Does this matter? And can some of you try this with your various AV Pgms?

Discussion in 'other anti-virus software' started by paniccom, Mar 27, 2009.

Thread Status:
Not open for further replies.
  1. paniccom

    paniccom Registered Member

    Joined:
    Jul 23, 2006
    Posts:
    100
    I was trying several different AV's to see what I liked best. I had already downloaded from Microsoft Downloads the file for "Microsoft .NET Framework Version 1.1 Redistributable Package", which is a 23 MB file.

    http://www.microsoft.com/downloads/...FamilyID=262d25e3-f589-4842-8157-034d1e7cf3a3

    I decided to scan it with the AV I had currently been testing, and it came up clean, of course, but the scan showed a certain number of files checked within the dotnetfx.exe file. Out of curiosity, I checked the same file with other AV's and got very different numbers. My question is, are the AV's that show a large number of files checked doing a better job than those that show just a few? Are they better able to "penetrate" the file, to see what's inside? If anyone has other AV's and can post results, it might be interesting. Or, I might be told it is a waste of time by those more knowledgeable. But it is odd that the numbers would be so different.

    NOD32 V 3.0.684...............................2 FILES
    KASPERSKY AV 2009........................745 FILES
    NORTON 2009...................................2 FILES
    AVAST 4.8.1335 HOME EDITION.......800+ FILES
    (The scan disappears in Avast when it's done,
    so I can't get the exact number)
     
  2. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    5,829
    Location:
    Last Breath Farm
    Using avast! version 4.8 Home Edition, Build 4.8.1335, I get 736 files scanned. More importantly, something seems wrong that the scan stat dialog disappears for you. I'd check with avast support or the avast forum to see why.

    Also, the dotnetfx.exe file is 23.1 MB, but look at the Total size of scanned files:120.2 MB. Weird.
     


  3. paniccom

    paniccom Registered Member

    Joined:
    Jul 23, 2006
    Posts:
    100
    Yes, that is odd--120 out of 23? I wish I had paid more attention when I was trying this with the other AV's (I have Avast free now)

    Thanks for the tip about the scan dialog disappearing--I thought that was normal behavior for the PGM if it found nothing wrong, but now I know better. I also didn't know about the 120.2 MB, because it never showed up.
     
  4. TopperID

    TopperID Registered Member

    Joined:
    Oct 1, 2004
    Posts:
    1,527
    Location:
    London
    Absolutely not!

    Different AVs count files differently. Suppose you have an archive (for example) containing 100 items - is that one file or one hundred files or one hundred and one files? etc etc.
     
  5. TechOutsider

    TechOutsider Registered Member

    Joined:
    Sep 26, 2008
    Posts:
    549
    Absolutely. Each vendor's product has different counting conventions. Some vendors may not extract all the files inside the package, depending on the settings or simply its ability.

    Does it matter, as the poster originally asked? To an extent; sometimes an AV will miss a virus embedded in a file. Worst scenario is if the AV misses the virus even when the infected file(s) are extracted or unpacked.
     
  6. 1000db

    1000db Registered Member

    Joined:
    Jan 9, 2009
    Posts:
    718
    Location:
    Missouri
    FWIW Twister AV counts this as 1 file which makes sense because it is until it's unpacked.
     
  7. JRViejo

    JRViejo Global Moderator

    Joined:
    Jul 9, 2008
    Posts:
    20,956
    Location:
    U.S.A.
    paniccom, here's mine - 328 objects:

    2009-03-27_190613.gif
     
  8. i_g

    i_g Registered Member

    Joined:
    Aug 30, 2006
    Posts:
    133
    There is nothing wrong - just check the option "Show results of Explorer Extension" on the first page of avast! settings. By default, the Explorer Extension doesn't show results for clean files - only when a virus is found, you'll see the warning.

    Nothing weird about it again - avast! sums the sizes of all the files extracted from the archive(s) (and scanned subsequently). So, 120MB is the size of all the scanned content.
     
  9. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    5,829
    Location:
    Last Breath Farm
    I chose poor wording. When I said, "Weird", I should have said "I don't understand." And what I didn't understand was that a file can still be compressed without being zipped. Thanks for explaining.
     
  10. i_g

    i_g Registered Member

    Joined:
    Aug 30, 2006
    Posts:
    133
    I'm afraid this sentence doesn't make much sense to me.
    How do you define "zipped"? ZIP is one of hundreds of possible archive formats.

    And since we are talking about a redistributable package, i.e. an installer - I'd say it's most likely that such a file will be compressed (being it a Microsoft installer, I'd guess a self-extracting CAB, MSI... something like that)
     
    Last edited: Mar 28, 2009
  11. IceCube1010

    IceCube1010 Registered Member

    Joined:
    Apr 26, 2008
    Posts:
    963
    Location:
    Earth
    Correct me if I'm wrong but if you are scanning from windows explorer then there is an option within Avast's menu (program settings) that you need to tick off to allow the results screen to stay (show results of explorer extension). If there was a problem, Avast would have given an alert. So the file seems clean.

    Ice
     
  12. paniccom

    paniccom Registered Member

    Joined:
    Jul 23, 2006
    Posts:
    100
    Thanks! I missed that setting somehow. Now I have the same exact results as Page42.....scanned 736 files, total size of scanned files: 120.2 MB. At least we're getting consistent results from the same AV's. I'm not using this test to make a decision about picking an AV program, I just find it an interesting comparison to check out. I hope a few people post other AV results.
     
  13. paniccom

    paniccom Registered Member

    Joined:
    Jul 23, 2006
    Posts:
    100
    Thanks for the advice, although i_g posted it above. But you're right, even without checking that option, if it had been a bad file, then the results would have displayed and stayed!
     
  14. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    5,829
    Location:
    Last Breath Farm
    When I see a zip icon, and the file is named whatever.zip, then I define that as zipped.
    Well, it's quite obvious to you. But as for me, I've already stated, I didn't understand.
    I get that now.

    Initially, I saw that the dotnetfx.exe file's size was 23.1 MB. I didn't understand that it was compressed because I didn't see a zip icon or .zip filename... so I thought it was weird that the total size of scanned files was 120.2 MB. It should have made sense to me, but it didn't.

    When I said, "something seems wrong that the scan stat dialog disappears for you", I knew it wasn't disappearing for me, and even though I looked for a setting, I didn't realize that selecting the "Show results of Explorer Extension" option controlled that.

    So... nothing is wrong, nothing is weird and "quite obviously" I learned something.

    Thanks so much for explaining.
     
  15. paniccom

    paniccom Registered Member

    Joined:
    Jul 23, 2006
    Posts:
    100
    And thank YOU, Page42, for responding to my post and not only confirming the number of files scanned, but for bringing to my attention something that really bothered me with Avast AV, i.e. I want to see what's going on when I scan something, even if the file is good. If you uncheck that option and try it, you'll see how frustrating it is because you're waiting for some kind of confirmation, and the scan window just quickly vanishes. "Was the file OK? Was it so malicious that it somehow killed the scan?" OK, I don't know all that much about malware and what it's capable of, but I think Avast should have that setting checked as the default, and have one of those "Don't show this dialog again" checkboxes on the scan results. But what I don't get is, if we both didn't know about that setting, and never changed it, why was mine unchecked and yours checked? Maybe you've had Avast longer than I have (I just installed it before my post) and the previous build had a different default setting?

    Oh, and as far as the "weird" comment, I STILL think it's weird even now knowing that it's a compressed file, because I didn't know you could squeeze 120 pounds of bologna in a 23 pound bag! (to paraphrase Alice Kramden)
     
  16. TechOutsider

    TechOutsider Registered Member

    Joined:
    Sep 26, 2008
    Posts:
    549
    Antivirus software can also unpack executables and disassemble code.

    .iso is a form of zip file; WinRar supports reading them. However, many AVs cannot unpack a .iso file; they report only 1 item scanned.
     
  17. paniccom

    paniccom Registered Member

    Joined:
    Jul 23, 2006
    Posts:
    100
    I see. Hence, your previous comments:
    So even if the AV isn't capable (Maybe by design) of unpacking a compressed file, much worse is if it misses it during the extraction process, as you stated. I wonder if the vendors will chime in on their methods of scanning compressed files?
     
  18. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    5,829
    Location:
    Last Breath Farm
    Hi paniccom,
    Thanks for the thoughtful response, I'm pleased to learn that through all of my compressed and archived unawareness, you were able to glean some tidbits of usefulness! I don't recall having checked the setting for "Show results for Explorer Extension". I may have read somewhere that it is advisable to do so, and thus made the change. Or not. Both of my machines have that setting selected. My point is, I may have selected it and forgotten. I definitely do not think that "Show results for Explorer Extension" is intuitive. I hope some others post about whether or not it is default.

    What I did learn was that an executable file can be compressed. I should have known that, I suppose... I've used enough installers... but if I'm not seeing that zipper icon, I'm just not thinking zipped.

    Nice AK quote, btw. ;)
     
  19. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    5,829
    Location:
    Last Breath Farm
    I had to check the User Guide for confirmation, and there it is... unchecked by default. I agree with you, it might be better to be checked.
     


  20. i_g

    i_g Registered Member

    Joined:
    Aug 30, 2006
    Posts:
    133
    The thing is that antivirus (or archiver, ...) programs determine the file type (whether it's a ZIP, RAR, specific installer, etc.) by the file content - whereas the icons you see in Explorer are based on the filename (more precisely, file extension) only. If you rename archive.zip file to archive.xxx, the compressed icon will most likely disappear - but the file is still zipped, of course.
    For executable files, the icon is whatever the author of the file has put inside.

    So, what I'm saying is that the icons are only informative, not a reliable source of information.
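
The points i_g makes in this thread (file type decided by content rather than extension, and the scanned size being the sum of the extracted content), together with the counting question TopperID raises, shown as an added Python example that is not part of any post and not any vendor's code. The sample archive, its file names and the three counting conventions are constructed for illustration.

```python
import io
import zipfile

def build_sample():
    """Constructed sample: an outer ZIP holding three text files plus a nested
    ZIP stored under a misleading name (inner.dat)."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("a.txt", b"A" * 50_000)
        z.writestr("b.txt", b"B" * 50_000)
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w", zipfile.ZIP_DEFLATED) as z:
        for i in range(3):
            z.writestr(f"doc{i}.txt", b"x" * 100_000)
        z.writestr("inner.dat", inner.getvalue())
    return outer.getvalue()

def is_zip(data):
    # Decide by content (the ZIP end-of-central-directory record), not by name.
    return zipfile.is_zipfile(io.BytesIO(data))

def scan(data, depth=0, max_depth=8):
    """Return (containers, leaves, unpacked_bytes) for one blob.
    max_depth bounds recursion into nested archives."""
    if depth >= max_depth or not is_zip(data):
        return 0, 1, len(data)  # counted as a single leaf object
    containers, leaves, total = 1, 0, 0
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for info in z.infolist():
            if info.is_dir():
                continue
            c, l, t = scan(z.read(info), depth + 1, max_depth)
            containers, leaves, total = containers + c, leaves + l, total + t
    return containers, leaves, total

def report(data):
    containers, leaves, total = scan(data)
    return {
        "no_unpacking": 1,                              # the file as it sits on disk
        "leaves_only": leaves,                          # extracted objects only
        "leaves_plus_containers": leaves + containers,  # archives counted too
        "size_on_disk": len(data),
        "size_scanned": total,                          # sum of extracted content
    }

if __name__ == "__main__":
    print(report(build_sample()))
```

The same file yields 1, 5 or 7 "files" depending on the convention, and the scanned size exceeds the size on disk because the content is compressed; a scanner that stops at the first archive level (`max_depth=1`) never looks inside `inner.dat`.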
     
  21. Zeena

    Zeena Registered Member

    Joined:
    Apr 25, 2008
    Posts:
    409
    Location:
    UK
    Hi paniccom :)

    I can also confirm... My Avast Scan Result - Vanishes when I scan a File / Folder ;)
    Only noticed it the other day o_O
    And like you... I Was Worried!



    Hi Page42 :)

    Thank You! ... For The Avast User Guide :thumb:
    Just what I needed :D



    This has been a most wonderfully helpful thread :D
     
  22. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    5,829
    Location:
    Last Breath Farm
    paniccom, do you feel that your question has been answered? If yes, what is the answer? I am kind of concluding from this thread that the AV's that do not unpack a file well can miss embedded objects. Do you concur? :)
     
  23. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    5,829
    Location:
    Last Breath Farm
    Glad that worked out for you. ;)
     
  24. paniccom

    paniccom Registered Member

    Joined:
    Jul 23, 2006
    Posts:
    100
    I honestly don't know, based on others' answers that there are different ways the AV's number the scanned files. But since I'm using Avast free, and it shows 736 files scanned, as opposed to Norton 2009 and NOD32, which both showed 2 files scanned, I am pretty happy with my current AV. (Kaspersky showed 745 files, which is so close that maybe it counted folders as files or something--I'm guessing it was actually the same as Avast; but Kaspersky seemed to make my overall system seem sluggish.) So thanks for all the input-- I guess unless the AV company reps drop a comment about scan numbering systems I am thoroughly convinced I'm not 100% sure of anything! o_O
     