Author Topic: on-access scanner (standard shield) delay  (Read 9521 times)

0 Members and 1 Guest are viewing this topic.

Toni

  • Guest
on-access scanner (standard shield) delay
« on: April 06, 2004, 04:57:38 PM »
Hi,
I first downloaded and registered Avast! 4 Home on 26-02-2003.
Tried it for a couple of days and got rid of it, because I didn't like the delay when starting up programs, double clicking a file to open it in a program and deleting a file in Windows Explorer.
(Does it scan files before allowing deletion ?)

I used AVG Free since then, because it didn't show this behaviour and it had a reasonable track record.
I manually check for updates everyday. But the last couple of months, while trying to update the virus database, I constantly received the AVG message "An automatic connection to the internet could not be established". (Honestly I needed 10-12 attempts on average before it worked or I received the message that it was already uptodate.)

Then on 27-03-2004, I received an email from support at Avast to register again because my activation key would soon expire.
I downloaded, re-registered, and gave it another shot.
But the on-access scanner is still showing the same behaviour.
The delay I mentioned above. All providers have their sensitivity set to normal and the Outlook/Exchange provider is stopped permantly.

I only have a problem with the added delay before a program really begins its startup sequence, or before I get a "Confirm File Delete" dialog box after pressing the delete key in Windows Explorer.
The speed of any running application is not affected as far as I can tell.

I tried adding the drive letter D:\ (where I install all programs) to the list of locations that will not be scanned and/or tested in Customize >> Advanced tab of the Standard Shield but it did not help.
Any suggestions ?

I also noticed that pagefile.sys is entered as *\PAGEFILE.SYS in this list.
What's the meaning of the asterisk ?
I hope it's not C:\.
Because I have it on a different partition G:\ (on another harddisk).

Offline igor

  • Avast team
  • Serious Graphoman
  • *
  • Posts: 11849
    • AVAST Software
Re:on-access scanner (standard shield) delay
« Reply #1 on: April 06, 2004, 05:08:19 PM »
Asterisk means "anything" - i.e. file called pagefile.sys will not be scanned wherever it is (now I'm not sure why it isn't just ?\pagefile.sys (question mark means "any character")... can a pagefile be in a subdirectory??)

Otherwise - can you post some info about your computer? What operating system do you use?
Does it help when you stop some of the resident providers (especially Standard Shield)?

Toni

  • Guest
Re:on-access scanner (standard shield) delay
« Reply #2 on: April 07, 2004, 12:11:08 PM »
Hi Igor.
Thanks for replying.
Quote
can a pagefile be in a subdirectory??
No.
Quote
Otherwise - can you post some info about your computer? What operating system do you use?
I don't think this has anything to do with my question because it's not the speed at which the programs run, but the delay between double clicking and program start. Or the delay between pressing the delete key in Windows Explorer and getting the "Confirm File Delete" dialog box.
It's not there with other virus scanners, for example AVG and Antivir.
But here you are :
Motherboard  : Abit AN7
CPU                : AMD Athlon XP 2500 (Barton)
Memory          : 1GB (=2 x Corsair XMS 512MB DDR400 CL2)
Graphics card : Asus Radeon 9800Pro/TVD 256MB
Harddisk         : 2x WD Raptor WD740GD 74GB 8MB cache
OS                  : Windows XP SP1
First harddisk :
C:\ partition : WinXP, Avast! v4.1 build 4.1.357, Sygate Personal Firewall v5.5 build 2525, Ad-Aware 6, and scanner utility.
D:\ partition : All Applications like Adobe Illustrator, Adobe Photoshop, Discreet 3D Studio Max 6 etc.
E:\ partition : various tools and utilities.
F:\ partition : music

Second harddisk :
G:\ partition : pagefile.sys (nothing else).
H:\ partition : cache for Adobe Illustrator (nothing else)
I:\ partition : cache for Adobe Photoshop (nothing else)
J:\ partition : cache for CD and DVD burners (nothing else)
K:\ partition : storage for artwork done with graphic programs
L:\ partition : cache for Internet Explorer (also used as default location for downloaded files)

Quote
Does it help when you stop some of the resident providers (especially Standard Shield)?
Yes, only when Standard Shield is disabled. I already narrowed it down to the Standard Shield, as per the topic title. ;)
I only have the Internet Mail and Standard Shield providers running.
The Instant Messaging, P2P Shield and Outlook/Exchange providers are permanently stopped, because I dont have these programs.

