3 Hour scan with Blackspear settings

Discussion in 'NOD32 version 2 Forum' started by mikkl, Jul 4, 2006.

Thread Status:
Not open for further replies.
  1. mikkl

    mikkl Registered Member

    Joined:
    Feb 26, 2006
    Posts:
    12
    XPH-SP2, AMD 2k+, 768 Meg RAM, 35GB HD with 4GB free and less than 10% defragmented.

    Command line scan using the following settings: C:\ /ah /heur+ /cleanmode /delete /clean /quarantine /log+ /wrap+ /sound- /mapi- /all /exclude=*/mbx,*.bfm /scanboot+ /scanmbr+ /scanmem+ /mailbox- /arch+ /sfx+ /pack+ /adware /quit+

    Scan takes three hours to run. :( No viruses found. :)

    Using the same command line on an XPH-SP2, AMD 2600+, 512 Meg RAM, 50GB HD with 18GB free takes about one hour.

    Both machines have the swap file set to a different partition.

    The long scan is approximately 350,000 files while the quick scan is more than 400,000 files.

    Any ideas on what could be causing the differences in scan times? I like the protection, but three hours to scan 30GB is more than a bit too long.

    TIA,

    mikkl
     
  2. NOD32 user

    NOD32 user Registered Member

    Joined:
    Jan 23, 2005
    Posts:
    1,766
    Location:
    Australia
    Just to name a few possibilities, maybe more archives... They take longer since they need to be unpacked - /arch+ /sfx+

    Were there any applications running on the machine that might have also kept the disk busy as well?

    Was there already another scan running in the background?

    Is NOD32 the only security app running?

    There are others...

    Cheers :)
     
    Last edited: Jul 4, 2006
  3. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    Try the following switches instead:

    C:\ /adware /ah /all /arch+ /clean /cleanmode /delete /heur+ /log+ /mailbox+ /ntfs+ /pack+ /quarantine /scanboot+ /scanmbr+ /scanmem+ /scroll+ /sfx+ /unsafe /wrap+

    Let us know if that makes a difference.

    Cheers :D
     
  4. covaro

    covaro Registered Member

    Joined:
    Jul 4, 2006
    Posts:
    149
    Location:
    Abingdon, MD, USA
    On top of the previous suggestions, what is the speed of the HD in the first PC (5400RPM, 7200RPM)? Have you tested to verify the drive has not begun to show signs of failure? Do you clean up your temp files frequently? 350K files is a heck of a lot for a 35GB HD. Even as effective as NOD is, a TON of tiny temp files is going to cause a heck of a slowdown. Either that or you have a crap ton of packaged files that are being unpacked.

    Benchmarks I'm comparing against:
    My laptop has 20GB of data on a 40GB HD. Running a copy of Kaspersky for Workstations (work laptop/av), and it takes approx 1Hr to run a scan and it pulls around 120K files after unpacks, etc.
    My desktop has two RAID arrays... one 320GB RAID 0 (23GB free) and one 160GB RAID 1 (17GB Free). Scanning both drives with all options except potentially dangerous apps (I don't need the headache... I have a crap ton of admin/management tools on here) comes back with 521121 files over 42:06.

    Just my thoughts...

    -Cov
     
  5. mikkl

    mikkl Registered Member

    Joined:
    Feb 26, 2006
    Posts:
    12
    @Blackspear--Thanks for the recommendations. Some explanations for some of the options that I am using. I have found that I need /mapi- for the scans to work properly, otherwise I almost always have "Cleaning" left in the NOD scan logs instead of "Completed". Our default email program is not MAPI-compliant and NOD does not handle this well. As we don't use Outlook or OE, I have also selected /mailbox- as there are none to scan. (We use Pocomail). Similarly, I am excluding the pocomail mailboxes (*.mbx) as they are simple text files (all attachments are stripped and placed in an external directory--this directory IS scanned). I have had unresolved false positive problems that result in deleting years' worth of messages if I permit the text files to be scanned.

    I notice a difference in the sequencing of the commands. Will this make a difference?

    What does the /ntfs+ command do? I have not seen that one before. Both computers are using ntfs for the main partition.

    @NOD32 User--Kerio 2.1.5 is the only other security app and it is running on both machines. There is a screensaver program that runs that is unique to the slow machine. Tonight I am going to go and check the thread priority of the screen saver and the Scheduled Task that I am using to call NOD. I suspect that the screen saver may be running at a higher priority. There is also a Nokia phone sync program running in the background, but the phone is not connected. Before NOD runs, I use Karen's Replicator to backup the Mydocuments structure. I have confirmed that these runs are completed before NOD runs. Also the time of this backup (~38 minutes) is consistent between the two machines, suggesting to me that the bottleneck may be RAM or free space related.

