Author Topic: Why are shortcuts scanned by the Standard Shield?  (Read 13507 times)


streetwolf

  • Guest
Re: Why are shortcuts scanned by the Standard Shield?
« Reply #15 on: July 04, 2008, 03:02:22 AM »
> streetwolf,
>
> please download the fixed driver version:
> x86 binary: http://public.avast.com/~kurtin/flt_pub1/i386/aswMonFlt.sys
> amd64 binary: http://public.avast.com/~kurtin/flt_pub1/amd64/aswMonFlt.sys
>
> please let me know if it helps, thanks for your cooperation ;)

Tried the x86 version and it did NOT fix the problem.  I placed the file in system32/drivers and rebooted. 

If you looked at my other post you will see that many types of files are being scanned even though I specified the ones I wanted to be scanned.


Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67195
Re: Why are shortcuts scanned by the Standard Shield?
« Reply #16 on: July 04, 2008, 03:17:49 AM »
How to test if my links are being scanned into Vista 32bits SP1+?
The best things in life are free.

streetwolf

  • Guest
Re: Why are shortcuts scanned by the Standard Shield?
« Reply #17 on: July 04, 2008, 03:21:48 AM »
> How to test if my links are being scanned into Vista 32bits SP1+?

Just click on one of the folders in your Start Menu under All Programs.  Just about all of them have shortcuts.  Also make sure you set the option in the Standard Shield to 'show detail on performed action' so you will see the popup

Offline pk

  • Avast team
  • Super Poster
  • *
  • Posts: 2078
Re: Why are shortcuts scanned by the Standard Shield?
« Reply #18 on: July 04, 2008, 05:28:32 AM »
streetwolf, I don't have good news for you :-\

I've debugged some Vista system libraries and found out that, when shortcut files are read, their EXE files are opened with the same method which is used for execution. In general, it's not even so easy to identify when a process is going to be launched. Standard Shield doesn't know it; it only assumes the opened file may be used for execution. Unfortunately, Vista opens those .lnk files (and .exe files) with the same flags which are used for execution. Anyway, these EXE files are scanned just once - a rescan will only happen if they are changed.

Tested at Vista and Vista SP1 platforms.

Offline Vladimyr

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 1639
  • Super(massive black hole) Poster
Re: Why are shortcuts scanned by the Standard Shield?
« Reply #19 on: July 04, 2008, 07:42:17 AM »
PK
Does this mean that the performance impact of any AV's on-access scan engine will be amplified in proportion to the scanner's inefficiency by Vista's inherent "Linkscanner"-like behaviour?
“There is a way that seems right to a man, but in the end it leads to death.” - Proverbs 16:25

Offline pk

  • Avast team
  • Super Poster
  • *
  • Posts: 2078
Re: Why are shortcuts scanned by the Standard Shield?
« Reply #20 on: July 04, 2008, 02:38:47 PM »
streetwolf,
please use this fixed version, I guess we've solved the problem:
x86 binary: http://public.avast.com/~kurtin/public/flt_02/i386/aswMonFlt.sys
amd64 binary: http://public.avast.com/~kurtin/public/flt_02/amd64/aswMonFlt.sys

thanks.

streetwolf

  • Guest
Re: Why are shortcuts scanned by the Standard Shield?
« Reply #21 on: July 04, 2008, 03:56:26 PM »
This new module took care of the shortcut problem.  No popups and no messages in the Resident log.  Nice going.

Now how about the other issues with both Standard and Web shield scanning files that they should not be scanning?  Under web shield I only specify exe,rar,zip files to be scanned, yet I see loads of popup messages for all kinds of files.  There is a lot of scans of jpgs and gifs from my TIF.  Just had a flv file scanned from a website.  Not for every site mind you.  Are these the orphaned memory mapped files mentioned in my other post about this?

I assume that when I tell avast! to only scan certain extensions it will do just that.  Unless I am assuming incorrectly.

Offline pk

  • Avast team
  • Super Poster
  • *
  • Posts: 2078
Re: Why are shortcuts scanned by the Standard Shield?
« Reply #22 on: July 04, 2008, 05:33:50 PM »
The memory mapped issue has already been fixed.

Could you please identify if the problem was with Std Shield or Webshield? i.e. you can turn on "Show detailed info on performed action" either in StdShield settings or in Webshield settings. If it's a StdShield issue, what settings do you have in the "Scanner (Advanced)" window?

streetwolf

  • Guest
Re: Why are shortcuts scanned by the Standard Shield?
« Reply #23 on: July 04, 2008, 05:55:19 PM »
First off does the new aswMonFlt.sys module 'fix' the memory mapped issue?  If so I want to use the Resident Protection log from this point on to gather files that I believe are being scanned when they shouldn't.

Secondly, I think it would be useful to indicate in the Resident Protection.txt log which shield produced the entry.

Since the new module I've had .json files and a .vidt file scanned from the Web shield.  These came from www.cnn.com when clicking on a video.
Also my meager web site www.shap721.com produces this in the log:

http://cgi-wsc.chi.us.siteprotect.com/cgi-bin/CMForum/ahw050inxsel11a988f69e2?cc=0.21385138523430758&lang=en&country=US

Also got this one from the Standard shield:

C:\Users\Streetwolf\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\2ACN16GB\catbg[1].jpg

So far it appears I am not getting as many 'false' scans as before.  So far only the ones I just mentioned.

My advanced settings in the standard shield are all disabled.  Nothing is checked.

To reiterate, my standard shield is set up just to scan executed programs.  My web shield is set up to scan only exe,zip,rar files.  That is it.
« Last Edit: July 04, 2008, 06:52:54 PM by streetwolf »

streetwolf

  • Guest
Re: Why are shortcuts scanned by the Standard Shield?
« Reply #24 on: July 05, 2008, 06:32:29 PM »
After I just booted up my machine into Vista I looked at the resident log and saw that everything that is on my Start Menu was scanned.  This includes the targets of links.

Also a bunch of other stuff was in the log.  Here's a section of the log with this other stuff:

:\Users\Streetwolf\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
  • is OK

C:\Users\Streetwolf\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
  • is OK

C:\Users\Streetwolf\AppData\Local\Microsoft\Feeds Cache\index.dat
  • is OK

C:\Users\Streetwolf\AppData\Local\Microsoft\Internet Explorer\MSIMGSIZ.DAT
  • is OK

C:\Users\Streetwolf\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012008070520080706\index.dat
  • is OK

C:\Windows\SoftwareDistribution\AuthCabs\authcab.cab
  • is OK

C:\Users\Streetwolf\AppData\Local\Microsoft\Feeds Cache\index.dat
  • is OK

C:\Users\Streetwolf\AppData\Local\Microsoft\Internet Explorer\MSIMGSIZ.DAT
  • is OK

C:\Users\Streetwolf\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012008070520080706\index.dat
  • is OK

C:\Users\Streetwolf\AppData\Local\Microsoft\Windows\Explorer\thumbcache_idx.db
  • is OK

C:\Users\Streetwolf\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
  • is OK

C:\Users\Streetwolf\AppData\Local\Microsoft\Windows\Explorer\thumbcache_32.db
  • is OK

C:\Users\Streetwolf\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
  • is OK

C:\Windows\System32\winevt\Logs\Microsoft-Windows-CodeIntegrity%4Operational.evtx
  • is OK

C:\Users\Streetwolf\AppData\Local\Microsoft\Windows\Explorer\thumbcache_sr.db
  • is OK

C:\Users\Streetwolf\AppData\Local\Microsoft\Windows\Explorer\thumbcache_1024.db
  • is OK

C:\Windows\System32\winevt\Logs\Security.evtx
  • is OK

C:\Windows\System32\wbem\repository\INDEX.BTR
  • is OK

C:\Windows\System32\wbem\repository\OBJECTS.DATA
  • is OK

C:\Windows\System32\winevt\Logs\System.evtx
  • is OK

C:\Windows\System32\winevt\Logs\Application.evtx
  • is OK

C:\Users\Streetwolf\AppData\Local\Microsoft\Windows\Explorer\thumbcache_256.db
  • is OK

C:\Windows\System32\wsqmcons.exe
  • is OK

C:\Windows\System32\winevt\Logs\Microsoft-Windows-GroupPolicy%4Operational.evtx
  • is OK

C:\Windows\System32\winevt\Logs\Microsoft-Windows-TaskScheduler%4Operational.evtx
  • is OK

C:\Windows\System32\wbem\repository\MAPPING2.MAP
  • is OK

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Diagnosis-DPS%4Operational.evtx
  • is OK

C:\ProgramData\Microsoft\Network\Downloader\qmgr0.dat
  • is OK

C:\Users\Streetwolf\AppData\Local\Microsoft\Windows\Explorer\thumbcache_96.db
  • is OK

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Bits-Client%4Operational.evtx
  • is OK

C:\Windows\System32\wbem\repository\MAPPING1.MAP
  • is OK

C:\Users\Streetwolf\AppData\Local\GDIPFONTCACHEV1.DAT
  • is OK

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Diagnostics-Performance%4Operational.evtx
  • is OK

C:\Users\Streetwolf\AppData\Roaming\Microsoft\Protect\CREDHIST
  • is OK

C:\Windows\System32\catroot2\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\catdb
  • is OK

C:\Windows\System32\catroot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\catdb
  • is OK
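A way to triage a Resident Protection log like the one posted above, given here as an added example (not from the thread and not avast! code): it parses the path/status layout seen in the post and lists entries whose extension falls outside the set the shield is expected to scan. The sample log is constructed from paths in the thread, and the expected set (`exe`, `dll`) is an assumption based on the settings described in the discussion.

```python
import ntpath
import re
from collections import Counter

# Constructed sample in the layout shown in the post: a path line followed
# by a status line. Paths are taken from the thread.
SAMPLE_LOG = r"""
C:\Users\Streetwolf\AppData\Local\Microsoft\Feeds Cache\index.dat
  • is OK

C:\Windows\System32\winevt\Logs\Security.evtx
  • is OK

C:\Windows\System32\wsqmcons.exe
  • is OK

C:\Users\Streetwolf\AppData\Roaming\Microsoft\Protect\CREDHIST
  • is OK
"""

PATH_RE = re.compile(r"^[A-Za-z]:\\")  # entry starts with a drive-letter path

def parse_entries(text):
    """Return (path, status) pairs; status is the first line after the path."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip(" \t\u2022")  # drop indentation and bullet marker
        if not line:
            continue
        if PATH_RE.match(line):
            entries.append([line, ""])
        elif entries and not entries[-1][1]:
            entries[-1][1] = line
    return [tuple(e) for e in entries]

def unexpected_scans(text, expected_exts):
    """Return (path, ext, status) for entries outside the configured set."""
    expected = {e.lower().lstrip(".") for e in expected_exts}
    out = []
    for path, status in parse_entries(text):
        ext = ntpath.splitext(path)[1].lower().lstrip(".")  # Windows rules
        if ext not in expected:
            out.append((path, ext or "(none)", status))
    return out

def summarize(text, expected_exts):
    """Count unexpected scans per extension to show where the noise is."""
    return Counter(ext for _, ext, _ in unexpected_scans(text, expected_exts))
```

Comparing the per-extension counts before and after a driver or settings change shows whether the set of unexpectedly scanned file types actually shrank.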



Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67195
Re: Why are shortcuts scanned by the Standard Shield?
« Reply #25 on: July 05, 2008, 07:28:04 PM »
Questions without answer...

> How to test if my links are being scanned into Vista 32bits SP1+?

> PK
> Does this mean that the performance impact of any AV's on-access scan engine will be amplified in proportion to the scanner's inefficiency by Vista's inherent "Linkscanner"-like behaviour?

The best things in life are free.

Offline pk

  • Avast team
  • Super Poster
  • *
  • Posts: 2078
Re: Why are shortcuts scanned by the Standard Shield?
« Reply #26 on: July 08, 2008, 01:34:32 AM »
streetwolf, I've made some new changes and you can use this new driver:
x86 binary: http://public.avast.com/~kurtin/public/flt_03/i386/aswMonFlt.sys
amd64 binary: http://public.avast.com/~kurtin/public/flt_03/amd64/aswMonFlt.sys

Also note, scanning on-exec is not enough, you should turn DLL scanning on (except System DLLs, of course), but it's up to you...

Tech,
> How to test if my links are being scanned into Vista 32bits SP1+?
1) Turn off everything in "Scanner (Basic)" and "Scanner (Advanced)" windows.
2) Turn on "Scan executed programs (and all its three nested checkboxes)" in the first tab.
3) Terminate Standard Shield provider.
4) Start Standard Shield provider.
5) Click at Start button, click at "All Programs", open "Accessories" folder and LNK/EXE files will be scanned.

streetwolf

  • Guest
Re: Why are shortcuts scanned by the Standard Shield?
« Reply #27 on: July 08, 2008, 05:18:12 AM »
This new aswMonFlt.sys seems to have done the trick regarding all the needless scanning that was done at boot time. 

My Start Menu is no longer being scanned and I did not see in the log any of the other files.  I'm seeing nothing but exe's and dll's (I took your advice).

Regarding dll scanning on the Basic standard shield.  There is no option to disregard system dll's.  That appears only under the advanced tab for opening files.  I disable all of the advanced stuff.  Is the basic dll scanner supposed to ignore system dll's on load?

And in this regard does avast scan the files Vista's Superfetch loads into memory at startup time?  SF slows things up all by itself.  Having avast in the mix can only make it slower (I suppose).

I'll do more testing and get back to you.  My interest is with the standard and web shield.

Offline pk

  • Avast team
  • Super Poster
  • *
  • Posts: 2078
Re: Why are shortcuts scanned by the Standard Shield?
« Reply #28 on: July 09, 2008, 12:21:04 AM »
> Regarding dll scanning on the Basic standard shield.  There is no option to disregard system dll's.  That appears only under the advanced tab for opening files.  I disable all of the advanced stuff.  Is the basic dll scanner supposed to ignore system dll's on load?

Yes, try to disable everything from advanced tab, except "do not scan system dlls on load" and check "scan dlls" on the Basic tab.

> And in this regard does avast scan the files Vista's Superfetch loads into memory at startup time?  SF slows things up all by itself.  Having avast in the mix can only make it slower (I suppose).

Since Standard shield will not scan system DLLs at startup time, it should be fast. After Vista loading, you can check report log (or number of scanned files) and see what files have been scanned.

If you find out something interesting, please post a comment to let us know. Thanks.

streetwolf

  • Guest
Re: Why are shortcuts scanned by the Standard Shield?
« Reply #29 on: July 09, 2008, 02:48:06 AM »
pk:

What about all those other files I posted that are getting scanned?  You never said if they should or shouldn't be getting scanned.

Even some of my favicon.ico are getting scanned.  As are some jpg's and lots more stuff.  What is causing these files to be scanned?  IMO they shouldn't be scanned the way I have my shield set up.