I have these services running :
I attached a text file (5KB) with all running/disabled/manual services but I can't see it. >:(
No paperclip, nothing. If you need it, let me know how to get it to you.

EDIT :
     I forgot to mention this.
     The delay occurs when the tray icon with the lower case "a" is spinning.
END EDIT
« Last Edit: April 08, 2004, 09:50:18 AM by Toni »

Offline igor

  • Avast team
  • Serious Graphoman
  • *
  • Posts: 11849
    • AVAST Software
Re:on-access scanner (standard shield) delay
« Reply #3 on: April 13, 2004, 05:26:51 PM »
I was asking about the basic configuration just to make sure we aren't speaking about 486-system with 8megs of memory  ;)  Your machine is certainly a fast one.
(The operating system is quite in importand info, regarding the Standard Shield - different pieces of code are used on different operating systems).

The blue icon is spinning when avast! is scanning something. So, I think it would be nice to find out what is scanned (I think that scanning a few files shouldn't cause much delay on your machine). You say that putting D:\ into the list of exceptions didn't make any difference. Maybe it's some file from C:\ that's started before these operations... does it help when you put C:\* into the exceptions box?
Or - what exactly did you put there - D:\ or D:\* ?

You can keep the resident protection control window open and watch the "Last scanned" item for the Standard Shield to find out what's being scanned. Or, you can temporarily turn on the "Show detailed info on performed action" option.

How big is this "delay" actually?

Toni

  • Guest
Re:on-access scanner (standard shield) delay
« Reply #4 on: April 15, 2004, 10:43:59 AM »
Quote
Or - what exactly did you put there - D:\ or D:\* ?
D:\
Quote
How big is this "delay" actually?
Examples :
Photoshop 7 from clicking to splash screen without Standard Shield : 3 seconds, with Standard Shield : 11 seconds.
Illustrator 10 from clicking to splash screen without Standard Shield : 2 seconds, with Standard Shield : 9 seconds.
Quote
Or, you can temporarily turn on the "Show detailed info on performed action" option.
Right after login : It looks like the on-access scanner is checking all partitions for executables and some DLLs, and scans them.
Start menu : just hovering over the menu options triggers scanning of DLLs and executables. ( ???)
When I start Photoshop, it scans many DLLs, some plugins, ImageReady, Acrobat reader and lastly Photoshop itself.
Starting Illustrator shows similar behaviour.
Internet Explorer : many many DLLs are scanned, including the notepad executable. ( ???)
Windows Explorer : just selecting a folder with for example a Photoshop file in it triggers scanning of the Photoshop executable. ( ???)
Or selecting a folder with a PDF file in it triggers scanning of the Acrobat reader executable. ( ???)

OK, after this I rebooted and Explorer (the shell) locked up right after login.
I could move the mouse pointer, but anything I clicked on, nothing happened.
So I press Ctrl+Alt+Del, select Task Manager (with the TAB-key) and hit Enter.
Task Manager window disappears and the Explorer bar at the bottom of the screen disappears, only desktop icons visible. So I hit Ctrl+Alt+Del again : nothing. Several times more : nothing.
So I press and hold down the power button to shut down.
Unplugged the power cable from the PSU for 2 minutes to power cycle and then rebooted. Same problem.  Repeated previous step, and all was OK for about an hour. Then Explorer locked up again. So I rebooted and unchecked "Show detailed info on performed action".
I don't know if that's what caused the lockups, but Explorer is not locking up anymore since then.

But to be safe I just restored an image (DriveImage) of my OS and installed programs to get rid of everything. So Avast! is not installed anymore at the moment. I temporarily re-installed AVG, until there is an explanation or solution to this. I have not given up yet. ;)

Offline igor

  • Avast team
  • Serious Graphoman
  • *
  • Posts: 11849
    • AVAST Software
Re:on-access scanner (standard shield) delay
« Reply #5 on: April 15, 2004, 05:17:24 PM »
Quote
Or - what exactly did you put there - D:\ or D:\* ?
D:\

D:\ doesn't mean anything in this box; it should be D:\* - if you want to exclude the whole D: drive.

