7.0.1407 - File System Shield activity & FSS exclusions

[Asyn]

What OS are you using, as both of us are using XP Pro ?

Just had a look, no problems here.

[Tetsuo]

Sorry if you have already clarified this but during the "FSS constant scan" what's the behavior of the tray icon? is it spinning?
I'm asking because I have to check my father's laptop (XP Pro SP3).

[DJBone]

What OS are you using, as both of us are using XP Pro ?

I have the same problem on my WinXP Home SP3 Laptop. FSS scans the  same file (the UI of my WLAN driver) again and again...

DJBone

[DavidR]

Sorry if you have already clarified this but during the "FSS constant scan" what's the behavior of the tray icon? is it spinning?
I'm asking because I have to check my father's laptop (XP Pro SP3).

I didn't see any appreciably CPU activity or constant rotation of the avast tray icon (you might just see a single rotation for each blip). It is just a constant drip, drip, drip, as the scanned count constantly creeps up. Now as 13694/0 14037/0 whilst just posting this. My system has only been up for about 90 minutes.

[iroc9555]

After excluding a dozen processes or so from FSS and including them to Behavior shield:

C:\Archivos de programa\Creative\VoiceCenter\AndreaVC.exe
C:\Archivos de programa\Digital Line Detect\DLG.EXE
C:\Archivos de programa\HP\Digital Imaging\bin\hpqste08.exe
C:\Archivos de programa\Logitech\Logitech WebCam Software\LWS.exe
C:\Archivos de programa\Intel\Intel Matrix Storage Manager\IAANTMON.EXE
C:\Archivos de programa\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Archivos de programa\TrippLite\PowerAlert\console\pastatus.exe
C:\Archivos de programa\TrippLite\PowerAlert\engine\pal.exe
C:\Archivos de programa\UPHClean\uphclean.exe

C:\Archivos de programa\Archivos comunes\Creative Labs Shared\Service\CREATIVELICENSING.EXE
C:\Archivos de programa\Archivos comunes\LogiShrd\LQCVFX\COCIMANAGER.EXE
C:\Archivos de programa\Archivos comunes\LogiShrd\LVMVFM\LVPRCSRV.EXE

C:\Documents and Settings\Hernan Perez\Configuración local\Temp\clclean.0001.dir.0000
C:\Documents and Settings\Hernan Perez\Configuración local\Temp\clclean.0001
C:\Documents and Settings\Hernan Perez\Configuración local\Temp\clclean.0001.dir.0000\~df394b.tmp
C:\Documents and Settings\Hernan Perez\Configuración local\Temp\clclean.0001.dir.0000\~efe2.tmp

C:\WINDOWS\STSYSTRA.EXE

C:\WINDOWS\system32\CTMBHA.dll
C:\WINDOWS\SYSTEM32\CTSVCCDA.EXE
C:\WINDOWS\SYSTEM32\DLA\DLACTRLW.EXE
C:\WINDOWS\SYSTEM32\NVSVC32.EXE

 I got stuck with

C:\Documents and Settings\Hernan \Local configuration\Temp\clclean.0001.dir.0000

Did not want to go away. However; This morning fooling around with the Clound Services and streaming updates, I disabled it rebooted and enabled it again and rebooted. Did not get connection stablished or the folder for the steaming updates in Avast! def file that I was expecting to accomplish with it, but I got FSS to work the right way . Avast! icon is not spinning like crazy any more and last file scanned changes accordingly. Now I have to take back all the exclutions in FSS and see what happens.

@ Tetsou

Sorry if you have already clarified this but during the "FSS constant scan" what's the behavior of the tray icon? is it spinning?
I'm asking because I have to check my father's laptop (XP Pro SP3).

Yes, The icon is constantly spinning if the comp is at idle. You can also check your CPU for spikes. Mine was all the time jumpping to 40% o 60% when normally it did not pass 15%. Also take a look at your FSS. See my screenshots. One is FSS working like crazy the other is FSS working like it is supposed to. Guess which is which ?

@ DavidR

I had some cpu spikes as explain above

[bob3160]

Almost looks like a Ccleaner temp file (Undo file) that's being scanned.
I don't have the problem but don't have Ccleaner installed either.

