real-time file system shield is scanning on perl script reads

[dave18]

Hello all!

I'm new to avast. I installed the free antivirus program (version 5.0.677) with just the file system shield. In the real-time file system shield settings I have:

"Scan documents when opening" unchecked
"Scan files when writing" checked

Under "Expert Settings", I have none of the "Scan when opening" options checked.

I'm running a perl script from a command window which reads all the files in a directory and computes a checksum for each file. The problem is, avast is scanning every file for which a checksum is computed even though these files are just being read and not written. This slows things way down.

In more detail, the executable file "Perl.exe" is being executed from the command line. It, in turn, reads the script file "crc32.pl" which, in turn, reads files "1.jpg", "2.jpg", etc. Avast is scanning "1.jpg", "2.jpg", etc. even though these files are just being read and not written. Is there any way to get around this? Note that "1.jpg", "2.jpg", etc. could be any file type, not necessarily .jpg.

Thanks for any help. I'm hoping that there are some settings that will allow me to run this script without having to manually turn avast off. Under "Expert Settings" "Exclusions", I even tried adding "Perl.exe" (with the full path) to the "X" list to exclude it when executed, but that didn't work either.

The product seems pretty nice so far, so I'm really hoping to resolve this. Thanks again!

-Dave

[swarnava]

make the entire folder into exclusion list..i think avast will not scan then

[DavidR]

Personally that is a poor choice, as it drives a coach and horsed through your security. Not to mention if you read the OPs post again you will find that there is no specific folder mentioned and I suspect from the description of the perl script actions, these files could be in multiple areas.

@ dave18
Could it be that your perl script isn't just opening the file up with read permissions, if it opens with write permission that could be what is triggering the scan and .jpg files would be in the default list of files types to be scanned.

You can exclude a file from a scan, but you can exclude a files actions.

Have you made any changes in the Sensitivity section of the expert settings ?

[dave18]

Thanks for the reply!

make the entire folder into exclusion list..i think avast will not scan then

I can't do that because I can potentially run this script on any folder on my system. Besides, if I was writing in these folders, I would want to do the scan. I just don't want to do the scan for reads.

Thanks again.

-Dave

[dave18]

Thank you, too, for the reply!

Could it be that your perl script isn't just opening the file up with read permissions,

That is a great idea. I did, in fact, check into that last night before I posted here. The perl script actually just does the parsing and directory work. It ultimately calls "crc32.exe" to compute the checksum. I checked the source code for "crc32.exe" (it was written using the C programming language) and it definitely opens the files in "read only" mode. I can provide the exact call to fopen() if needed.

Have you made any changes in the Sensitivity section of the expert settings ?

I just tried all levels of sensitivity, but nothing helped.

So I was playing around and I can reproduce this problem without using scripts at all. So, since this problem is more general than I originally thought, I'm going to go ahead and start a new thread with all the details. I'm afraid this thread might scare away anyone not comfortable with scripting!

Thanks again for all your suggestions! I hope to see you over in my new thread.

-Dave

[dave18]

OK, I just wanted to report back... I found a work around for the problem. It turns out, the extension ".jpg" is some kind of "magic" extension for avast. All I had to do was add entries in the "Exclusions" list for "*.jpg" and "*.jpeg" for "R" (reads) and that fixed the problem.

Here's the thread I posted on it if anyone's interested:

http://forum.avast.com/index.php?topic=66885.0

Thanks again for all the help!

-Dave

[DavidR]

You're welcome, unfortunately I'm not familiar with perl or C languages.

Contrary to what it may appear in my profile info to the left of my posts, I'm only an avast user and not an avast employee.

Well .jpg files are not just magic to avast as they are targeted by malware and if you don't scan files that are malware targets, etc. then many of the various testing organisations will mark it against you in tests.

Though for a read only I guess that is a reasonable workaround as it is when they are opened that they can be exploited if the file has been modified.

[dave18]

You're welcome, unfortunately I'm not familiar with perl or C languages.

No problem. Luckily, this problem wasn't perl or C specific. Otherwise, there might be trouble.

Contrary to what it may appear in my profile info to the left of my posts, I'm only an avast user and not an avast employee.

Well, you've been extremely helpful, so I do appreciate that!

Well .jpg files are not just magic to avast as they are targeted by malware and if you don't scan files that are malware targets, etc. then many of the various testing organisations will mark it against you in tests.

That makes sense. I wonder if any of the test organizations mark down for scanning a file on read when you tell it not to scan files on read!

Though for a read only I guess that is a reasonable workaround as it is when they are opened that they can be exploited if the file has been modified.

That was my thinking. In order to exploit the file, it must be created or modified, i.e. written. So instead of scanning it the 100 times I read it, just scan it the one time I write it. I don't know, maybe that's flawed thinking, but it seems logical to me.

Thanks again for the help!

-Dave

[DavidR]

Well test organisations can't really fault user choice overriding a default action

Well in the case of a .jpg if it is infected before it gets to your system then the act of just opening it (if it weren't scanned could be enough), no need to modify, though the act of copying it into your system (it would be classed as a new file, creation) should see it scanned.

I don't know how the avast Transient cache would come into effect here if the file is opened multiple times it should be scanned once and if clean, not again. Unless a) the file changes or b) you have a virus definitions update, in which case the transient cache would be cleared.

avast 5 - Scan Transient and Persistent caching to speed scanning.

Use transient caching - if transient caching is used, a file that has been scanned, and in which no infection was detected, will not be scanned again the next time it is accessed. However, this is only valid until the next virus definitions update, as the file may contain an infection that was not previously detected but which may be detected based on the new virus definitions. Also, information that the file is clean will only be stored in the computer's operating (temporary) memory. This means that when the system is restarted the information will be lost, therefore the file will also be scanned again the next time it is accessed after a system restart. This box is checked by default; if you want files to be scanned every time they are accessed. this box should be unchecked.

Use persistent caching - if persistent caching is used, the information about the scanned file is stored in the permanent memory. This means it is not lost after a system restart and it is also not affected by virus definition updates. Consequently, persistent caching is suitable only for files which are guaranteed not to contain any virus infection e.g. operating system files, files signed by trusted publishers, or other files covered by the avast! whitelist. This box is checked by default; if you want all files to be scanned regardless of their trust status, this box should be unchecked.

Glad I could help.