"New and changed files only" - Why not?

Hi. I have been using the latest KAV2006 beta for a few days and have a question. Actually, I suppose the question applies to any antivirus with this option.

Is there some reason why I would not want to use the option (in several places) to scan only new and changed files? Is there less protection this way?

KAV offers this and I don't know what other programs do. I have NOD on a laptop but cannot remember if it has the option only to scan new and changed files. If the protection is the same, this seems like a great time saver.

Thanks.

 

If your system already has malware and not in KAV's AV bases and then is later added to the bases it will not be detected if this option.

Leave it enabled from realtime and disabled for manual scans (like default).

 

But it will - Every AV will check all files again once the defs are updated.

 

Not with KAV 6 beta. A database of previously checked files is maintained. If the option to only scan new or changed files is selected, only the files not in this database (new) or changed from the database timestamp (changed) will be scanned.

As stated previously, the safest way is to maintain the default settings.

 

If that's true, they dropped the ball right there.

 

Of course on demand scans don't use this option by default (startup scans etc). It can also be disabled.
I don't think its bad to be like this by default.

 

1. The Real-time Monitor of several AV's including KAV 2006, VBA32 and Dr Web all have the possibility of scanning only new and changed files. In particular, SpIDerGuard of Dr Web in Smart-mode has for years only processed a restricted number of files. The main advantage of only processing new/changed files is on performance where there is very little effect of this setting. Hence very lightweight RTM's; ideal for the older computer or gamers.

However, there are drawbacks. It works fine until you miss a virus definitions database update, or turn the Running Guard off for some time, so the system gets infected.

Dr Web users were encouraged to carry out Regular on-demand scanning to cover this drawback and most users reported no problems with this setting. An excellent balance between performance and protection.

Further, in the new version of Dr Web, this potential disadvantage has been covered by the Enhanced protection mode of SpIDerGuard where any object not scanned is sent to a background scanning engine.

I use Smart-mode with SpIDerGuard of Dr Web and the "process only new file" settings with the RTM of VBA32 but supplement these settings with regular on-demand all-file scans. So far so good.

If installed on a clean system, with regular on-demand scans on full settings then this is a good balance between protection and performance. But I would not recommend this setting for everybody, particularly newbies.

2. Again with just on-demand scanning I would still carry out regular all-file checking.

Overall, the new and changed file setting is a good choice in the RTM of AV's, if the drawbacks are known and if supplemented by regular full on-demand scanning. But even with on-demand scanning, all-file scanning is important to cover any holes in the RTM.

 

Interesting info. I have gone back and looked at the settings in the newest beta of KAV. It looks like scanning of new and changed files is the default setting on what they call "file anti-virus." I think this is the part of the system which checks files upon access.

All of the other scan settings (scan, scan critical areas, scan my computer, startup scan) default to checking all files, not just the new or changed ones. It seems like this jives with what is a good setup according to the information given by other posters above.

In the beta KAV 2006, it looks like only the startup scan has the option to be run after every update.

 

Well NOD has this option too for it's on-access scanner, but it will re-scan all those files when the defs has been updated.
I really can't see any good reason why an AV should ignore already scanned files just because they haven't changed..
Who knows what nasties could be hiding in those files?

 

For speed reasons.

Of course the malware will be detected in an on demand/ startup scan providing the signitures are present. These are the default settings.

 

The point is those files x y z could already be infected, but weren't detected at that time with the current DB ... Detection for this malware is then added at a later date ... etc.

 

You can't get rid of the constantly increasing scan time or better the total scan time of your scanners.

 

Suppose file abc.exe is infected with an undiscovered virus X.
Your scanner won't find virus X and won't report abc.exe as an infected file.
Two days later the definition-database gets an updating of virus X.
The file abc.exe is still the same and if you don't scan it, it still would be infected.
If you scan it, abc.exe will be reported as an infected file.
So dog is right IMO.

 

I agree, sounds like nit picking to me, when really it is a matter of choice by the user how to scan with AV.

Suppose a frog had wings..... He would not bump his butt when he jumped.

 

If the frog makes the wrong choice he ends up on a menu or at least his legs do.

 

"IF", the biggest word in the dictionary.