[DavidR]

@ DavidR

I had some cpu spikes as explain above

Yes, but my instance isn't anywhere near as severe as yours was, so my CPU wasn't an issue and the tray icon as mentioned would generally rotate once.

[Tetsuo]

mmmh... thanks for the info, guys.

[iroc9555]

@ Bob

Almost looks like a Ccleaner temp file (Undo file) that's being scanned.
I don't have the problem but don't have Ccleaner installed either.

Thank you for your idea, but no, it is not a CCleaner file. It is a file for SoundBlaster Audigy integrated audio.

Well I started to delete files from FSS exclusion list and it did not work. Avast is back like crazy scanning all those files again and again. 

[Gopher John]

Sorry if you have already clarified this but during the "FSS constant scan" what's the behavior of the tray icon? is it spinning?
I'm asking because I have to check my father's laptop (XP Pro SP3).

I didn't see any appreciably CPU activity or constant rotation of the avast tray icon (you might just see a single rotation for each blip). It is just a constant drip, drip, drip, as the scanned count constantly creeps up. Now as 13694/0 14037/0 whilst just posting this. My system has only been up for about 90 minutes.

My system has been up a little over 2.5 hours and the FSS shows 2130/0.  I have *\firefox\profiles\*sessionstore*.js as an exclusion on write ( due to a recommendation from someone ).  You might see if that will help.  At the time I entered that exclusion in the distant past, it did help a particular situation but it might not even be necessary now.  The sad thing is that I don't remember the details, now.

I don't have WinPatrol installed.  Is it possible that it is touching some file and triggering the FSS on it?  I'm not familiar with that program, just that it is highly recommended by many.

[DavidR]

The other thing is that many of the files that are being scanned, shouldn't be being scanned in any case under the default FSS settings.

Take some of those listed by iroc9555:
C:\Documents and Settings\Hernan Perez\Configuración local\Temp\clclean.0001.dir.0000
C:\Documents and Settings\Hernan Perez\Configuración local\Temp\clclean.0001
C:\Documents and Settings\Hernan Perez\Configuración local\Temp\clclean.0001.dir.0000\~df394b.tmp
C:\Documents and Settings\Hernan Perez\Configuración local\Temp\clclean.0001.dir.0000\~efe2.tmp

These aren't executables or dlls, so why the FSS shield would be even scanning them outside of the issue being covered here, is beyond me.

I have seen several such files being scanned that aren't .exe or .dll, etc.

[DavidR]

<snip quotes>
My system has been up a little over 2.5 hours and the FSS shows 2130/0.  I have *\firefox\profiles\*sessionstore*.js as an exclusion on write ( due to a recommendation from someone ).  You might see if that will help.  At the time I entered that exclusion in the distant past, it did help a particular situation but it might not even be necessary now.  The sad thing is that I don't remember the details, now.

I don't have WinPatrol installed.  Is it possible that it is touching some file and triggering the FSS on it?  I'm not familiar with that program, just that it is highly recommended by many.

I have had the *\firefox\profiles\*sessionstore*.js exclusions for absolutely ages, in fact I believe it is now a default exclusion.

WinPatrol link avast is meant to be on-access so something would have to make a system change, etc. for it do reach out to check.

[reesd]

I am seeing the same thing on XP as I reported at http://forum.avast.com/index.php?topic=94168.msg749722.

I am seeing processlasso.exe every second, and  am seeing KiwiLogViewer.exe and notepad++.exe every few seconds.

d

[DavidR]

Update:

I appear to have many, more files in this repetitive scan cycle.

Switched OK files on in the FSS Report file settings, Stopped FSS to enable changed setting, Started FSS. Left on for 3 minutes, unchecked the OK files in the Report file, Stop and Start FSS. In that 3 and a bit minutes over 900 files were scanned.

