Kaspersky Scan Times! (How Long?)

You forget that the signature databases (the detections) are updated all the time. A file received on Monday could be classified clean, because the av is only updated on Wednesday

Of course, the file scanner should pick it up after Wednesday when you access the file, but a full system scan will show the file infected without you having to access it.

This has nothing to do with the brand of scanner used, it's just part of the way av detection works; ie relying on the recognition of malware by analyzing it / adding detection for it.

 

Yes. This depends on your AV, its RTM settings and the age of your computer.

A lot of AV running guards can grind a system to a halt when cranked up to the maximum setting. Setting RTM's to scan ALL FILES in a number of AV's can slow everything down, particularly on an older computer. Therefore a number of users may select the best option for protection and performance, which maybe selecting a "smart" setting of scanning only new and changed files or dropping the scan all file setting in the running Guard to one by extensions.

Dr Web's Real-time SpIderGuard for example, can only be run in Smart Mode on the majority of computers. The NT SpiderGuard when in 'smart-mode' does not check files when they are executed. In other than "smart" mode all files will be scanned. However, use "run and open" and "create and write" instead of smart mode, and it will take for ever for every program to open. That's the reason why smart mode is the default setting in Spiderguard.

But one way round this is to make sure you scan EVERY new file coming in to your system manually and back this up with regular scanning using FULL settings of the Dr Web on-demand scanner. VBA32 also has this "smart" RTM setting but again they advise to run regular on-demand scans.

Further, some people would like to know whether they have malware in archives on their system. Again a number of AV's do not have archive scanning as an option in their RTM or it is not the default setting. Therefore any malware here will be only be picked up by the Full scan of the on-demand scanner (or by the RTM when the archive is opened).

Personally, even on new machines, I am always looking for the lightest RTM setting and therefore I routinely always carry out regular ALL file on-demand scans just in case anything has passed through.

 

Your scenario above... would this specific scenario be bad with the "Scan new and changed files only" option checked?

Let's say you went to execute that file on Wednesday. It wouldn't be scanned and would be capable of doing it's harm, would it not?

I know that Kaspersky picks random time frames as to when to scan that file again, but your scenario refers to only a 2 day time frame and would probably make using the "Scan new and changed files only" option bad.

I like the Kaspersky engine and options (using AVS) but after thinking about this scenario above I may just not use that specific option anymore.

 

Interesting clarifications - thanks!

 

If you do regular on-demand scans on standard level or high level setting, it should be safe. I've always kept the recommended settings.

 

but if the file that had been scanned before is now infected it must of changed so it would get scanned again hence the name "scan new and changed files only" so it must of changed to be infected so it will be detected with the new signitures.
kaspersky wouldnt put the technlogy in if it missed malware because the option is on.
and anyway its a default option for at least file av
lodore

 

But if the file was already infected, and slipped through before the definitions were updated, it wouldn't have changed, so wouldn't be scanned again, and would only be detected when executed, or in a system scan, yes? I think I get it now.

 

hmm i didnt think of that.
dont you think kaspersky would of thought of that?
lodore

 

Let's look at this situation:
You receive a new worm which is not detected by KAV. When it scans the worm it marks it as clean and calculates the checksum. After 5 hours KAV updates arrive with signature for that specific worm. Now the worm is not scanned again because it is not new and it is not modified. In this situation the worm will remain on your PC and you will stay infected untill KAV decides to scan that file (worm) again.

 

I don't really see how they could cover that particular base, but they do get definitions out very quickly, and one would presumably need to be extremely unlucky to get hold of a brand new virus, before the AV vendors get wind of it, and for it also to get past the HIPS detection. This does, however, quantify the need for occasional on-demand system scans, but I still feel that a mainstream, generally 'safe' surfer, needn't perform a full scan more than once every few months.

 

Presumably the worm would be detected as soon as it was executed, after the new signatures arrived. Also, if the worm was active before the new signatures arrived, the PAD and Firewall should detect any suspicious activity.

 

Does this mean that KAV real-time monitor scanes every file, everytime it executes?

BTW, I mentioned worm in this example so it could be any kind of malware.

 

If you have File Scanning switched on, I believe that's the general idea. My understanding is that it's this process that can slow some computers down, which is why we discuss which product is quickest, etc.

 

Up to you, it has several options.

 

Not using Kaspersky but just curious , what is the difference between Smart Mode and the others ?

 

ROTFL

 

Take a look here at lucianbara's post.

 

Thank you , Blackcat !