Photoshop 7 from clicking to splash screen without Standard Shield : 3 seconds, with Standard Shield : 11 seconds.
Illustrator 10 from clicking to splash screen without Standard Shield : 2 seconds, with Standard Shield : 9 seconds.

We just tried and there was no noticeable delay in starting Photoshop with Standard Shield on/off. There must be something else going on there... but right now, I really don't know what it could be. 3-->11 seconds is a big difference... you have a fast system with fast drives, so the mere scanning shouldn't influence the startup time that much.

Right after login : It looks like the on-access scanner is checking all partitions for executables and some DLLs, and scans them.

It's not the scanner, it's the system that is loading these files. The scanner scans them on-access.

Start menu : just hovering over the menu options triggers scanning of DLLs and executables. ( ???)
It's the same - when you move through the start menu, the system opens the executables (e.g. to load the icon from them).

Windows Explorer : just selecting a folder with for example a Photoshop file in it triggers scanning of the Photoshop executable. ( ???)
Again - the Explorer is trying to display the correct icon for the Photoshop file; the file is associated to the Photoshop executable, so Explorer opens it to read the icon from there. So, avast! scans it.

OK, after this I rebooted and Explorer (the shell) locked up right after login.

I would like to know what were the exact settings of the Standard Shield provider, regarding the scanning of opened and created files. It is possible that this "Show performed info" option is able to cause some troubles during bootup if a very high sensitivity is set - though I believe there was some kind of workaround implemented some time ago (Vlk may have some more info...)


I really don't know... are there any special tools automatically started with your system?

Toni

  • Guest
Re:on-access scanner (standard shield) delay
« Reply #6 on: April 15, 2004, 10:25:18 PM »
I'm with you on the D:\ versus D:\*.

Quote
Quote from: Toni on Today at 10:43:59
Right after login : It looks like the on-access scanner is checking all partitions for executables and some DLLs, and scans them.

It's not the scanner, it's the system that is loading these files. The scanner scans them on-access.

I disagree.
Because this would mean that at startup the system is also loading MANY applications from partitions D:\ and E:\. Many *.exe files are being scanned from these partitions.
With detailed logging on :
First there are mainly executable filenames from the C:\ partition.
Followed by a mix of executable filenames from partitions C:\, D:\, and E:\.
Lastly the righthand side of the screen is almost completely covered with executable filenames from partitions D: and E: only. (And the odd DLL.)

Why should Windows load DriveImage, Partition Magic, 3DS Max and almost all Adobe applications right after logon ?
(To name just a few.)

Quote
It's the same - when you move through the start menu, the system opens the executables (e.g. to load the icon from them).

Again - the Explorer is trying to display the correct icon for the Photoshop file; the file is associated to the Photoshop executable, so Explorer opens it to read the icon from there. So, avast! scans it.
Wasn't the file IconCache.db in C:\Documents and Settings\ProfileName\Local Settings\Application Data meant to prevent the system from having to do this ?
I rarely install/uninstall programs. Maybe the odd Illustrator plugin, twice a year. So there is a high probability that IconCache.db contains all icons to be displayed and no unused ones.

Quote
I would like to know what were the exact settings of the Standard Shield provider, regarding the scanning of opened and created files. It is possible that this "Show performed info" option is able to cause some troubles during bootup if a very high sensitivity is set - though I believe there was some kind of workaround implemented some time ago (Vlk may have some more info...)
I don't have Avast installed anymore, but luckily I had the settings written down in my notepad.
Sensitivity : Normal.
Scanner (Basic) tab : all options checked.
Scanner (Advanced) tab : "Scan files on open" checked, with nothing in "scan files with these extensions:", "Always scan WSH-script files" checked.
Blocker tab : "Default extension set" checked, "Allow the operation" selected.
Advanced tab : nothing checked, "list of locations that will not be scanned" unchanged. (Removed the D:\ because it didn't work.)

