"New and changed files only" - Why not?

Discussion in 'other anti-virus software' started by hamlet, Dec 30, 2005.

Thread Status:
Not open for further replies.
  1. hamlet

    hamlet Registered Member

    Joined:
    May 10, 2005
    Posts:
    201
    Hi. I have been using the latest KAV2006 beta for a few days and have a question. Actually, I suppose the question applies to any antivirus with this option.

    Is there some reason why I would not want to use the option (in several places) to scan only new and changed files? Is there less protection this way?

    KAV offers this and I don't know what other programs do. I have NOD on a laptop but cannot remember if it has the option only to scan new and changed files. If the protection is the same, this seems like a great time saver.

    Thanks.
     
  2. .....

    ..... Registered Member

    Joined:
    Jan 14, 2005
    Posts:
    312
    If your system already has malware that is not in KAV's AV bases and it is later added to the bases, it will not be detected with this option.

    Leave it enabled for realtime and disabled for manual scans (like default).
     
  3. Brian N

    Brian N Registered Member

    Joined:
    Jul 7, 2005
    Posts:
    2,148
    Location:
    Denmark
    But it will - Every AV will check all files again once the defs are updated.
     
  4. Mem

    Mem Registered Member

    Joined:
    Mar 7, 2005
    Posts:
    292
    Not with KAV 6 beta. A database of previously checked files is maintained. If the option to only scan new or changed files is selected, only the files not in this database (new) or changed from the database timestamp (changed) will be scanned.

    As stated previously, the safest way is to maintain the default settings.
     
  5. Brian N

    Brian N Registered Member

    Joined:
    Jul 7, 2005
    Posts:
    2,148
    Location:
    Denmark
    If that's true, they dropped the ball right there.
     
  6. .....

    ..... Registered Member

    Joined:
    Jan 14, 2005
    Posts:
    312
    Of course on demand scans don't use this option by default (startup scans etc). It can also be disabled.
    I don't think it's bad to be like this by default.
     
  7. Blackcat

    Blackcat Registered Member

    Joined:
    Nov 22, 2002
    Posts:
    4,010
    Location:
    Christchurch, UK
    1. The Real-time Monitor of several AVs including KAV 2006, VBA32 and Dr Web all have the possibility of scanning only new and changed files. In particular, SpIDerGuard of Dr Web in Smart-mode has for years only processed a restricted number of files. The main advantage of only processing new/changed files is on performance where there is very little effect of this setting. Hence very lightweight RTMs; ideal for the older computer or gamers.

    However, there are drawbacks. It works fine until you miss a virus definitions database update, or turn the Running Guard off for some time, so the system gets infected.

    Dr Web users were encouraged to carry out Regular on-demand scanning to cover this drawback and most users reported no problems with this setting. An excellent balance between performance and protection.

    Further, in the new version of Dr Web, this potential disadvantage has been covered by the Enhanced protection mode of SpIDerGuard where any object not scanned is sent to a background scanning engine.

    I use Smart-mode with SpIDerGuard of Dr Web and the "process only new file" settings with the RTM of VBA32 but supplement these settings with regular on-demand all-file scans. So far so good.

    If installed on a clean system, with regular on-demand scans on full settings then this is a good balance between protection and performance. But I would not recommend this setting for everybody, particularly newbies.

    2. Again with just on-demand scanning I would still carry out regular all-file checking.

    Overall, the new and changed file setting is a good choice in the RTM of AVs, if the drawbacks are known and if supplemented by regular full on-demand scanning. But even with on-demand scanning, all-file scanning is important to cover any holes in the RTM.
     
  8. hamlet

    hamlet Registered Member

    Joined:
    May 10, 2005
    Posts:
    201
    Interesting info. I have gone back and looked at the settings in the newest beta of KAV. It looks like scanning of new and changed files is the default setting on what they call "file anti-virus." I think this is the part of the system which checks files upon access.

    All of the other scan settings (scan, scan critical areas, scan my computer, startup scan) default to checking all files, not just the new or changed ones. It seems like this jibes with what is a good setup according to the information given by other posters above.

    In the beta KAV 2006, it looks like only the startup scan has the option to be run after every update.
     
  9. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,054
    I guess this comes under the heading of different strokes....

    One of the biggest appeals to me of the new Kaspersky AV betas is that I can do a full scan with only the new and changed files.

    Based on a number of factors I know my machine is clean. I run several HIPS so one could almost debate the need for AV. Since KAV updates every hour I updated prior to running the first full scan. Very low odds of something being on my machine that is so new KAV missed it. But the time difference is very significant.

    The full scan on my system took almost 1.5 hours. Subsequent scans take about 4 minutes. Given that, what I've done is I turn off the startup scan, and just run a full scan just prior to shutdown. This works well for me, because of the HIPS protection.

    Just another approach.

    Pete
     
  10. Brian N

    Brian N Registered Member

    Joined:
    Jul 7, 2005
    Posts:
    2,148
    Location:
    Denmark
    Well NOD has this option too for its on-access scanner, but it will re-scan all those files when the defs have been updated.
    I really can't see any good reason why an AV should ignore already scanned files just because they haven't changed.
    Who knows what nasties could be hiding in those files?
     
  11. .....

    ..... Registered Member

    Joined:
    Jan 14, 2005
    Posts:
    312
    For speed reasons.

    Of course the malware will be detected in an on-demand/startup scan providing the signatures are present. These are the default settings.
     
  12. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,054
    If files x, y and z are clean today, and fine, and tomorrow a new nasty is set loose, and the defs are updated, fine. But if the file hasn't changed how could it be infected?
     
  13. dog

    dog Guest

    The point is those files x y z could already be infected, but weren't detected at that time with the current DB ... Detection for this malware is then added at a later date ... etc.
     
  14. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    You can't get rid of the constantly increasing scan time or better the total scan time of your scanners. :)
     
  15. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,054
    Hi Dog

    That doesn't make sense. Point is the files are known clean. They are scanned with KAV's latest database which has all the current baddies and are confirmed clean and entered into the database. I don't care if a thousand new baddies are discovered, if those files didn't change how can they not be clean? o_O

    Pete

    PS Yes if you aren't sure your system is clean then you might have a valid point.
     
  16. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    Suppose file abc.exe is infected with an undiscovered virus X.
    Your scanner won't find virus X and won't report abc.exe as an infected file.
    Two days later the definition-database gets an update for virus X.
    The file abc.exe is still the same and if you don't scan it, it still would be infected.
    If you scan it, abc.exe will be reported as an infected file.
    So dog is right IMO.
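
The disagreement in the posts above comes down to what the checked-files database records. The following is an added example, not part of the thread and not any vendor's code: a simplified in-memory model (class and function names are hypothetical, sample files and signatures are constructed) that replays the abc.exe scenario against a cache keyed on timestamp only, as described for the KAV 6 beta earlier in the thread, and against one that also records the definitions version, as described for NOD.

```python
from dataclasses import dataclass, field

@dataclass
class Definitions:
    version: int
    signatures: set  # byte patterns, constructed for this example

@dataclass
class CachedScanner:
    """Scanner that skips files it has already checked (hypothetical model)."""
    rescan_on_defs_update: bool
    cache: dict = field(default_factory=dict)  # path -> (mtime, defs version)

    def scan(self, files, defs):
        """files maps path -> (mtime, content). Returns (detections, scanned)."""
        detections, scanned = [], []
        for path, (mtime, content) in sorted(files.items()):
            entry = self.cache.get(path)
            unchanged = entry is not None and entry[0] == mtime
            defs_current = entry is not None and entry[1] == defs.version
            if unchanged and (defs_current or not self.rescan_on_defs_update):
                continue  # trusted on the strength of an earlier scan
            scanned.append(path)
            if any(sig in content for sig in defs.signatures):
                detections.append(path)  # infected files are never cached
            else:
                self.cache[path] = (mtime, defs.version)
        return detections, scanned

def run_scenario(rescan_on_defs_update):
    """abc.exe carries virus X before any signature for X exists."""
    files = {  # constructed sample data
        "abc.exe": (100, b"MZ..VIRUS-X-BODY.."),
        "notes.txt": (100, b"plain text"),
    }
    old_defs = Definitions(1, {b"OLD-VIRUS"})
    new_defs = Definitions(2, {b"OLD-VIRUS", b"VIRUS-X"})
    scanner = CachedScanner(rescan_on_defs_update)
    day0 = scanner.scan(files, old_defs)
    # Two days later a signature for X arrives; abc.exe is unchanged on disk.
    day2 = scanner.scan(files, new_defs)
    # A fresh scanner has an empty cache, modelling an all-files on-demand scan.
    full = CachedScanner(True).scan(files, new_defs)
    return day0, day2, full

if __name__ == "__main__":
    for policy in (False, True):
        print("rescan_on_defs_update =", policy, run_scenario(policy))
```

With the timestamp-only cache the second scan touches no files, so abc.exe is caught only by the all-files scan; recording the definitions version lets the same cached scan catch it.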
     
  17. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,054
    You guys are missing the point with your supposes.

    Example. I just installed a program called NaturallySpeaking by Scansoft. Installed it from CD. Hundreds of files. Now how likely is it they are infected? After install I run a quick scan update, and they are now in KAV's database. As long as they don't change I see no need to keep constantly rescanning them.

    What you are in essence saying, is that even though I am confident based on a whole bunch of evidence that my machine is clean, I should suppose every file could be infected, and that just maybe next year KAV might discover a nasty, and that nasty could, just could be in one of my files and that's why I should scan and rescan everything. Just doesn't make sense to me.

    Pete
     
  18. Honyak

    Honyak Registered Member

    Joined:
    Jul 19, 2004
    Posts:
    346
    Location:
    Deep South
    I agree, sounds like nit picking to me, when really it is a matter of choice by the user how to scan with AV.

    Suppose a frog had wings..... He would not bump his butt when he jumped.
     
  19. The Hammer

    The Hammer Registered Member

    Joined:
    May 12, 2005
    Posts:
    5,619
    Location:
    Toronto Canada
    If the frog makes the wrong choice he ends up on a menu or at least his legs do. :D
     
  20. Honyak

    Honyak Registered Member

    Joined:
    Jul 19, 2004
    Posts:
    346
    Location:
    Deep South
    "IF", the biggest word in the dictionary.
     