Author Topic: Delay loading of avast!  (Read 7290 times)

Alioth

  • Guest
Delay loading of avast!
« on: April 05, 2009, 09:39:42 PM »
Hi,

I have a small doubt. If avast! is loaded at the same time as other system services, it causes a little delay at start-up (only a few seconds), but if avast! is configured to delay its loading until the system services finish loading, the computer starts up quickly, but avast! takes a few seconds to start (it shows a little red circle until it is loaded). I suppose that means avast! is disabled during those seconds, so it won't be able to detect any virus. So, is delaying the loading of avast! advisable? Does my system run an important risk if I delay its loading?

Thanks.

(Please excuse my English) :-\


Offline Lisandro

  • Avast team
  • Certainly Bot
  • Posts: 67194
Re: Delay loading of avast!
« Reply #1 on: April 06, 2009, 12:12:48 AM »
No, avast is protecting your computer at driver level.
It's not a security risk.
The best things in life are free.

Alioth

  • Guest
Re: Delay loading of avast!
« Reply #2 on: April 06, 2009, 01:03:16 AM »
Thanks for your reply.  ;D

Now, I have another related question. If my system is already infected by a virus that runs at start-up and resides in memory, will avast! be able to detect it before I manually scan memory by starting avast!? And if so, will it also do so if I delay its loading?

Offline Lisandro

  • Avast team
  • Certainly Bot
  • Posts: 67194
Re: Delay loading of avast!
« Reply #3 on: April 06, 2009, 01:06:54 AM »
> avast! will be able to detect it before I manually scan memory starting avast!?
Yes, the on-access scanning. Well, in fact, if it is already running in memory, ashserv.exe (the scanner) should load to catch it.

> And if so, if I delay its loading it will do it too?
No, the delay won't affect the detection.

That setting is safe to be checked.
The best things in life are free.

Alioth

  • Guest
Re: Delay loading of avast!
« Reply #4 on: April 06, 2009, 09:23:29 PM »
I have made an experiment in relation to my question. I downloaded the EICAR test file and I modified the registry to run it at startup and keep it resident in memory. Then, when the system starts up, the window of eicar.com appears (and it stays there until I close it), but the resident protection is unable to detect it, unless I start avast! and it scans the memory and the programs which run at boot-time. This doesn't change if I delay its loading (obviously :P), because (I suppose) eicar.com is loaded before resident protection is automatically activated.

I think avast! should automatically scan the processes which run at startup, and it should also prevent the infected processes from running (for example, by deleting the specific registry key). [Should I post this in the Wishlist?  ???]
« Last Edit: April 09, 2009, 07:34:45 PM by Alioth »

Offline Lisandro

  • Avast team
  • Certainly Bot
  • Posts: 67194
Re: Delay loading of avast!
« Reply #5 on: April 07, 2009, 12:27:43 AM »
Any application has its own system requirements... to run, the antivirus requires that some Windows processes are running, so it's an egg and chicken problem... the antivirus requires the system, the system is not fully loaded...
The best things in life are free.

Alioth

  • Guest
Re: Delay loading of avast!
« Reply #6 on: April 07, 2009, 01:16:16 AM »
Yes, I know it's not easy to detect malicious processes at startup, because it's difficult to know when they will be loaded. For this reason, I suggest avast! should scan the processes which are loaded at startup when the system is totally loaded.

avast! scans the programs that run at startup when you start the program, right? I suggest avast! automatically scans those programs when the system is already loaded. Also, if one of those programs is a malicious program, avast! should automatically scan the memory.

So, if some malicious software is loaded before avast!, it will be detected automatically. It's just an idea. Please tell me what you think about it.

(I hope you understand me, my English is not very good) :P

Offline Lisandro

  • Avast team
  • Certainly Bot
  • Posts: 67194
Re: Delay loading of avast!
« Reply #7 on: April 07, 2009, 01:59:58 PM »
> Yes, I know it's no easy detect malicious processes at startup, due to it's difficult to know when they will be loaded. For this reason, I suggest avast! should scan the processes which are loaded at startup when the system is totally loaded.
I think avast does this 8 minutes after logon, while doing the antirootkit scanning...
The best things in life are free.

Offline igor

  • Avast team
  • Serious Graphoman
  • Posts: 11849
    • AVAST Software
Re: Delay loading of avast!
« Reply #8 on: April 07, 2009, 04:10:11 PM »
> I downloaded the EICAR test file and I modified the registry to run it at startup and stay it resident in memory.

How exactly did you do that? First, what registry key did you use to start it up - and how did you modify eicar, a print-message-and-exit-program, to "stay resident"?

> This doesn't change if I delay its loading (obviously :P), because (I suppose it) eicar.com is loaded before resident protection is automatically activated.

Even with "delay loading" of the avast! service, it's certainly started before the user logs on.

> I think avast! should automatically scan the processes which run at startup

That's too late - the files have to be scanned before starting.


To answer the original question - yes, before avast! service is started, it doesn't scan anything - i.e. it won't be detecting viruses. However, even the delay load should be quite soon under normal circumstances.
« Last Edit: April 07, 2009, 04:12:02 PM by igor »

Alioth

  • Guest
Re: Delay loading of avast!
« Reply #9 on: April 09, 2009, 07:38:39 PM »
Thanks for your interest, igor.

Sorry, I was wrong when I said that I left eicar.com resident in memory. I just prevented the window in which eicar.com was executed from closing. I thought that it was enough to leave it resident in memory because avast! detected that the memory was infected, but what avast! really detected was the registry value that I had added before. Please, forgive my ignorance. ::)

So, I have repeated the “experiment”. I have done it in a virtual machine with a Windows 2000 SP4 with 128 MB of RAM. I have created a new value at HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run to run eicar.com at startup.

I have just realised what the problem is. If I log on quickly, eicar.com runs (it displays “EICAR-TEST-FILE…”) and avast! cannot detect it. I suppose this happens because avast! is not completely loaded yet. But, if I wait around 30 seconds and then I log on, avast! blocks it.

This “experiment” has been performed on a slow PC (Pentium II, 400 MHz), so maybe this problem doesn’t happen on a faster PC.

However, I think avast! could always prevent this problem if it scanned the programs that will be run at the next logon (which it already does, if it is started manually) when the system shuts down (that's my suggestion).

Sorry again for the mistake. :)

Offline Lisandro

  • Avast team
  • Certainly Bot
  • Posts: 67194
Re: Delay loading of avast!
« Reply #10 on: April 09, 2009, 08:50:29 PM »
> However, I think avast! could always prevent this problem if it scans the programs that will be run in the next logon (what it already does, if it is started manually) when the system shuts down (that's my suggestion).
Igor, wouldn't a registry monitor that does on-demand scanning of added items be good, like Alioth suggests?
The best things in life are free.

tripplec

  • Guest
Re: Delay loading of avast!
« Reply #11 on: April 12, 2009, 02:41:23 PM »
I don't trust one tool to pick and block on its own. That is why I run ZoneAlarm Suite 8 on my systems with their AV turned off. Their AV does not play well with other AV products, but I leave their spyware engine running, and of course any new or threatening apps are intercepted by the ZA vector, which loads at the beginning of the boot process.

I would get an alert once fully running to allow that process to continue; otherwise it's suspended until it's released by the user.

Something to think about.
« Last Edit: April 12, 2009, 09:21:55 PM by tripplec »

Offline igor

  • Avast team
  • Serious Graphoman
  • Posts: 11849
    • AVAST Software
Re: Delay loading of avast!
« Reply #12 on: April 12, 2009, 04:25:41 PM »
> I have just realised what is the problem. If I log on quickly, eicar.com runs (it displays “EICAR-TEST-FILE…”) and avast! cannot detect it. I suppose this happens because avast! is not completely loaded yet. But, if I wait around 30 seconds and then I log on, avast! blocks it.
>
> This “experiment” has been performed in a slow PC (Pentium II, 400 MHz), so maybe this problem doesn’t happen in a faster PC.

Yes, this indeed shows that the service is started quite late on your system (or rather - finished starting).
It can be caused by the slower computer; the services are started before the user logs on (i.e. before processing such keys as HKLM/Software/.../Run) - or at least they are "started to be started". According to your experiment, however, the system didn't manage to start all of the planned services if you log on quickly.

> However, I think avast! could always prevent this problem if it scans the programs that will be run in the next logon (what it already does, if it is started manually) when the system shuts down (that's my suggestion).

Would be nice, but doing anything "on shutdown" is very unreliable. The system is in a strange state, may kill your processes at any time... so unless you want to cancel the shutdown completely, it's not a good idea to start anything [bigger than a very tiny operation] at that moment.

Offline Lisandro

  • Avast team
  • Certainly Bot
  • Posts: 67194
Re: Delay loading of avast!
« Reply #13 on: April 12, 2009, 10:54:02 PM »
> Would be nice, but doing anything "on shutdown" is very unreliable. The system is in a strange state, may kill your processes at any time... so unless you want to cancel the shutdown completely, it's not a good idea to start anything [bigger than a very tiny operation] at that moment.
Wouldn't a registry key monitor solve this? (and startup folder monitor, also).
The best things in life are free.
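
The timing race worked out in replies #9 and #12 (a Run-key program launching at logon before the scanner service has finished starting), as an added example that is not part of the thread and is not avast! code. It takes a boot timeline and reports which launches fell inside the unprotected window; the event names, the `scanner` service label and both timelines are constructed for illustration.

```python
from datetime import datetime

# Constructed boot timelines (not captured logs): time, event kind, detail.
QUICK_LOGON = """\
09:00:05 SERVICE_START_PENDING scanner
09:00:20 LOGON user
09:00:22 RUN_KEY_LAUNCH eicar.com
09:00:41 SERVICE_RUNNING scanner
09:00:50 PROCESS_START notepad.exe
"""
LATE_LOGON = """\
09:00:05 SERVICE_START_PENDING scanner
09:00:41 SERVICE_RUNNING scanner
09:00:50 LOGON user
09:00:52 RUN_KEY_LAUNCH eicar.com
"""

# Hypothetical event kinds that represent a program being started.
LAUNCH_KINDS = {"RUN_KEY_LAUNCH", "PROCESS_START"}


def parse(timeline):
    """Turn 'HH:MM:SS KIND detail' lines into time-ordered tuples."""
    events = []
    for line in timeline.splitlines():
        if not line.strip():
            continue
        stamp, kind, detail = line.split(maxsplit=2)
        events.append((datetime.strptime(stamp, "%H:%M:%S"), kind, detail))
    return sorted(events)


def unscanned_launches(timeline, service="scanner"):
    """Return (program, seconds before protection) for launches that
    happened before `service` reported RUNNING.

    START_PENDING does not count as protecting yet ("started to be
    started"); if RUNNING is never seen, every launch is returned with
    a gap of None.
    """
    events = parse(timeline)
    ready = next((t for t, kind, detail in events
                  if kind == "SERVICE_RUNNING" and detail == service), None)
    return [(detail, None if ready is None else (ready - t).total_seconds())
            for t, kind, detail in events
            if kind in LAUNCH_KINDS and (ready is None or t < ready)]


if __name__ == "__main__":
    print("quick logon:", unscanned_launches(QUICK_LOGON))
    print("late logon: ", unscanned_launches(LATE_LOGON))
```
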