Quote
I really don't know... are there any special tools automatically started with your system?
Adobe Gamma Loader is the only entry in the Startup folder. The "Run" keys in the Registry contain these values :
at HKCU :
ashMaiSv                      C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe

at HKLM :
ashMaiSv                      C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
avast!                           C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
CloneCDElbyCDFL         "D:\Elaborate Bytes\CloneCD\ElbyCheck.exe" /L ElbyCDFL
Logitech Utility              Logi_MwX.Exe
NvCplDaemon               RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
QuickTime Task             "D:\QuickTime\qttask.exe" -atboottime
SmcService                    C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
zBrowser Launcher       C:\Program Files\Logitech\iTouch\iTouch.exe

(At the time when Avast was still installed ofcourse.)

Also I tried to send you a list of services (see earlier post), but I don't know if you received this. Again, let me know.
« Last Edit: April 15, 2004, 10:30:57 PM by Toni »

Offline Vlk

  • Avast CEO
  • Serious Graphoman
  • *
  • Posts: 11658
  • Please don't send me IM's. Email only. Thx.
    • ALWIL Software
Re:on-access scanner (standard shield) delay
« Reply #7 on: April 15, 2004, 11:01:46 PM »
Quote
I disagree.
Because this would mean that at startup the system is also loading MANY applications from partitions D:\ and E:\. Many *.exe files are being scanned from these partitions.
With detailed logging on :
First there are mainly executable filenames from the C:\ partition.
Followed by a mix of executable filenames from partitions C:\, D:\, and E:\.
Lastly the righthand side of the screen is almost completely covered with executable filenames from partitions D: and E: only. (And the odd DLL.)

There must be an app in your startup that is touching these files, triggering the on-access scan... E.g. the Office Fast Search feature is notorious for scanning lots of files on systems startup...
You can use FileMon to see which program is accessing the EXE files...

Vlk
If at first you don't succeed, then skydiving's not for you.

Offline igor

  • Avast team
  • Serious Graphoman
  • *
  • Posts: 11849
    • AVAST Software
Re:on-access scanner (standard shield) delay
« Reply #8 on: April 16, 2004, 09:28:47 AM »
In my opinion, it can easily be done by Explorer - loading the icons for start menu, for desktop, etc. Yes, there is some kind of cache for the icons, but who knows how it works (Explorer may just be checking if the file has changed, don't know...)

Anyway, that doesn't explain the slowdown of starting applications...
« Last Edit: April 16, 2004, 09:29:32 AM by igor »

Toni

  • Guest
Re:on-access scanner (standard shield) delay
« Reply #9 on: April 16, 2004, 01:16:58 PM »
Quote
You can use FileMon to see which program is accessing the EXE files...
I don't have Office.
But I downloaded FileMon.
 and re-installed Avast. FileMon is a real eye-opener !
Igor, you were so right.
At startup it's indeed Explorer (the shell incarnation) that's triggering the on-access scanner. (Also when hovering in the Start menu.)
Code: [Select]
Example :
55   10:40:15   explorer.exe:1360   QUERY INFORMATION   E:\Acrobat 5.1\Reader\AcroRd32.exe   SUCCESS   Attributes: A   
56   10:40:15   explorer.exe:1360   QUERY INFORMATION   D:\Adobe\Illustrator 10\Support Files\Contents\Windows\Illustrator.exe   SUCCESS   Attributes: A   
57   10:40:15   explorer.exe:1360   QUERY INFORMATION   D:\Adobe\Photoshop 7.0\ImageReady.exe   SUCCESS   Attributes: N   
58   10:40:15   explorer.exe:1360   QUERY INFORMATION   D:\Adobe\Photoshop 7.0\Photoshop.exe   SUCCESS   Attributes: A   
59   10:40:15   explorer.exe:1360   QUERY INFORMATION   D:\Adobe\Adobe Type Manager\atmfm.exe   SUCCESS   Attributes: A   
60   10:40:15   explorer.exe:1360   QUERY INFORMATION   D:\Adobe\Adobe Type Manager\Readme.WRI   SUCCESS   Attributes: A   
61   10:40:15   explorer.exe:1360   QUERY INFORMATION   D:\Ahead\Nero\nero.exe   SUCCESS   Attributes:    
62   10:40:15   explorer.exe:1360   QUERY INFORMATION   D:\Ahead\coverdesigner\CoverDes.exe   SUCCESS   Attributes: A   
63   10:40:15   explorer.exe:1360   QUERY INFORMATION   D:\Ahead\Nero\Misc\NeroImageDriveInst.exe   SUCCESS   Attributes:    
64   10:40:15   explorer.exe:1360   QUERY INFORMATION   D:\Ahead\Nero\WaveEditor\WaveEdit.exe   SUCCESS   Attributes:    
65   10:40:15   explorer.exe:1360   QUERY INFORMATION   D:\Ahead\Nero Toolkit\CDSpeed.exe   SUCCESS   Attributes:    
66   10:40:15   explorer.exe:1360   QUERY INFORMATION   D:\Ahead\Nero Toolkit\DriveSpeed.exe   SUCCESS   Attributes:    
67   10:40:15   explorer.exe:1360   QUERY INFORMATION   D:\Ahead\Nero Toolkit\InfoTool.exe   SUCCESS   Attributes:    

