Author Topic: Boot scan  (Read 17584 times)

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67247
Re:Boot scan
« Reply #15 on: December 02, 2003, 03:51:48 PM »
ashCmd (the command-line scanner) is really not available in the Home version, it's limited to Professional version only.

As for the other "secret" areas... you may try *STARTUP-SHORT to scan the startup items for the current user (i.e. the modules loaded in memory are not included, unlike *STRT-MEM-SHORT) or *STARTUP that will scan the startup items for all the users (sometimes, it may take a while to load the registry hives for the other users).

How, some un-documented features or secrets are being revealed...  8)
Thanks Igor.

Sorry gtaillandier, I did not realize that you are not using the Professional version...  :'(
The best things in life are free.

Offline stevejrc

  • Full Member
  • ***
  • Posts: 187
Re:Boot scan
« Reply #16 on: December 02, 2003, 04:22:16 PM »
I added ashavast.exe to startup programs, it loads the (pre-simple interface) splash screen up and scans memory and startup programs once they're all started after booting.

I noticed that the screen saver can scan memory block, whilst ashavast.exe only scans programs in memory and startups. The screen saver scan picks up win32:sqlslammer worm in memory block but the ashavast.exe scan doesn't. So I assume memory block is different to programs in memory.
Steve

Offline Vlk

  • Avast CEO
  • Serious Graphoman
  • *
  • Posts: 11664
  • Please don't send me IM's. Email only. Thx.
    • ALWIL Software
Re:Boot scan
« Reply #17 on: December 02, 2003, 05:14:21 PM »
In avast home, to scan entire memory, including the blocks, you can run

ashQuick.exe "*MEMORY"

That will be equivalent to the scan that the Screen-Saver is doing.


Vlk
If at first you don't succeed, then skydiving's not for you.

Offline stevejrc

  • Full Member
  • ***
  • Posts: 187
Re:Boot scan
« Reply #18 on: December 02, 2003, 07:37:31 PM »
thanks,

So is the following correct, to sum things up: (parameters)

"*STRT-MEM-SHORT"   memory & user startup
"*MEMORY"           memory blocks and memory
"*STARTUP-SHORT"    user startup
"*STARTUP"          all users startup

Can more than one session be used at startup, i.e. "*MEMORY" then "*STARTUP"?

I assume user/all user startup scans means all applications, as it appears to scan programs that aren't actually started during startup process.

Cheers

I just tried giving ashquick.exe 2 parameters and it appears to work in one session "*MEMORY" "*STARTUP"       COOL   ;D
« Last Edit: December 02, 2003, 08:02:31 PM by stevejrc »
Steve

Offline gtaillandier

  • Full Member
  • ***
  • Posts: 167
  • I'm a llama!
Re:Boot scan
« Reply #19 on: December 02, 2003, 08:20:08 PM »
When I select "Schedule boot-time scan", the program starts correctly.

I haven't found the entry in the Windows XP registry; can you give me the full key name?

Is it possible to add a parameter such as "*STRT-MEM-SHORT"?

Offline igor

  • Avast team
  • Serious Graphoman
  • *
  • Posts: 11808
    • AVAST Software
Re:Boot scan
« Reply #20 on: December 02, 2003, 08:35:06 PM »
stevejrc: Yes, I believe you can give ashquick more arguments (separated by commas?).

The STARTUP arguments are scanning all sorts of "auto-start" entries. You are right that some of the files may not be automatically started in fact, but it's better to scan more than less. I think these "auto-start" entries also include the "App Paths" key (kind of Windows equivalent of the old DOS PATH environment variable) - that's probably where the non-automatically started apps mostly are. However, I'd rather keep it this way - it's really mostly "autostart" items, or the items that are rather close to "autostart" :)

gtaillandier: I think the boot-time scanner does not support these "special" areas (unlike ashquick) - as Technical already explained, IIRC.

Offline stevejrc

  • Full Member
  • ***
  • Posts: 187
Re:Boot scan
« Reply #21 on: December 03, 2003, 01:42:59 AM »
thanks,

My startup shortcut reads as follows without commas and works fine. I checked the items scanned and it was correct.

"<avast folder>\ashQuick.exe" "*MEMORY" "*STARTUP"

This is cool, I also setup 3 desktop icons one same as above, one with "*MEMORY" and another "*STARTUP".

I believe most AVs don't offer memory block scanning, only programs in memory. AVAST does!!! which is cool, that's where the sqlslammer worm was found. And AVAST is just as quick as Panda was at scanning even on thorough scan and Panda never found sqlslammer (no block scan).

I recommend using the above in startup folder. ;D maybe a possible option in future versions?
Steve

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67247
Re:Boot scan
« Reply #22 on: December 03, 2003, 02:00:28 AM »
> My startup shortcut reads as follows without commas and works fine. I checked the items scanned and it was correct.
> "<avast folder>\ashQuick.exe" "*MEMORY" "*STARTUP"
> This is cool, I also setup 3 desktop icons one same as above, one with "*MEMORY" and another "*STARTUP".
> I believe most AVs don't offer memory block scanning, only programs in memory. AVAST does!!! which is cool, that's where the sqlslammer worm was found. And AVAST is just as quick as Panda was at scanning even on thorough scan and Panda never found sqlslammer (no block scan).

Welcome to avast!  ;)

> I recommend using the above in startup folder. ;D maybe a possible option in future versions?

Please, why don't you post this suggestion at the WISHLIST?  ;)

Offline igor

  • Avast team
  • Serious Graphoman
  • *
  • Posts: 11808
    • AVAST Software
Re:Boot scan
« Reply #23 on: December 08, 2003, 10:03:31 AM »
One important thing I should say:

Replacing *STRT-MEM-SHORT by *MEMORY and *STARTUP-SHORT may not be the best idea. The reason is the following: the *MEMORY parameter causes avast! to scan the operating memory of the computer (i.e. the true virtual memory). The *STRT-MEM-SHORT scans (besides the startup items) the modules loaded in memory (i.e. the corresponding files, not the real memory).
While the *MEMORY parameter may catch unknown (packed) variants of viruses that may not be detected on disk (they can be found since the packed file is already unpacked to memory), it may also fail to detect the viruses for which only a packed variant exists (and the VPS does not contain a signature for the unpacked code). Generally, avast! virus database is optimized (and checked) for the file detection - the "memory scan" is rather a special additional feature.

So, if you want a real thorough check of the memory/startup, I'd rather recommend using both the parameters *STRT-MEM-SHORT and *MEMORY together (or, *MEMORY, *MEMORY-SHORT and STARTUP for all the user accounts).
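The trade-off described in the reply above, as an added example that is not part of the original thread and is not avast! code: a toy signature scanner run over the on-disk (packed) form and the in-memory (unpacked) form of two constructed samples. The XOR "packer", the sample and signature names, and all function names are hypothetical.

```python
# Toy model of file scanning vs. memory scanning against packed samples.
# Everything here is constructed for illustration; it is not avast! code.

XOR_KEY = 0x5A            # hypothetical single-byte "packer" key
STUB = b"STUB"            # stands in for the unpacking stub of a packed file


def pack(code: bytes) -> bytes:
    """On-disk form: stub followed by the encoded body."""
    return STUB + bytes(b ^ XOR_KEY for b in code)


def unpack(packed: bytes) -> bytes:
    """In-memory form after the stub has decoded the body."""
    return bytes(b ^ XOR_KEY for b in packed[len(STUB):])


# Two harmless, constructed "samples" (plain text, not real malware).
CODE_A = b"alpha-sample unpacked code body (constructed)"
CODE_B = b"bravo-sample unpacked code body (constructed)"
FILE_A, FILE_B = pack(CODE_A), pack(CODE_B)

SIGNATURES = {
    # Signature written against the unpacked code; FILE_A is a new packing
    # of it that the database has never seen on disk.
    "Sample-A": b"alpha-sample unpacked code",
    # Signature written against the packed file only; the database has no
    # pattern for the unpacked code.
    "Sample-B": FILE_B[len(STUB):len(STUB) + 20],
}


def scan(data: bytes) -> list[str]:
    """Return the names of all signatures found in data."""
    return sorted(name for name, sig in SIGNATURES.items() if sig in data)


def compare(packed_file: bytes) -> dict[str, list[str]]:
    """Scan a sample as a file on disk and as its image in memory."""
    file_hits = scan(packed_file)             # module files, as *STRT-MEM-SHORT does
    memory_hits = scan(unpack(packed_file))   # real memory, as *MEMORY does
    return {"file": file_hits, "memory": memory_hits,
            "both": sorted(set(file_hits) | set(memory_hits))}


if __name__ == "__main__":
    for name, sample in (("A", FILE_A), ("B", FILE_B)):
        print(name, compare(sample))
```

Sample A is found only by the memory pass and sample B only by the file pass, which is why the reply recommends running both areas together.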

Offline Vlk

  • Avast CEO
  • Serious Graphoman
  • *
  • Posts: 11664
  • Please don't send me IM's. Email only. Thx.
    • ALWIL Software
Re:Boot scan
« Reply #24 on: December 08, 2003, 03:18:44 PM »
Just to make it clear - the areas for ashQuick.exe should be separated by semicolons. Like

ashQuick.exe "*MEMORY";"*STARTUP-SHORT"


Hope this helps,
Vlk