MSE 4

Discussion in 'other anti-virus software' started by stratoc, Apr 24, 2012.

  1. Daveski17

    Daveski17 Registered Member

    Joined:
    Nov 11, 2008
    Posts:
    10,239
    Location:
    Lloegyr
    Again, maybe I'm missing something here, but surely an archived file that's already been scanned is not a threat? I just downloaded the SeaMonkey 2.9 installer (in SeaMonkey) & MSE performed its standard scan (it shows scanning in Download Statusbar) but I have the archive files deselected. If it's been scanned at least once, surely it can't be a viable threat?
     
    Last edited: Apr 28, 2012
  2. Zyrtec

    Zyrtec Registered Member

    Joined:
    Mar 4, 2008
    Posts:
    534
    Location:
    USA

    It doesn't matter whether it's a .zip, .rar archive or just a plain .exe file.
    For example, last night, I downloaded Dropbox 1.2.40 [latest version, from MajorGeeks]. It's nearly a 20 MB .exe file [not .zip or .rar] and, I noticed a performance hit on Firefox 12.0 [my default browser] when the downloaded file was sent by FF to MSE v4 for scanning. FF froze and turned unresponsive for 45sec. to about a minute.

    Afterwards, when I opened the Download folder on my desktop, containing just that downloaded .exe file, again MSE wouldn't let the file completely load when hovering the mouse pointer over it.

    It's not just a .zip or .rar files problem, it's whenever you interact with any .exe file.


    Carlos
     
  3. Daveski17

    Daveski17 Registered Member

    Joined:
    Nov 11, 2008
    Posts:
    10,239
    Location:
    Lloegyr
    OK, I understand now. I can understand scanning a downloading file but it seems odd to still actively scan or interact with an archived file. Like I said earlier though, this problem isn't just peculiar to MSE.
     
  4. Seer

    Seer Registered Member

    Joined:
    Feb 12, 2007
    Posts:
    2,068
    Location:
    Serbia
    While I can't find a reference to confirm this atm, as far as I know MSE does not keep a list of already scanned files (like many popular AVs do), it always scans on file access. Maybe someone can confirm (or refute) this.
    This was the main reason I uninstalled MSE a couple of months ago.
     
  5. marc57

    marc57 Registered Member

    Joined:
    Aug 15, 2006
    Posts:
    83
    Location:
    St Marys,WV. U.S.A.
    There's a fix for that. (This still works with MSE4)

    http://downloadsquad.switched.com/2...t-security-essentials-check-for-updates-more/

    Important points:
    It Works. http://www.westcoastlabs.com/realTimeTesting/article/?articleID=1
    They kept it in beta long enough to fix most of the problems. (Some don't)
    I never see a pop-up trying to up-sell me to a paid version.
    I don't have to worry about re-registering every few months or it stops working.
    I get fewer calls from my users because of false positives.
     
    Last edited: Apr 28, 2012
  6. Zyrtec

    Zyrtec Registered Member

    Joined:
    Mar 4, 2008
    Posts:
    534
    Location:
    USA

    Seer,

    You hit the nail on the head. That is true and it's the reason why MSE causes this "delay" when opening a folder containing .exe files.

    As many popular AVs do, MSE does NOT keep a list of the .exe files it already scanned.

    Now, my question would be: Is that so difficult or costly to implement [file caching] so the AV "recognizes" the .exe files it already scanned and thus, doesn't have to re-scan the same files over again and again [unless they have been changed, of course] ?



    Carlos
     
  7. lodore

    lodore Registered Member

    Joined:
    Jun 22, 2006
    Posts:
    9,065
    I wouldn't have thought it would be hard to implement. They could also add a whitelist of known files to never scan like other vendors do, which would help to solve the slowdown issue.

    Additionally, archive scanning in realtime shouldn't be needed. Once an archive is extracted the realtime AV should then detect the file and deal with the threat.
     
  8. Seer

    Seer Registered Member

    Joined:
    Feb 12, 2007
    Posts:
    2,068
    Location:
    Serbia
    I can see how implementing caching puts a fair amount of stress on resources (CPU/RAM), so in a couple of months we'll see a bloated MSE (caching implemented), then things will slowly iron out, and in a year or two MSE will be a true competitor.

    As it is now, when compared with major freeware players, I am afraid that MSE looks rather unsophisticated.
    To me, at least.
     
  9. Daveski17

    Daveski17 Registered Member

    Joined:
    Nov 11, 2008
    Posts:
    10,239
    Location:
    Lloegyr
    I suppose it's to keep MSE as light as possible. Like I've said before, there's always a trade-off. I've used other suites (the bloaty ones ;) ) that acted similarly with opening folders of .exe files though.
     
  10. xxJackxx

    xxJackxx Registered Member

    Joined:
    Oct 23, 2008
    Posts:
    8,642
    Location:
    USA
    I would think that it would have the opposite effect. Maybe they don't keep a list because they are worried that if they miss something they might catch it the next time around. o_O
     
  11. Daveski17

    Daveski17 Registered Member

    Joined:
    Nov 11, 2008
    Posts:
    10,239
    Location:
    Lloegyr
    LOL Maybe.
     
  12. emmjay

    emmjay Registered Member

    Joined:
    Jan 26, 2010
    Posts:
    1,546
    Location:
    Triassic
    If you have a huge number of pictures, videos and/or large files that you keep on your C: drive and you do not want MSE to continually rescan them on a FULL scan, consider partitioning your C: drive and moving the files there. That way you can exclude them from the full scan using the following:
    Settings Excluded files and locations
    (enter X:\ the partition name as the location).

    I have a partition that I do not scan and it works for me. Once the stuff has been scanned once I move it over. You can still access your stuff and your scans will only ever be on your C:\ partition.
     
  13. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    I hope I'm not mistaken, but I believe that, not so long ago, I read an article where it was mentioned that a few security solutions do keep a white-list, based on digital signatures. If it matches one, it won't scan the file.

    Uh oh... I also hope I'm not mistaken, but I also think :rolleyes: I've read... not sure where... that malware authors also use stolen digital signatures...

    So, on one hand, we got something that rescans, but has no white-list, and on the other hand, others do have a white-list, which could also include digital signatures. Which one to take? o_O :D White-listing by hash would take longer, so it would make sense to roll-out digital signatures white lists.

    Between the devil and the deep blue sea, I suppose. :argh:
     
  14. kupo

    kupo Registered Member

    Joined:
    Jan 25, 2011
    Posts:
    1,121
    Actually, MSE doesn't always rescan files. Try this: perform a quick scan. After that, perform the quick scan again. You will see that the number of files scanned will decrease and the time will be faster.
     
  15. RejZoR

    RejZoR Lurker

    Joined:
    May 31, 2004
    Posts:
    6,426
    And you think others like avast! or Kaspersky who cache a lot of stuff won't detect it if detection is added later? Lol. Caching mechanisms are designed to work both ways. High performance with no compromise.
     
  16. DavidCo

    DavidCo Registered Member

    Joined:
    Jul 9, 2005
    Posts:
    503
    Location:
    UK
    skudo12
    That's a good observation & could explain a lot :)

    I wonder if there is a log to compare scans to find out what is different
     
  17. lodore

    lodore Registered Member

    Joined:
    Jun 22, 2006
    Posts:
    9,065
    I have thought about that issue also. I would assume the file would be scanned and if the content of the file is flagged as malicious that would overwrite the digital signature. I would like to hear what an expert from a company that implements such a system thinks, though.
    As for cache systems, they are cleared when an update is finished and also during reboot.
     
    Last edited: Apr 29, 2012
  18. 3x0gR13N

    3x0gR13N Registered Member

    Joined:
    May 1, 2008
    Posts:
    850
    With Kaspersky only some parts of the cache are cleared on update and reboot. If the cache completely cleared every 1-2 hrs (update schedule) then it wouldn't be of much use, would it?
    And no, this doesn't really make it less secure because there's a proven mechanism/algorithm developed over several years to facilitate it.
    MSE doesn't need such an advanced algorithm because the database updates are a lot less frequent, but it does need a caching feature (I'm surprised they don't have it as pretty much all other vendors do, in some form or another)
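
Added illustration of the caching question debated in this thread (not part of any post, and not MSE's or any vendor's code): a clean-verdict cache keyed on content hash and definition version, so unchanged files skip the engine while a definition update or a file change forces a rescan. The class name, the toy byte-string "signatures" and the sample file contents are constructed for the example; hashing stands in for whatever change tracking a real product uses.

```python
import hashlib

class ScanCache:
    """Caches only clean verdicts, each tied to the definition version that produced it."""

    def __init__(self, signatures, defs_version):
        self.signatures = set(signatures)   # toy signatures: byte patterns
        self.defs_version = defs_version
        self.clean = {}                     # sha256 hex -> defs_version it was clean under
        self.engine_runs = 0                # how often the expensive scan actually ran

    def update_definitions(self, signatures, defs_version):
        # Nothing is wiped: old entries simply stop matching the new version.
        self.signatures = set(signatures)
        self.defs_version = defs_version

    def _engine_scan(self, data):
        self.engine_runs += 1
        return any(sig in data for sig in self.signatures)

    def check(self, data):
        digest = hashlib.sha256(data).hexdigest()
        if self.clean.get(digest) == self.defs_version:
            return "clean (cached)"         # same content, same definitions
        if self._engine_scan(data):
            self.clean.pop(digest, None)    # a detection is never cached as clean
            return "detected"
        self.clean[digest] = self.defs_version
        return "clean (scanned)"

def demo():
    cache = ScanCache({b"TOY-SIG-A"}, defs_version=1)
    installer = b"MZ constructed installer bytes"
    dropper = b"MZ constructed bytes with TOY-SIG-B inside"  # unknown to v1 definitions
    out = [cache.check(installer), cache.check(installer),
           cache.check(dropper), cache.check(dropper)]
    # Definition update adds the signature that v1 was missing.
    cache.update_definitions({b"TOY-SIG-A", b"TOY-SIG-B"}, defs_version=2)
    out += [cache.check(installer), cache.check(dropper)]
    # Modified content hashes differently, so it is scanned again.
    out.append(cache.check(installer + b" patched"))
    return out, cache.engine_runs

if __name__ == "__main__":
    verdicts, runs = demo()
    for verdict in verdicts:
        print(verdict)
    print("engine runs:", runs)
```

The file missed under the first definition set is caught on the next access after the update, because its cached verdict no longer matches the current version.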
     
  19. Ianb

    Ianb Registered Member

    Joined:
    Nov 26, 2004
    Posts:
    232
    Location:
    UK
    MSE will cache scanned files but the cache will be cleared on reboot (as lodore posted).

    I read somewhere that you need to uncheck "MS Antimalware" and "MS Management Console" in CCleaner Application tab as this can also have an effect on it.
     
  20. Daveski17

    Daveski17 Registered Member

    Joined:
    Nov 11, 2008
    Posts:
    10,239
    Location:
    Lloegyr
    I think I read about the reason for this on Microsoft Answers once. I'll try & find the thread if I can. It seemed a plausible explanation though. Regardless of what certain people say, there has been quite a lot of thought & effort gone into designing MSE. I find it difficult to knock it, considering it's free.
     
  21. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    One of the things I noticed they improved was reenabling it faster. With version 1 and 2, if you disabled real-time protection, and they reenabled it, it would take a few seconds. They fixed that with version 4. It's almost instantaneous. :thumb:
     
  22. Daveski17

    Daveski17 Registered Member

    Joined:
    Nov 11, 2008
    Posts:
    10,239
    Location:
    Lloegyr
    Yes, I've noticed that as well. It could be very useful to momentarily disable the realtime if you had to move a lot of .exe files around in system folders. I'm sure it wouldn't be much of a security problem.
     
    Last edited: Apr 29, 2012
  23. Seer

    Seer Registered Member

    Joined:
    Feb 12, 2007
    Posts:
    2,068
    Location:
    Serbia
    The main question (to me) would be does it cache on-access scans, as this is where the resource impact would be most noticeable.
    I could care less if consequent on-demands are faster, there are other, much better scanners.
     
  24. kupo

    kupo Registered Member

    Joined:
    Jan 25, 2011
    Posts:
    1,121
    That, I wouldn't know. Maybe someone can ask this in Microsoft's forums? :D
     
  25. malexous

    malexous Registered Member

    Joined:
    Jun 18, 2010
    Posts:
    830
    Location:
    Ireland
    Some observations from a Windows XP SP3 virtual machine:

    Only the extracted file is detected (and quarantined) after copying a zip file from the host to the virtual machine, irrespective of the state of the "Scan archive files" setting.

    When "Scan archive files" is selected, a zip file is detected (and quarantined) when downloaded from the internet (Internet Explorer 6).

    When "Scan archive files" is deselected only the extracted file is detected (and quarantined) from a zip file downloaded from the internet (Internet Explorer 6).
     