25/02/2012 17:54:31   C:\PROGRAM FILES\ROCKETDOCK\ROCKETDOCK.EXE  is OK
25/02/2012 17:54:31   C:\PROGRAM FILES\LOGITECH\SETPOINT\SETPOINT.EXE  is OK
25/02/2012 17:54:31   C:\PROGRAM FILES\LOGITECH\SETPOINT\SETPOINT.EXE  is OK
25/02/2012 17:54:31   C:\PROGRAM FILES\YAHOO!\WIDGETS\YAHOOWIDGETS.EXE  is OK
25/02/2012 17:54:31   C:\PROGRAM FILES\YAHOO!\WIDGETS\YAHOOWIDGETS.EXE  is OK
25/02/2012 17:54:31   C:\PROGRAM FILES\COMMON FILES\LOGISHRD\KHAL2\KHALMNPR.EXE  is OK
25/02/2012 17:54:31   C:\PROGRAM FILES\COMMON FILES\LOGISHRD\KHAL2\KHALMNPR.EXE  is OK
25/02/2012 17:54:31   C:\PROGRAM FILES\YAHOO!\WIDGETS\YAHOOWIDGETS.EXE  is OK
25/02/2012 17:54:31   C:\PROGRAM FILES\YAHOO!\WIDGETS\YAHOOWIDGETS.EXE  is OK
25/02/2012 17:54:31   C:\PROGRAM FILES\YAHOO!\WIDGETS\YAHOOWIDGETS.EXE  is OK
25/02/2012 17:54:31   C:\PROGRAM FILES\YAHOO!\WIDGETS\YAHOOWIDGETS.EXE  is OK
25/02/2012 17:54:31   C:\PROGRAM FILES\SUPERANTISPYWARE\SASCORE.EXE  is OK
25/02/2012 17:54:31   C:\PROGRAM FILES\SUPERANTISPYWARE\SASCORE.EXE  is OK
25/02/2012 17:54:31   C:\PROGRAM FILES\JAVA\JRE7\BIN\JQS.EXE  is OK
25/02/2012 17:54:31   C:\PROGRAM FILES\JAVA\JRE7\BIN\JQS.EXE  is OK
25/02/2012 17:54:31   C:\PROGRAM FILES\MALWAREBYTES' ANTI-MALWARE\MBAMSERVICE.EXE  is OK
25/02/2012 17:54:31   C:\PROGRAM FILES\MALWAREBYTES' ANTI-MALWARE\MBAMSERVICE.EXE  is OK
25/02/2012 17:54:31   C:\PROGRAM FILES\POWERQUEST\DRIVE IMAGE 7.0\AGENT\PQV2ISVC.EXE  is OK
25/02/2012 17:54:31   C:\PROGRAM FILES\POWERQUEST\DRIVE IMAGE 7.0\AGENT\PQV2ISVC.EXE  is OK
25/02/2012 17:54:31   C:\PROGRAM FILES\CAPS LOCK CHANGER\CAPS_LOCK_CHANGER.EXE  is OK
25/02/2012 17:54:31   C:\PROGRAM FILES\CAPS LOCK CHANGER\CAPS_LOCK_CHANGER.EXE  is OK
25/02/2012 17:54:31   C:\PROGRAM FILES\BELKIN BULLDOG PLUS\MUPS.EXE  is OK
25/02/2012 17:54:31   C:\PROGRAM FILES\MOZILLA THUNDERBIRD\THUNDERBIRD.EXE  is OK
25/02/2012 17:54:31   C:\PROGRAM FILES\MOZILLA THUNDERBIRD\THUNDERBIRD.EXE  is OK
25/02/2012 17:54:31   C:\PROGRAM FILES\TECHSMITH\SNAGIT 10\SNAGIT32.EXE  is OK
25/02/2012 17:54:31   C:\PROGRAM FILES\TECHSMITH\SNAGIT 10\SNAGIT32.EXE  is OK
25/02/2012 17:54:31   C:\PROGRAM FILES\TECHSMITH\SNAGIT 10\TSCHELP.EXE  is OK
25/02/2012 17:54:31   C:\PROGRAM FILES\TECHSMITH\SNAGIT 10\TSCHELP.EXE  is OK
25/02/2012 17:54:31   C:\PROGRAM FILES\TECHSMITH\SNAGIT 10\SNAGPRIV.EXE  is OK
25/02/2012 17:54:31   C:\PROGRAM FILES\TECHSMITH\SNAGIT 10\SNAGPRIV.EXE  is OK
25/02/2012 17:54:31   C:\PROGRAM FILES\TECHSMITH\SNAGIT 10\SNAGITEDITOR.EXE  is OK
25/02/2012 17:54:31   C:\PROGRAM FILES\TECHSMITH\SNAGIT 10\SNAGITEDITOR.EXE  is OK
25/02/2012 17:54:31   C:\PROGRAM FILES\JGSOFT\EDITPADLITE\EDITPADLITE7.EXE  is OK
25/02/2012 17:54:31   C:\PROGRAM FILES\JGSOFT\EDITPADLITE\EDITPADLITE7.EXE  is OK
25/02/2012 17:54:31   C:\PROGRAM FILES\7-ZIP\7ZFM.EXE  is OK
25/02/2012 17:54:31   C:\PROGRAM FILES\7-ZIP\7ZFM.EXE  is OK
25/02/2012 17:54:33   C:\Program Files\PowerQuest\Drive Image 7.0\Agent\PQSmeCOM.dll  is OK
