Author Topic: Understanding persistent cache  (Read 12419 times)

NewbieAvastUser

  • Guest
Understanding persistent cache
« on: February 06, 2011, 07:43:15 PM »
I was poking through the scan switches on the GUI, noticed persistent scan, then started to read up on it.  There are outstanding questions that I'm hoping to get help on.

Some people worried that files in the cache will not be scanned using updated virus definitions.  The response to this was that very few, specialized files make it into the cache.  

1) Is that an acknowledgement that the files will not be scanned using updated virus definitions?

2) Is this the intended way of using persistent cache, accepting the risk of not scanning the files therein with updated definitions?

3) If very few files make it into the cache, why would it save much scan time?  (Is it because the files are very large?)

4) I see that the "Store data about scanned files in persistent cache" is activated, but "Speed up scanning by using persistent cache" is not.  Why would the default be to spend the time populating the cache but not using it?

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89029
  • No support PMs thanks
Re: Understanding persistent cache
« Reply #1 on: February 06, 2011, 08:24:31 PM »
There are two caches, the Persistent cache and the Transient cache.

avast 5 - Scan Transient and Persistent caching to speed scanning.
Quote
Use transient caching - if transient caching is used, a file that has been scanned, and in which no infection was detected, will not be scanned again the next time it is accessed. However, this is only valid until the next virus definitions update, as the file may contain an infection that was not previously detected but which may be detected based on the new virus definitions. Also, information that the file is clean will only be stored in the computer's operating (temporary) memory. This means that when the system is restarted the information will be lost, therefore the file will also be scanned again the next time it is accessed after a system restart. This box is checked by default; if you want files to be scanned every time they are accessed, this box should be unchecked.

Use persistent caching - if persistent caching is used, the information about the scanned file is stored in the permanent memory. This means it is not lost after a system restart and it is also not affected by virus definition updates. Consequently, persistent caching is suitable only for files which are guaranteed not to contain any virus infection e.g. operating system files, files signed by trusted publishers, or other files covered by the avast! whitelist. This box is checked by default; if you want all files to be scanned regardless of their trust status, this box should be unchecked.

1. The above should answer that for you - files in the Persistent cache don't get in there easily and shouldn't be an issue.

2. Again the above should answer that for you.

3. There are obviously enough candidates for the persistent cache for sufficient savings to make it worthwhile. See this blog entry from around the time these changes were made: http://blog.avast.com/2010/04/25/how-to-make-the-full-system-scan-6x-faster-in-10-days/. Most people found that their scan times came down.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.3.6108 (build 24.3.8975.762) UI 1.0.801/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

NewbieAvastUser

  • Guest
Re: Understanding persistent cache
« Reply #2 on: February 06, 2011, 09:25:29 PM »
DavidR,

Thanks for that.  I did indeed read both articles multiple times before posting.  They seem to be the most relevant for my query, but I still found myself unsure about my understanding of them.  Here was my reason for posting the questions (enumerated based on the same question numbers as my original post).

1) It seemed like the answer is yes, but being unfamiliar with what small set of files go into the cache (and with Windows under the hood in general), I was hoping to confirm my understanding.  In particular, I was not familiar with the factors that cause such files to be so resistant to malicious modification or replacement as time wore on.  I'd still be interested in a layman's summary of this, if such an explanation is even possible.

2) Same reason as for (1)

3) My take on this article (from a layman's perspective) is that it explains speedups from one implementation of persistent cache to the next, but not the speedups from using persistent cache versus not using it.  Empirically, the article implies there is speedup, but I was wondering more about the reason.  With very few files qualifying for caching, it would seem that they must be very big in order to impact the scan.  This is "obvious" from a nonexpert viewpoint, and I was seeking to sanity check it.

4) I was wondering why the default was to spend time populating the cache but not using it.

Offline DavidR

Re: Understanding persistent cache
« Reply #3 on: February 06, 2011, 10:59:29 PM »
Well, I don't believe it is that small, but they are very selective and it does seem to make a difference.

It is hard to give a simpler explanation as a) as an avast user I'm not privy to the underlying methods/rules employed to ensure that those considered are safe for selection and b) ensuring they remain unchanged or would be rescanned. Basically, if a file that is digitally signed is changed, that digital signature will no longer be valid, and that would mean it would have to be scanned. Before that modification occurred the real-time shields should also scan it.

Files at risk or presenting an immediate risk if infected are scanned on creation, modification, being opened (depending on scanner settings and risk) or being Run. So a new file regardless would first be scanned as it isn't in the persistent or transient cache. Subsequent to that scan it may be added to the persistent cache (if trusted publisher, signed, etc.) or if not probably the transient cache.

So essentially it takes a few scans, etc. before the cache would be fully populated and at which point those in the persistent cache won't be continually scanned until their status changes.
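
Added example, not part of the original thread and not avast's implementation: a small Python model of the two caches as the quoted documentation and the reply above describe them. The `ScanCache` class, the `trusted` flag (the caller's signature/whitelist verdict), the SHA-256 binding of cache entries to file content, and the `MARKER` pattern are all assumptions made for illustration.

```python
import hashlib
from dataclasses import dataclass, field

MARKER = b"SAMPLE-MARKER"  # constructed pattern that only definitions v2+ "detect"

@dataclass
class ScanCache:
    defs_version: int = 1
    transient: dict = field(default_factory=dict)   # path -> (sha256, defs_version), RAM only
    persistent: dict = field(default_factory=dict)  # path -> sha256, kept on disk
    scans: int = 0

    def _scan(self, data: bytes) -> bool:
        """Stand-in engine: returns True when the data looks clean."""
        self.scans += 1
        return not (self.defs_version >= 2 and MARKER in data)

    def on_access(self, path: str, data: bytes, trusted: bool) -> str:
        # `trusted` is the caller's verdict (valid signature / whitelist), assumed here.
        digest = hashlib.sha256(data).hexdigest()
        if self.persistent.get(path) == digest:
            return "persistent-hit"            # skipped regardless of definitions
        if self.transient.get(path) == (digest, self.defs_version):
            return "transient-hit"             # skipped only under the same definitions
        # Miss: new file, changed content, or newer definitions. Drop stale entries.
        self.persistent.pop(path, None)
        self.transient.pop(path, None)
        if not self._scan(data):
            return "infected"
        if trusted:
            self.persistent[path] = digest
        else:
            self.transient[path] = (digest, self.defs_version)
        return "scanned"

    def update_definitions(self) -> None:
        self.defs_version += 1                 # old transient entries stop matching

    def restart(self) -> None:
        self.transient.clear()                 # persistent entries survive

def demo() -> list:
    c, out = ScanCache(), []
    out.append(c.on_access("sys.dll", b"signed binary", True))     # scanned
    out.append(c.on_access("doc.bin", b"x" + MARKER, False))       # scanned (v1 misses it)
    c.update_definitions()
    c.restart()
    out.append(c.on_access("sys.dll", b"signed binary", True))     # persistent-hit
    out.append(c.on_access("doc.bin", b"x" + MARKER, False))       # infected
    out.append(c.on_access("sys.dll", b"patched binary", False))   # scanned
    return out
```

In this model a persistent entry is never re-checked against newer definitions, so everything depends on how strictly files are admitted and on the entry being dropped as soon as the content no longer matches.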

NewbieAvastUser

  • Guest
Re: Understanding persistent cache
« Reply #4 on: February 07, 2011, 12:49:44 AM »
OK, thanks.  I'll trust persistent caching then.  Which means I will enable the use of persistent cache (even though it isn't enabled by default for some reason, despite the fact that caching itself is enabled).

Offline DavidR

Re: Understanding persistent cache
« Reply #5 on: February 07, 2011, 01:49:53 AM »
You're welcome.