But, if I interpret the log correctly, Explorer is only requesting attribute information from the files.
(Correct me if I'm wrong, I'm new to FileMon.)
So why scan these files if they are not really executed ?
I wish I could switch off this part of the scanning process.

Then the delay in Explorer (the filemanager incarnation).
Right-clicking and selecting delete caused a delay before the "Confirm File Delete" dialog box showed up.
FileMon shows that csrss.exe is taking a very long time to do it's thing. 3-5 seconds !


Now for the delay when starting programs.
Right after logging on :
After clicking the Photoshop shortcut in the Start menu, the FileMon log shows that csrss.exe is again taking a very long time to do it's thing. It kicks in at various stages of the Photoshop startup process, totaling about 9 seconds.
Then I close Photoshop, wait for a minute, and start it up again.
It starts up much faster. I look at the FileMon log, and csrss.exe is executed less frequently than starting up Photoshop for the very first time. Apparently (or luckily) it remembers some information from the first run.
(BTW, same thing with Illustrator.)

So I search the internet and find this about csrss.exe : http://support.microsoft.com/?kbid=555021

It sounds similar to the problem with my PC.
Maybe somewhere/somehow during the first uninstallation of AVG, or the first installation of Avast, something went wrong with my user profile.

Now I have to backup some settings, files and folders, before deleting my user profile with the User Profile Deletion Utility : http://www.microsoft.com/downloads/details.aspx?FamilyID=901a9b95-6063-4462-8150-360394e98e1e&displaylang=en

I'll let you know if this resolves the problem.

Toni

  • Guest
Re:on-access scanner (standard shield) delay
« Reply #10 on: April 17, 2004, 04:56:12 PM »
Decided against copying over my settings to a newly created profile.
So I defragmented and backed up the C, D, and E partitions to CD-RW.
Then created a new user profile (Administrative).
Rebooted and logged on as the new user.
Result : same problems.

Then I disabled prefetching in the Registry (from 3 to 0) and cleared the prefetch cache (C:\Windows\Prefetch).
This solved the "Right-clicking and selecting delete caused a delay before the "Confirm File Delete" dialog box showed up".
Just selecting a folder or file in Explorer, triggers scans, remains.
First startup of applications causes a delay, remains.

So I formatted partitions C, D, and E.
Then I re-installed Windows XP with the original installation CD.
Did not tweak anything.
Installed Avast. Did not change anything else but selecting "detailed logging".
Installed Photoshop and Illustrator and made settings for them.
"Right-clicking and selecting delete caused a delay before the "Confirm File Delete" dialog box showed up", remains.
Just selecting a folder or file in Explorer, triggers scans, remains.
First startup of applications causes a delay, remains. (But it's down to 5 seconds now. :))

Disabled prefetching again. Solved only the first "Confirm file delete" problem.
Uninstalled Avast and just to make sure ran avclear4.exe.

Installed AVG.
Result : no delays.

Uninstalled AVG.
Installed Antivir.
Result : no delays.

This all leads me to think that Avast is scanning more thorougly than the other 2 virusscanners.
(Or maybe more thorougly than necessary.)
I've decided that Avast is not for me.

Anyway, thanks for the time and effort you put into this. ;)
« Last Edit: April 17, 2004, 05:00:42 PM by Toni »

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67195
Re:on-access scanner (standard shield) delay
« Reply #11 on: April 19, 2004, 05:30:54 AM »
I've decided that Avast is not for me.

 :'(  :'(  :'(  :'(  :'(
The best things in life are free.