25/02/2012 17:54:33   C:\Program Files\PowerQuest\Drive Image 7.0\Agent\gwlangEN.dll  is OK
25/02/2012 17:54:34   C:\WINDOWS\system32\gearaspi.dll  is OK
25/02/2012 17:54:41   C:\PROGRAM FILES\ROCKETDOCK\ROCKETDOCK.EXE  is OK
25/02/2012 17:54:41   C:\PROGRAM FILES\LOGITECH\SETPOINT\SETPOINT.EXE  is OK
25/02/2012 17:54:41   C:\PROGRAM FILES\LOGITECH\SETPOINT\SETPOINT.EXE  is OK
25/02/2012 17:54:41   C:\PROGRAM FILES\YAHOO!\WIDGETS\YAHOOWIDGETS.EXE  is OK
25/02/2012 17:54:41   C:\PROGRAM FILES\YAHOO!\WIDGETS\YAHOOWIDGETS.EXE  is OK
25/02/2012 17:54:41   C:\PROGRAM FILES\COMMON FILES\LOGISHRD\KHAL2\KHALMNPR.EXE  is OK
25/02/2012 17:54:41   C:\PROGRAM FILES\COMMON FILES\LOGISHRD\KHAL2\KHALMNPR.EXE  is OK
25/02/2012 17:54:41   C:\PROGRAM FILES\YAHOO!\WIDGETS\YAHOOWIDGETS.EXE  is OK
25/02/2012 17:54:41   C:\PROGRAM FILES\YAHOO!\WIDGETS\YAHOOWIDGETS.EXE  is OK
25/02/2012 17:54:41   C:\PROGRAM FILES\YAHOO!\WIDGETS\YAHOOWIDGETS.EXE  is OK
25/02/2012 17:54:41   C:\PROGRAM FILES\YAHOO!\WIDGETS\YAHOOWIDGETS.EXE  is OK
25/02/2012 17:54:41   C:\PROGRAM FILES\SUPERANTISPYWARE\SASCORE.EXE  is OK
25/02/2012 17:54:41   C:\PROGRAM FILES\SUPERANTISPYWARE\SASCORE.EXE  is OK
25/02/2012 17:54:41   C:\PROGRAM FILES\JAVA\JRE7\BIN\JQS.EXE  is OK
25/02/2012 17:54:41   C:\PROGRAM FILES\JAVA\JRE7\BIN\JQS.EXE  is OK
25/02/2012 17:54:41   C:\PROGRAM FILES\MALWAREBYTES' ANTI-MALWARE\MBAMSERVICE.EXE  is OK
25/02/2012 17:54:41   C:\PROGRAM FILES\MALWAREBYTES' ANTI-MALWARE\MBAMSERVICE.EXE  is OK
25/02/2012 17:54:41   C:\PROGRAM FILES\POWERQUEST\DRIVE IMAGE 7.0\AGENT\PQV2ISVC.EXE  is OK
25/02/2012 17:54:41   C:\PROGRAM FILES\POWERQUEST\DRIVE IMAGE 7.0\AGENT\PQV2ISVC.EXE  is OK
25/02/2012 17:54:41   C:\PROGRAM FILES\CAPS LOCK CHANGER\CAPS_LOCK_CHANGER.EXE  is OK
25/02/2012 17:54:41   C:\PROGRAM FILES\CAPS LOCK CHANGER\CAPS_LOCK_CHANGER.EXE  is OK
25/02/2012 17:54:41   C:\PROGRAM FILES\BELKIN BULLDOG PLUS\MUPS.EXE  is OK
25/02/2012 17:54:41   C:\PROGRAM FILES\MOZILLA THUNDERBIRD\THUNDERBIRD.EXE  is OK
25/02/2012 17:54:41   C:\PROGRAM FILES\MOZILLA THUNDERBIRD\THUNDERBIRD.EXE  is OK
25/02/2012 17:54:41   C:\PROGRAM FILES\TECHSMITH\SNAGIT 10\SNAGIT32.EXE  is OK
25/02/2012 17:54:41   C:\PROGRAM FILES\TECHSMITH\SNAGIT 10\SNAGIT32.EXE  is OK
25/02/2012 17:54:41   C:\PROGRAM FILES\TECHSMITH\SNAGIT 10\TSCHELP.EXE  is OK
25/02/2012 17:54:41   C:\PROGRAM FILES\TECHSMITH\SNAGIT 10\TSCHELP.EXE  is OK
25/02/2012 17:54:41   C:\PROGRAM FILES\TECHSMITH\SNAGIT 10\SNAGPRIV.EXE  is OK
25/02/2012 17:54:41   C:\PROGRAM FILES\TECHSMITH\SNAGIT 10\SNAGPRIV.EXE  is OK
25/02/2012 17:54:41   C:\PROGRAM FILES\TECHSMITH\SNAGIT 10\SNAGITEDITOR.EXE  is OK
25/02/2012 17:54:41   C:\PROGRAM FILES\TECHSMITH\SNAGIT 10\SNAGITEDITOR.EXE  is OK
25/02/2012 17:54:41   C:\PROGRAM FILES\JGSOFT\EDITPADLITE\EDITPADLITE7.EXE  is OK
25/02/2012 17:54:41   C:\PROGRAM FILES\JGSOFT\EDITPADLITE\EDITPADLITE7.EXE  is OK
25/02/2012 17:54:42   C:\PROGRAM FILES\7-ZIP\7ZFM.EXE  is OK
25/02/2012 17:54:42   C:\PROGRAM FILES\7-ZIP\7ZFM.EXE  is OK

