Author Topic: What files are scanned on opening / What files do you scan at opening  (Read 3043 times)

0 Members and 1 Guest are viewing this topic.

Offline Lars-Erik

  • Avast Evangelist
  • Sr. Member
  • ***
  • Posts: 394
    • Lars-Erik Østerud
With the status on (the bar showing what files are scanned) in notice that only .exe files are scanned at startup time (not libraries like .dll files). I guess normally viruses in .dll files would be detected when the files is infected (modiflied) BUT what happends if I put in a CD with some .dll files that has been infected and then starts the .exe files (not infected) that load these .dll files. Will the virues then be activated?

I tried to add DLL to the "scan on open" list, but then the system got into loops and locked up (scanned over and over).

From my time with McAfee I remember that they scanned all the possible types at open as well as on write/modify (ok, there was an option for choosing). Whilst avast! only used the build-in list for write/modify, and as default only scanes .exe and .com files on open. Have I gotten it right?

Is there any special types that should be scanned at "open" (do you other people out there have any experience to share)?  Or is it safe enough scanning only .exe/.com (as default) and only scan other file types at write/modify?
www.osterud.name - ICQ: 7297605 - AIM/Yahoo/Facebook/Skype/Astra: LarsErikOsterud

Offline igor

  • Avast team
  • Serious Graphoman
  • *
  • Posts: 11816
    • AVAST Software
Re:What files are scanned on opening / What files do you scan at opening
« Reply #1 on: December 13, 2003, 01:28:44 PM »
The system locks when you add DLL into the list of files to be scanned on open? That definitelly shouldn't...

Could you please post some more info?
1. What OS do you have?
2. What exactly were you running?
3. What are the other settings of the Standard Shield provider?
4. Specifically - do you have the "Display detailed info on performed action" turned on?
5. What does it mean "get into loops"?

Offline Lars-Erik

  • Avast Evangelist
  • Sr. Member
  • ***
  • Posts: 394
    • Lars-Erik Østerud
Re:What files are scanned on opening / What files do you scan at opening
« Reply #2 on: December 13, 2003, 04:00:19 PM »
Win98se. Lots of programs running, but the one originally hanging it seem to be Trillian. The "display info" thing is turned on (to see what files are scanned) and when strating Trillian it keeps showing all the Trillian .DLL files constant (they don't disappear after a short while as usually) and everything "halts" (I guess because theres no free CPU%).

Also, when I have .DLL in the "scan on open " list, I can't get the system to shut down (it's waiting for some process), and when I kill that process (no name) shut down is aborted too.

UPDATE:  It hangs when starting "MailWasher.exe" as well.
And even after I kill the process that makes it hang, I have a busy mouse pointer and a hanging process that is not in the process list, and it's impossible to start any other program (nor shut down).

Most programs work OK when set to scan DLL at opening. Haven't testet all programs, but Trillian and MailWasher causes hang anyway...

LAST UPDATE:  When I turn off "Show detailed info on performed action" THEN scanning DLL at open work without hang. But why does it hang on several program with this options enabled ?
« Last Edit: December 13, 2003, 04:24:57 PM by Lars-Erik »
www.osterud.name - ICQ: 7297605 - AIM/Yahoo/Facebook/Skype/Astra: LarsErikOsterud

Offline igor

  • Avast team
  • Serious Graphoman
  • *
  • Posts: 11816
    • AVAST Software
Re:What files are scanned on opening / What files do you scan at opening
« Reply #3 on: December 14, 2003, 07:17:17 PM »
Well, the whole problem of displaying the info on the performed action is not as easy as it may seem.
The files may be accessed at a "very bad moment" - not from a user application, but deep from the operating system itself (since it may be the OS who is loading the implicitly imported libraries). At that moment, the "resources" needed to do some GUI-related operations may be locked by the OS. So, when avast! tries do display the info, it fails and locks up because the API functions it's calling simply don't work (in fact, it's not even the displaying, but just queueing the display requests; btw, it's not really locked - there should be a 3 minutes timeout - but I guess it won't help you much).
avast! is trying to use as few OS functions as possible to avoid the possible lockups - but especially on an operating system like Win9x (with a lot of non-reentrant 16bit code) it's not enough.

I remember Vlk had some ideas on improving this feature... maybe this will push him to implement them  ;D