SMART SCAN VS IN-DEPTH SCAN: EFFECTS OF ADVANCED SETUP SETTINGS The following statements may be obvious to everyone else --- although I cannot find any substantive equivalents in either the NOD32 v4.2 Help or User Guide --- but I did not know them until a few days ago. In case others also may not know them, I am posting them here. "0) The sole function of this [Smart Optimization] option is to improve scanning speed" [without reducing "efficiency," which could be described as "efficient security" or simply as "security".] "1) Running any On-Demand scan will not change any Advanced Setup Tree settings. "2) Running any On-Demand scan will follow all (i.e. not ignore any) relevant (default or user-selected) Advanced Setup Tree settings. "Both of these statements apply regardless whether the scan is a Smart [optimization] scan or a Custom scan (based on an In-Depth profile, a Context Menu profile, or a User-created-profile), and regardless whether the scan profile uses only Default-settings or uses a mix of Default and User-selected settings (selected from within the Advanced Setup Tree)." ---------------------------------------------------------------- NOTE: I was able to discover and establish these statements' accuracy only with enormous help from ESET's Home support services, by a single correspondent. (Case #686348 - "Other Download/Installation issue - Download/installation". Our email correspondence, 22-30 April 2011, totals approximately 5615 words.) I have posted the statements above with his permission. [His message to me of Friday 29 April 2011, 10:22 am PDT (GMT-07:00)] Statement 0) above is extracted from two messages to me from my ESET Home support correspondent: "I [my ESET Home support correspondent] have been assured that checking the Smart Optimization option has no affect on any of your other user-defined options. The sole function of this option is to improve scanning speed via the mechanism I briefly explained in the last email. Though we cannot disclose the exact mechanisms used, as they are part of our core intellectual property and also change frequently, rest assured that there is no additional security risk associated with using Smart Optimization." [Tuesday 26 April 2011, 09:18 am PDT (GMT-07:00)] The "mechanism I briefly explained in the last email" was: "One example of a behavior that occurs when running under smart optimization is the ability to recognize when a file was scanned last, and if no changes were made to the file or the virus signature database, the scanning engine can skip it, increasing overall scan speed." [Saturday 23 April 2011, 11:22 am PDT (GMT-07:00)] Statements 1) and 2), and the following "Both" paragraph, were drafted by me, but have been read and approved by my ESET Home support correspondent, who showed at least some of our correspondence to other support personnel and to "our product team as well as any other appropriate parties involved with the documentation and support of our product." [Saturday 30 April 2011, 10:38:19 am PDT (GMT-0700)] USES OF THIS INFORMATION As a result of statements 0), 1), and 2), I been able to set up my NOD32 v220.127.116.11 so that I have heightened the security in my Advanced Setup Tree settings. Also, I can choose, from the Graphic User Interface (GUI) Window, either a Smart scan or an In-Depth scan (each with the same heightened security settings). I choose Smart Scan if I am in a hurry, or In-Depth Scan if I want to scan everything on the computer (which alerts me to any files that may have been corrupted even if not modified or created recently). My new setup does not fully follow ESET's recommendations. At the end of this message, see ESET'S APPROACH. BACKGROUND In 2005, when I first started using ESET's NOD32 (then version 2.x), all of my On-Demand scans were "In Depth" because that option provided the most thorough scan. With NOD32 v4.x I have continued using only "In Depth" On-Demand scans (rather than Smart scans), after first going through every setting in the Advanced Setup Tree to heighten security, for example by Checking (i.e. adding) settings for Heuristics, Advanced Heuristics, Unsafe and Unwanted applications, and Email. Some of those new settings generated warnings that they would slow the computer down, but that did not concern me because I On-Demand scan only at night when I am asleep and my computer is not doing anything else. (Advanced Heuristics warned also that it could generate false positives, but since 2005 I can recall having only one of those, which was for a very old file compressed by WordPerfect's no-longer-used Envoy utility.) But this April, when I upgraded NOD32 4.0.474 to 18.104.22.168, I decided that I ought to find out exactly what a Smart [optimization] scan did, and whether I could customize it as I had customized In-Depth scans. On the Wilders NOD32 v4 forum, I started a thread ("Questions about NOD32 AV version 22.214.171.124 setup" http://www.wilderssecurity.com/showthread.php?t=296937) with a bunch of questions. I got excellent answers answers to two of my questions, and then the thread became inactive. So I contacted ESET Home support, and got the answers I needed --- which indirectly answered many of my unanswered questions in the inactive thread. As described above, I went through every setting in the Advanced Setup Tree to heighten security, but this time, for On-Demand computer scan I also modified each of its three basic profiles --- Smart scan, In-Depth Scan, and Context Menu scan --- to heighten security by Checking (i.e. adding) settings for Heuristics, Advanced Heuristics, Unsafe and Unwanted applications, and Email files. My Smart scan and In-Depth scan profiles are identical, except that Enable Smart Optimization is Checked in Smart scan but not in In-Depth scan. [The Email files settings are in the On-Demand computer scan Smart, In-Depth, and Contest Menu profiles, ThreatSense engine parameter setup > Objects. I was surprised that Smart scan and In-Depth (and also Context Menu) scan profiles do not include Email files by default. But that may be caused by my using Mozilla SeaMonkey's Browser and Email package, rather than Mozilla Firefox and Thunderbird. Nevertheless, because my ISP uses POP3 rather than IMAP, and I have enabled Email files anywhere it is listed in the Advanced Setup Tree, my email is checked when downloaded, and in On-Demand scans.] ESET'S APPROACH According to my ESET Home support correspondent: "Typically we do not recommend that users change the profiles associated with Smart Scan or In-Depth Scan [presumably because their defaults might be needed as the basis for future user-created profiles], and that they only modify the 'My Profile' scan, or create new profiles from within Advanced Setup. By doing [so] you could create any number of variations of your preferred scan settings." [Tuesday 26 April 2011, 04:17 pm PDT (GMT-07:00)] (Note that this statement does not mention Context Menu profile settings.) But because I have no need for additional user-created profiles, I decided not to create new profiles (such as "My Smart Scan" and "My In-Depth Scan"), but instead to customize the already available profiles (Smart scan, In-Depth scan, and Context Menu scan). My customizations only select additional settings, and do not delete any ESET default settings (other than not-checking "Enable Smart optimization" in the In-Depth profile). [In my Context Menu profile, "Enable Smart optimization" is not checked, which is ESET's default.] If I ever did need to follow ESET's recommendation, returning the Smart Scan and In-Depth Scan profiles to their defaults would not be difficult: In the Advanced Setup Tree, one click restores a profile's defaults. Incidentally, for User-created profiles, see the NOD32 v4.2 User Guide, page 17, section 126.96.36.199. The reference to section 4.1.6 should be to section 4.1.7. I hope this information is of some use to others. It certainly has been useful to me. Of course I would welcome any comments or suggestions. Roger Folsom ________________________________________________________________ P.S. In the Advanced Setup Tree, Real-Time file system protection, Advanced setup > Additional ThreatSense parameters for executed files > Advanced heuristics on executing files from removable media > Exceptions, includes the following introduction: "This option allows you to exclude objects from being scanned by advanced heuristics on file execution. "Advanced heuristics settings for hard drives will be applied to selected devices." To me, those two sentences are contradictory (because the first sentence says "exclude" and the second sentence says "applied"), and if I did not want Advanced Heuristics to apply to something --- that is, if I wanted something to be excluded from Advanced Heuristics --- I couldn't figure out whether I should check it, or leave it unchecked. My ESET Home support correspondent clarified that. To exclude an object from being scanned by advanced heuristics on file execution, check its box.