Author Topic: Why IM-shield and P2P-shield  (Read 5964 times)

Offline Lars-Erik

  • Avast Evangelist
  • Sr. Member
  • ***
  • Posts: 394
    • Lars-Erik Østerud
Why IM-shield and P2P-shield
« on: March 21, 2011, 12:32:19 AM »
While debugging other things I have looked a bit at the realtime scanners in avast!
And I have some thoughts/questions that I'd like some input on :-)

What is really the point of the IM-shield and P2P-shield?

All the files I downloaded with Vuze (P2P) or Trillian (IM) were scanned by the File-shield.
The IM-shield and P2P-shield scanned INI, XML and other files in the program directories for Vuze and Trillian. But also here the EXE files were scanned by the File-shield as well.

So...

1) What is the advantage of the IM-shield and P2P-shield over only having File-shield?
2) Do the IM-shield and P2P-shield use much resources (CPU and RAM)?
3) Do the IM-shield and P2P-shield slow down Vuze and Trillian, or?
4) What is the real danger if I disable the IM-shield and P2P-shield?
www.osterud.name - ICQ: 7297605 - AIM/Yahoo/Facebook/Skype/Astra: LarsErikOsterud

ArtemisF0wl

  • Guest
Re: Why IM-shield and P2P-shield
« Reply #1 on: March 21, 2011, 12:35:26 AM »
The File System Shield doesn't scan "everything" - unless you change some of the settings.

But yes, these two shields (and IM Shield as well) are very similar. However, since P2P and IM Shields target specific programs (or more precisely, folders/files), they can use higher sensitivity for the files they scan - scanning any type of file, unpacking all the archives. If you set the same sensitivity (scanning all files, unpacking all the archives) for the File System Shield, it would probably kill your system during heavier file operations.

So, you can imagine P2P and IM Shields as special configurations of File System Shield for specific folders.

Offline Lars-Erik

Re: Why IM-shield and P2P-shield
« Reply #2 on: March 21, 2011, 12:42:51 AM »
OK. So you are saying that I could as an example set not to check packer in the File-shield, and then set higher sensitivity and check all packers with IM- and P2P-shields (and maybe Mail- and Web-shield too).

To do a deeper scan of files coming from IM, P2P, Mail and Web (that is the highest risks) and just a normal quick scan in the regular file-shield (only risk then being files from CD and USB-disks)?

But if I have set the File-shield to the same high level as IM and P2P (I have it like this now, and except from large delay when copying "packed" EXE files it works ok) then having IM and P2P enabled is just wasting RAM and CPU? Or don't these shields use any extra RAM (are they in the same "file")?

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89061
  • No support PMs thanks
Re: Why IM-shield and P2P-shield
« Reply #3 on: March 21, 2011, 01:29:22 AM »
The file shield doesn't check packers by default, other than those which are self-extracting and droppers, e.g. the three that are checked at the top of the list.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.3.6108 (build 24.3.8975.762) UI 1.0.801/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline Lars-Erik

Re: Why IM-shield and P2P-shield
« Reply #4 on: March 21, 2011, 02:48:39 AM »
I know. But I have the "all packers" enabled for the file-shield.
And that works OK. Can I then save some CPU/RAM by not using the IM and P2P shield?
And is that then as safe (because the file-shield is set as "safe" as they normally are)?

Offline DavidR

Re: Why IM-shield and P2P-shield
« Reply #5 on: March 21, 2011, 03:00:09 AM »
I suspect that you wouldn't see any appreciable difference in RAM, more likely a difference in CPU, but since you already have the file system shield (FSS) in effective paranoid mode, that too is likely to be negligible.

There really is little benefit in scanning the other archives using the FSS. Archive (zip, rar, etc.) files are by their nature inert, you need to extract the files and then you have to run them to be a threat. Long before that happens avast's File System Shield should have scanned them and before an executable is run that is scanned.

The whole point of using the IM and P2P Shields is to intercept the traffic and scan it before anything is saved on your system. If malware is found then the connection for that item/element would be dropped, preventing it getting on your system. Prevention is a better course of action than cure, e.g. trying to remove something after it is on your system.

Offline Lars-Erik

Re: Why IM-shield and P2P-shield
« Reply #6 on: March 21, 2011, 03:22:46 AM »
So a setting where File-shield only scans packed EXE-files, and not the whole file either,
and the other shields (mail, im, p2p) scan for all packers AND scan the whole file, would be best?

What about the web-shield. It has only one setting. So if one sets that to scan the whole file (to be sure) it would do that with all files (html, xml, images) and not only on exe and zip files etc. Would have been nice to be able to choose what files to scan the whole file and what to scan faster.

That should be nice for all shields really. Instead of the "scan whole file" there could be a "scan whole file for these file-types" (and choices could be a predefined list, or you could enter your own).

Offline DavidR

Re: Why IM-shield and P2P-shield
« Reply #7 on: March 21, 2011, 03:40:31 AM »
My feelings are that the default settings in avast provide the best balance between protection and performance.

The IM and P2P aren't scanning whole file in effect as they are scanning the traffic flow and may well detect malware before a complete file is downloaded.

Offline Lars-Erik

Re: Why IM-shield and P2P-shield
« Reply #8 on: March 21, 2011, 10:15:38 PM »
With Trillian the only thing I can see the IM-shield is doing is that it scans the XML and INI files in the Trillian directory over and over (haven't seen it scanning any other files yet :-)

DBone

  • Guest
Re: Why IM-shield and P2P-shield
« Reply #9 on: March 21, 2011, 10:23:04 PM »
Quote from: DavidR
My feelings are that the default settings in avast provide the best balance between protection and performance.

The IM and P2P aren't scanning whole file in effect as they are scanning the traffic flow and may well detect malware before a complete file is downloaded.

David, if you didn't install the P2P or IM shields, would you change any settings? If yes, what settings, in which shields would you change?

Thanks in advance

Offline DavidR

Re: Why IM-shield and P2P-shield
« Reply #10 on: March 21, 2011, 11:16:41 PM »
I don't use IM or P2P applications at all so I don't have these shields installed.

DBone

  • Guest
Re: Why IM-shield and P2P-shield
« Reply #11 on: March 21, 2011, 11:41:25 PM »
Did you make any changes to the settings of the file shield or behavioral shield?

Nesivos

  • Guest
Re: Why IM-shield and P2P-shield
« Reply #12 on: March 21, 2011, 11:53:22 PM »
FS checks files when they

1. Execute
2. Write
3. Open
4. Or are attached to something

P2P shield checks files as they are being downloaded by those P2P programs that you check.

When a file is downloaded by a P2P program the file is downloaded in parts.

The malicious code can be put in any one of those parts or more than one of those parts.

It is usually put in the last part that downloads during the seeding of the file.

The P2P shield will scan the downloaded file parts during the download and abort the download when it finds malicious code.

The FS only scans files as indicated above and not during downloading.

At least that is my understanding.
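
Added example (not part of the thread, and not avast's code): a minimal sketch of the scan-during-download behaviour described in the post above, including the case where a pattern is split across two parts. The signature, class and function names are constructed for illustration, and parts are assumed to arrive in order, which real P2P clients do not guarantee.

```python
"""Added illustration: scan a download as its parts arrive, stop on a match."""

# Constructed stand-in for a detection signature; real engines use far richer
# detection logic than a single byte string.
SIGNATURE = b"EXAMPLE-TEST-SIGNATURE"


class StreamScanner:
    """Scans in-order parts of one file without waiting for the whole file."""

    def __init__(self, signature: bytes):
        self.signature = signature
        self.tail = b""   # last len(signature)-1 bytes of data already seen
        self.offset = 0   # number of bytes consumed so far

    def feed(self, part: bytes):
        """Return the absolute offset of a match, or None if nothing matched."""
        # Prepend the carried-over tail so a signature that straddles the
        # boundary between the previous part and this one is still found.
        window = self.tail + part
        hit = window.find(self.signature)
        if hit != -1:
            return self.offset - len(self.tail) + hit
        keep = len(self.signature) - 1
        self.tail = window[-keep:] if keep else b""
        self.offset += len(part)
        return None


def download(parts, signature=SIGNATURE):
    """Accept parts until one is flagged; return (saved_bytes, match_offset)."""
    scanner = StreamScanner(signature)
    saved = bytearray()
    for part in parts:
        hit = scanner.feed(part)
        if hit is not None:
            # Abort the transfer: the flagged part is never written.
            return bytes(saved), hit
        saved += part
    return bytes(saved), None


if __name__ == "__main__":
    # Constructed sample: the signature starts at offset 10 and is split
    # between the first and second part.
    data = b"A" * 10 + SIGNATURE + b"B" * 5
    print(download([data[:15], data[15:]]))
```

When the match straddles a boundary, the earlier part has already been accepted, so the incomplete file has to be discarded as well as the transfer stopped.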



Hermite15

  • Guest
Re: Why IM-shield and P2P-shield
« Reply #13 on: March 21, 2011, 11:57:06 PM »
Quote from: Lars-Erik
With Trillian the only thing I can see the IM-shield is doing is that it scans the XML and INI files in the Trillian directory over and over (haven't seen it scanning any other files yet :-)

yeah, I've seen the same with Skype ;D ... transferred files being scanned by the file shield anyway, and just by the file shield, excluding any specific interference of the IM shields at sensitivity level, like it's been suggested by an Avast member in another thread.

edit: gotta check the scanning of transferred files, not a hundred percent sure anymore...
« Last Edit: March 22, 2011, 12:01:45 AM by Logos »