I'm far from happy as this was never how it was, and there really shouldn't be a need for a user to go to these lengths, analysis & exclusion of tens of files. When the Transient cache is meant to cater for this repetitive scanning of the same file, until the user reboots, a virus definitions update or the file actually changes.

So it is broken, I can think of no other words to better describe is not working as it should.

For me most of these files although loaded would be pretty dormant.

[spg SCOTT]

David, I think I have managed to replicate this to some extent.

I think there is a settings within FSS settings that causes this. I turned them all pretty much all the way up on every page and I saw what you saw in the report file.

I will test further, to see if I can pin down which one it is.

A small portion of what I see...

Code: [Select]

25/02/2012 18:28:30 C:\Program Files\Rainmeter\Rainmeter.exe [+] is OK
25/02/2012 18:28:30 C:\Program Files\Rainmeter\Rainmeter.exe [+] is OK
25/02/2012 18:28:30 C:\Program Files (x86)\BillP Studios\WinPatrol\WinPatrol.exe [+] is OK
25/02/2012 18:28:30 C:\Program Files (x86)\BillP Studios\WinPatrol\WinPatrol.exe [+] is OK
25/02/2012 18:28:30 C:\Program Files\Alwil Software\Avast5\aswWebRepIE.dll [+] is OK
25/02/2012 18:28:30 C:\Program Files (x86)\BillP Studios\WinPatrol\WinPatrol.exe [+] is OK
25/02/2012 18:28:30 C:\Program Files (x86)\BillP Studios\WinPatrol\WinPatrol.exe [+] is OK
25/02/2012 18:28:30 C:\Program Files (x86)\TOSHIBA\ConfigFree\NDSTray.exe [+] is OK
25/02/2012 18:28:30 C:\Program Files (x86)\TOSHIBA\ConfigFree\NDSTray.exe [+] is OK
25/02/2012 18:28:33 C:\Program Files (x86)\TOSHIBA\ConfigFree\NDSTray.exe [+] is OK
25/02/2012 18:28:33 C:\Program Files (x86)\TOSHIBA\ConfigFree\NDSTray.exe [+] is OK
etc.