    @covaro--I believe that they are both 7200RPM drives, though I do need to confirm that. Your point about temp files is a good one. Neither she nor I understand why there would be 30GB of files on her drive as she only does email, reads the news, and plays Euchre on Pogo.com. I am very suspicious about temp files. I have confirmed that the hard drives are operating in DMA Mode 5. Yesterday I updated the IDE drivers and the video card drivers as well as performing a complete defrag (first file-by-file using contig from Sysinternals and then the entire drive using Windows defrag tool). This defrag took about 2 hours. Perhaps the drive is going south. I am also wondering if the free space is insufficient for NOD to efficiently examine archives and the like.

    My first test tonight (if she'll let me near the machine) is to disable the screen saver and see if the scan can complete in less than an hour. I am also intrigued by the /ntfs switch. If the screensaver does not change things, that will be the next option to try.

    I will report back,

    mikkl
     
  6. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    My pleasure.


    No worries in what you are doing there.


    No, however, I would not recommend using /heur+


    See HERE for what function each switch has


    Replicator should not take this long to run a backup.


    This is going to be the problem, you are going to need to go through your C Drive to find out what is chewing up 30GB

    Cheers :D
     
    Last edited: Jul 5, 2006
  7. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
  8. mikkl

    mikkl Registered Member

    Joined:
    Feb 26, 2006
    Posts:
    12
    Thanks again, Blackspear.

    I understand why you recommend not using /heur+, bit of a contradiction with the /ah setting eh?

    Using WinDirStat (on SourceForge), I was able to clear about 7GB from the drive. About half were temp files of one sort or another. The rest were residuals from incomplete uninstalls and unnecessary backups of /OLD/ software.

    The drive now has significant free space (>11GB) and I expect the scan to work better. I will be running a scan overnight and will check the run time in the morning.

    Prior to cleaning the drive, I did run some tests with various background applications disabled with no noticeable difference. There did, however, seem to be a small improvement when I disabled Kerio firewall--but I may be fooling myself. Sitting behind a NAT router, it was only doing outbound control. If the scan runs in a reasonable time tonight, I'll re-enable Kerio and see if that makes a difference.

    Thanks again!

    mikkl
     
  9. mikkl

    mikkl Registered Member

    Joined:
    Feb 26, 2006
    Posts:
    12
    And it didn't--I mis-remembered. It only took 8 minutes. (8:30-8:38am, to be exact)

    mikkl
     
  10. mikkl

    mikkl Registered Member

    Joined:
    Feb 26, 2006
    Posts:
    12
    Well, none of this has made a difference at all. In fact, last night's scan (with /heur+ removed and /ntfs added) took more than 4 hours. In other words, one quarter less space took almost an hour longer to run.

    Testing the hard drive with HDTune, I see that it averages 23MB/sec. Comparing this to the available benchmarks, this seems like a typical speed for this drive (Samsung 40GB, 5400 RPM). SMART indications are all OK.

    It may be a hardware problem, but I'm not convinced.

    TIA,

    mikkl
     
  11. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    Could you please try the following:

    Download a fresh copy of NOD32 to your desktop.

    Uninstall your current version and reboot

    Remove the Eset folder from C Drive> Program Files

    Install the fresh copy of NOD32 that you downloaded above using "Typical" settings when asked.

    Let us know how you go...

    Cheers :D
     
  12. rothko

    rothko Registered Member

    Joined:
    Jan 12, 2005
    Posts:
    579
    Location:
    UK
    If the above doesn't help, then how about downloading another security app like Ewido or Dr Web CureIT and running a scan with that, just to see if the problem is specific to NOD32 or not.

    Lee
     
  13. mikkl

    mikkl Registered Member

    Joined:
    Feb 26, 2006
    Posts:
    12
    Using the same command line as today?

    mikkl
     
  14. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    The one I posted, yes, and when you are fully set up, you can right click on the scheduled scan and run it straight away if you so desire (beats waiting for an early morning scan).

    Cheers :D
     
  15. mikkl

    mikkl Registered Member

    Joined:
    Feb 26, 2006
    Posts:
    12
    Well, 45 minutes later the scan was still only partially completed, at which point my DW was tired of me monopolizing the machine and, in the interests of peace at home, I abandoned the scan.

    I'm not yet convinced we improved anything with the reinstall.

    I would like to run some tests with a clean boot and no screen saver but that will have to wait until we return from vacation.

    So, this thread will go quiet for a while, but I will report back as I continue to chase the problem.

    mikkl
     