Avast 4.8 skips "System Volume Information"

[Malkor]

As I have tried to explain - the numbers in the interface are not reliable.

Can you post the screenshots of the log showing the same files being scanned please?

I am going to assume you're saying Avast! is not reliable.

I will post a screen shot whenever I get my other test rig fully operational.  It's still working on updates.

[alanrf]

By the way the thorough scan with archives is precisely the same scan that is performed when you right click on a file in the explorer folder view and select that you want the file scanned by avast. 

Just for your own interest you may wish to perform that scan on one of the files in question to see what numbers are reported to you.

[Malkor]

Avast! Thorough scan using the SUI.
65115/1615 (Roughly 14200 files are done in the preliminary check and are scanned twice).
24:25
0 infected files
7.2GB of data.

Avast! Quick Scan on drive C: using right click and pressing "Scan C:\" from My Computer.  It does scan "System Volume Information."
~59000 files

Avast! Boot time scan on drive C: by scheduling it from the SUI.
59049 files
1855 folders

These are the results from a few days ago, just in case that helps you or not.

[alanrf]

When you scan archives avast is reporting back to you all the files it scanned within the file. 

It is reliably reporting to you that it scanned a lot more in an archive file than 1 file.  When you are unaware of that it is easy to be confused by the numbers you see in the user interface. 

You are not the first to say this in the forum - it comes up over and again and always causes an interesting discussion.  Indeed, a long time ago, I was the one in your position pointing out that the numbers on an archive scan did not make sense.

[alanrf]

I do not believe there is a "preliminary" check.  However, if am wrong I am sure I will be corrected by someone in the team.

[Malkor]

For some reason, according to Filemon, Avast! is scanning absolutely nothing that makes sense during the first files.  All it comes up with is "I:\" (Long story short, media reader has drives C-F with XP SP2 on that machine) with a few directory hits.  Although the SUI keeps displaying random system directories and the Avast! directory.  I started a second scan and aborted once it began Documents and Settings, I get 2.1GBs of data scanned.

The test machine fails to open "System Volume Information" using the thorough scan using the SUI (and selecting the system scan if I hadn't already mentioned).

I went ahead and ran Filemon on the Quick Scan, and the compressed file is 167KB.

[igor]

And can you upload the ashQuick FileMon log to ftp://ftp.avast.com/incoming - for example?
Thanks.

[Malkor]

Yup and done.

[igor]

I must say the log didn't show anything suspicious, the files were scanned as usual...
Anyway, I got probably slightly confused by the references to "quick scan" in some posts (it's not always clear where "quick scan" is used to describe Quick/Standard/Thorough scan sensitivity inside Simple UI, and when it means Explorer Extension (= ashQuick.exe)).

First, regarding the double scanning:
- When Simple UI runs a Standard or Thorough scan, it performs a rootkit scan first (on specific areas - not the whole disk, as far as I know). So, it may seem that these areas are scanned twice, but it's a different type of scan
- There's additional initial disk access that "browses" all the selected areas somehow - to estimate the size and display the progress somehow - so it File Monitor log, it might seem that there another scan running - but it's as expected.

So, you are saying the all the scans (ashQuick.exe, boot-time scan, Quick/Standard scan in Simple UI) scan the files in System Volume Information, but Thorough scan in Simple UI doesn't... right?
What if you choose "Folder selection" in Simple UI (with Thorough scan) and select the System Volume Information folder only - does the scan finish immediatelly?

[igor]

Damn, when I was writing the post (and formulating the questions), I've realized that there indeed might be a problem there... I'll check it tomorrow and will let you know.

[Malkor]

Only whenever the rootkit scan is invoked, Avast! SUI fails to access the System Volume Information.  Assuming I answered that correctly.  Scans that don't invoke it (AshQuick.exe*, Boot-time scan**, individual folder scan in SUI*) work fine.

I wasn't familiar with the rootkit scan, though thanks for clarifying.

*XP only.  On Vista SP1 the AshQuick causes Vista to display "Access Denied" error and the SUI scan only scans 20kbs of data.
**Not tested on Vista yet.

Edit: I would probably suggest people to reference the shell extension as Quick Scanner and SUI one as Quick Scan.  I get confused too and assume people meant the shell extension unless the AshQuick.exe is specified.

[igor]

The problem should be fixed in the next program update.
Thanks for your help!

[Malkor]

You're most certainly welcome.  Keep up the good work, igor.

[igor]

The issue should be fixed in the latest beta.