, 7.0.1409. I tried to update thru Avast again but I got a Server error unreachable. Also I tried to add English to my Spanish installment but can't download package  :(

DavidR, I stopped FSS and started it again, 0/0 right now. I'll keep an eye or two to see what happens.

What's with the servers? Not able to reach them. Are they down?

Title: Re: 7.0.1407 - File System Shield activity & FSS exclusions
Post by: DavidR on February 27, 2012, 03:27:06 PM
For me I was a little more stubborn and wanting to try and track down the problem as several people were experiencing it.

Which servers, there are hundreds ?
Title: Re: 7.0.1407 - File System Shield activity & FSS exclusions
Post by: iroc9555 on February 27, 2012, 03:50:28 PM

Which servers, there are hundreds ?

Did not say, or I did not pay attention. I'll see again if it happens.

My count for FSS 230/0.

For me I was a little more stubborn and wanting to try and track down the problem as several people were experiencing it.


It would be nice if Igor would report back with an explanation about it.

Thanks DavidR
Title: Re: 7.0.1407 - File System Shield activity & FSS exclusions
Post by: DavidR on February 27, 2012, 03:53:39 PM
You're welcome.

I now assume that this is from the avastUI and you were trying a manual program update ?
If so it may be a while whilst they are repopulated with the 7.0.1409 version, I just tried a manual update and it started but didn't progress, so I cancelled it.
Title: Re: 7.0.1407 - File System Shield activity & FSS exclusions
Post by: iroc9555 on February 27, 2012, 04:04:26 PM
Yes me too. I am going to wait a little. BTW I still do not have any stream update. I mean, looking at your screenshot, I still do not have any of those folders.
Title: Re: 7.0.1407 - File System Shield activity & FSS exclusions
Post by: DJBone on February 27, 2012, 04:21:58 PM
For me, the problem is gone on my WinXP Home SP3 Laptop :)

DJBone
Title: Re: 7.0.1407 - File System Shield activity & FSS exclusions
Post by: Tetsuo on February 27, 2012, 07:03:38 PM
By my third reboot I noticed that a new version is available 7.0.1409. I tried to update thru Avast again but I got a Server error unreachable. Also I tried to add English to my Spanish installment but can't download package  :(

You may be interested in this thread: http://forum.avast.com/index.php?topic=94454.0

Unfortunately there's also a brand new problem caused by a bogus definition file (see VLK's posts).

Title: Re: 7.0.1407 - File System Shield activity & FSS exclusions
Post by: iroc9555 on February 28, 2012, 12:47:33 AM
@ Tetsuo

Yes, I could not reach the servers because Avast! was fixing that corrupted vps for the 26th. Still I have not had a straight answer why I had v. 7.0.1409 in my Avast! UI. BTW when servers were enabled, I tried to update the program and the correct v. now shows in my Avast! UI.

@ DavidR and all XP Pro users with the FSS hyperactivity problem.

All day working with Word, Excel, notepad, and web. My FSS count is 1127 files.  ;D Thanks Avast!, and still waiting for some technical explanation for us inquisitive minds  8). Was it the transient memory as DavidR suspected or something else ? Why only XP Pro ?

Thanks again.
Title: Re: 7.0.1407 - File System Shield activity & FSS exclusions
Post by: Vlk on February 28, 2012, 02:25:00 AM
Yes it was a problem related to the transient cache feature.
Title: Re: 7.0.1407 - File System Shield activity & FSS exclusions
Post by: iroc9555 on February 28, 2012, 02:40:22 AM
Thanks Vlk

You're still up. Hard work this version, isn't it?
Title: Re: 7.0.1407 - File System Shield activity & FSS exclusions
Post by: reesd on February 29, 2012, 01:57:55 AM
I just found out that 7 scanned the same, unchanged executable 5000 times in 2 days. No wonder things seem sluggish...
http://forum.avast.com/index.php?topic=94621

d
Title: Re: 7.0.1407 - File System Shield activity & FSS exclusions
Post by: DavidR on February 29, 2012, 02:55:34 AM
I have replied in your other topic, this for me has certainly been resolved.
Title: Re: 7.0.1407 - File System Shield activity & FSS exclusions
Post by: reesd on February 29, 2012, 03:10:06 PM
Thanks DavidR. I dug through this thread before posting and didn't see it had been resolved. I think I must have missed it in the thread because it was done through a VPS update and I was looking for an EXE update.

I'm now at 928 in 12 hours with a reboot, so I think that is much better. I haven't turned off any of my new exclusions yet.
Title: Re: 7.0.1407 - File System Shield activity & FSS exclusions
Post by: DavidR on February 29, 2012, 03:16:11 PM
No problem.

I found when I unchecked the X (execute) box the files were scanned but only once, as they should, the transient cache now seems to be doing its job.
Title: Re: 7.0.1407 - File System Shield activity & FSS exclusions
Post by: reesd on February 29, 2012, 03:24:20 PM
No problem.

I found when I unchecked the X (execute) box the files were scanned but only once, as they should, the transient cache now seems to be doing its job.
Very interesting that definition files tweak that. A little worrying also since they change so often...

You know what I would really like, is a little more info in the log. At the very least if it was a R, W, or X so I know what I need to exclude.
And an option to list exclude/transient/persistent ignores also would be good, so we can see everything avast wanted to look at, but skipped for one of those three reasons.

The two combined would really help us trim/tweak exclusions and also give better feedback in threads like these.

d
Title: Re: 7.0.1407 - File System Shield activity & FSS exclusions
Post by: DavidR on February 29, 2012, 03:54:38 PM
The report file settings can be modified in the expert settings of the file shield. Beware of what you ask for as the log file would become massive and not particularly user friendly.

Simply adding OK files to the list of data included in the report file, will create a line entry for every file scanned and that could be a huge amount of data, even in a day.
Title: Re: 7.0.1407 - File System Shield activity & FSS exclusions
Post by: reesd on February 29, 2012, 03:59:51 PM
You know what I would really like, is a little more info in the log. At the very least if it was a R, W, or X so I know what I need to exclude.
And an option to list exclude/transient/persistent ignores also would be good, so we can see everything avast wanted to look at, but skipped for one of those three reasons.

The two combined would really help us trim/tweak exclusions and also give better feedback in threads like these.
The report file settings can be modified in the expert settings of the file shield. Beware of what you ask for as the log file would become massive and not particularly user friendly.

Simply adding OK files to the list of data included in the report file, will create a line entry for every file scanned and that could be a huge amount of data, even in a day.

I am VERY familiar with those settings. I actually have it on OK all the time, that is how I catch too-many-scan situations like this. It doesn't really grow that large when it's working well.

However, it doesn't provide any of the options I listed. It only provides OK for non-skipped files (non-excluded/transient/persistent) and doesn't indicate if they were scanned for R, W, or X.

d
Title: Re: 7.0.1407 - File System Shield activity & FSS exclusions
Post by: DavidR on February 29, 2012, 04:33:57 PM
For the most part files won't be scanned when read, only when written (either created or modified) or eXecuted, so the file type is likely to give a clue as to why the file might have been scanned.

One other problem is that some applications that actually access files do so at an elevated level, e.g. when they access the file they do so with write privileges rather than read and that in itself forces avast to scan. So I don't see how the type of access to the file that triggered the scan helps that much unless you can also identify the application accessing the file.

That was the thing that would have been very helpful when this first happened, it was suggested to use ProcMon to see what was touching these files (triggering the scan), but no one said what we should be looking for as the amount of data returned was a snow storm when looking for a snow flake.

But all in all the only thing that needed to be known was that the files were repetitively scanned, which they shouldn't have been if the Transient scan was working as it should, and not what type of access triggered the scan.

Personally I'm reluctant to see the logs get even more verbose as for your average user this isn't a benefit. Whilst having the options there wouldn't hurt, just that I'm not sure they would have helped in this particular case.
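Added example, not part of the original thread: one way to cut a ProcMon capture down to the question raised above, namely which process opens a repeatedly scanned file and whether it asks for write access. It assumes the capture was saved as CSV with Process Monitor's default column names, that the scanner's own service process is called AvastSvc.exe, and that the write-access check is a simple heuristic; all rows, paths and other process names are constructed.

```python
import csv
import io
import re
from collections import Counter

# Constructed sample. Column names are assumed to match Process Monitor's
# default CSV export; ExampleMonitor.exe and the paths are made up.
SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"11:09:42.10","explorer.exe","1200","CreateFile","C:\Program Files\ExampleApp\tray.exe","SUCCESS","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point"
"11:09:42.11","explorer.exe","1200","QueryBasicInformationFile","C:\Program Files\ExampleApp\tray.exe","SUCCESS","Attributes: A"
"11:09:42.12","explorer.exe","1200","CloseFile","C:\Program Files\ExampleApp\tray.exe","SUCCESS",""
"11:09:42.20","ExampleMonitor.exe","2304","CreateFile","C:\Program Files\ExampleApp\tray.exe","SUCCESS","Desired Access: Generic Read/Write, Disposition: Open"
"11:09:42.21","AvastSvc.exe","580","CreateFile","C:\Program Files\ExampleApp\tray.exe","SUCCESS","Desired Access: Generic Read, Disposition: Open"
"11:09:42.70","ExampleMonitor.exe","2304","CreateFile","c:\program files\exampleapp\TRAY.EXE","SUCCESS","Desired Access: Generic Read/Write, Disposition: Open"
"11:09:42.71","AvastSvc.exe","580","CreateFile","C:\Program Files\ExampleApp\tray.exe","SUCCESS","Desired Access: Generic Read, Disposition: Open"
"11:09:43.20","ExampleMonitor.exe","2304","CreateFile","C:\Program Files\ExampleApp\tray.exe","SUCCESS","Desired Access: Generic Read/Write, Disposition: Open"
"11:09:43.30","ExampleMonitor.exe","2304","CreateFile","C:\WINDOWS\system32\example.dll","SUCCESS","Desired Access: Generic Read, Disposition: Open"
'''

# The access list can itself contain commas, so capture up to ", Disposition:".
ACCESS_RE = re.compile(r"Desired Access: (.*?), Disposition:")

# Metadata-only rights that do not modify file contents (heuristic).
METADATA_ONLY = {"Write Attributes", "Write EA"}


def wants_write(access):
    """Heuristic: True if the requested access could modify file contents."""
    for right in (part.strip() for part in access.split(",")):
        if right in METADATA_ONLY:
            continue
        if "Write" in right or "Append" in right:
            return True
        if right in ("All Access", "Generic All"):
            return True
    return False


def who_touches(csv_text, target_path, scanner_processes=("AvastSvc.exe",)):
    """Summarise which processes touch target_path, most frequent first.

    Rows from the scanner itself are dropped: its opens are the result of
    the activity being investigated, not the cause.
    Each result row is (process, operation, access, write_requested, count).
    """
    target = target_path.lower()
    skip = {name.lower() for name in scanner_processes}
    counts = Counter()
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Path"].lower() != target:
            continue
        process = row["Process Name"]
        if process.lower() in skip:
            continue
        match = ACCESS_RE.search(row["Detail"])
        access = match.group(1) if match else ""
        counts[(process, row["Operation"], access, wants_write(access))] += 1
    rows = [key + (count,) for key, count in counts.items()]
    rows.sort(key=lambda r: (-r[4], r[0].lower(), r[1]))
    return rows


if __name__ == "__main__":
    target = r"C:\Program Files\ExampleApp\tray.exe"
    for process, operation, access, write, count in who_touches(SAMPLE_CSV, target):
        flag = "WRITE" if write else "     "
        print(f"{count:4d}  {flag}  {process:20s} {operation:28s} {access}")
```

In the constructed capture the top row is a process that reopens the file with read/write access several times a second, which is the kind of access described above as forcing a scan.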
Title: Re: 7.0.1407 - File System Shield activity & FSS exclusions
Post by: supatorutoru on March 18, 2012, 07:37:57 PM
Thanks DavidR. I dug through this thread before posting and didn't see it had been resolved. I think I must have missed it in the thread because it was done through a VPS update and I was looking for an EXE update.
I only check the first page and this one. My program version is 7.0.1426 and I still experience dramatically low performances when the shield is on.

I'm now at 928 in 12 hours with a reboot, so I think that is much better. I haven't turned off any of my new exclusions yet.
I don't even see the point of counting considering the insane scans it keeps doing. I can't even use a LAMP powered application and a P2P client. For the last maybe I should have installed the dedicated shield. Still excluding files, PHP scripts for instance, and disabling scanning for open/write operations didn't change anything. It's like all these features were ignored.
Title: Re: 7.0.1407 - File System Shield activity & FSS exclusions
Post by: reesd on March 20, 2012, 04:49:32 PM
The only shield I have enabled is file, that might help your P2P case.