What about double scanning?

Discussion in 'Prevx Releases' started by ams963, Oct 6, 2012.

Thread Status:
Not open for further replies.
  1. ams963

    ams963 Registered Member

    Joined:
    May 3, 2011
    Posts:
    5,965
    Location:
    Parallel Universe
    Hi,

    WSA is compatible with most mainstream security products namely AV/IS/mega suites. It allows the other AV to catch and remove a detected malware first. It removes malware if missed by other AV. CPU and memory usage remains smooth and normal.

    But what about double scanning? Using WSA with another AV increases webpage loading, folder/file opening, on-demand scanning, etc. due to double scanning by both WSA and the other AV. I've tested this by using WSA with a variety of AV products.

    Best Wishes,
    Amit
     
  2. Umbra

    Umbra Registered Member

    Joined:
    Feb 10, 2011
    Posts:
    2,211
    Location:
    in a remote land :)
    I read that WSA gives priority to the other scanner when a threat is detected by both, so the other one deletes the threat. WSA acts as a second barrier, when the other scanner misses the threat, one reason why it gives the feeling that WSA does nothing.

    If you do on-demand scans with one of them, it is recommended to turn off the real-time of the other scanner, to avoid double-checks of files.
     
  3. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Exactly, although you can leave the realtime scanning of both enabled - worst case, you're just getting a secondary check which will provide a better assessment of your system.
     
  4. ams963

    ams963 Registered Member

    Joined:
    May 3, 2011
    Posts:
    5,965
    Location:
    Parallel Universe
    I don't think my question has been answered or explained yet. I mean you guys have just confirmed my findings.
    Will this continue? I mean the time is crucial. And the types of double scanning mentioned just are obstacles between WSA and the fully compatible WSA.
     
  5. Umbra

    Umbra Registered Member

    Joined:
    Feb 10, 2011
    Posts:
    2,211
    Location:
    in a remote land :)
    Using 2 real-time scanners at the same time, with the same settings, will forcibly augment loading times and all factors; using an analogy:

    "using 2 hoovers at the same time to clean your room will take you more time than using just one" ^^

    Unless you disable the realtime of one of them (or at least set one to only scan when executed), you can't hope that you will have the same responsiveness as using only one RT scanner.
     
  6. ams963

    ams963 Registered Member

    Joined:
    May 3, 2011
    Posts:
    5,965
    Location:
    Parallel Universe
    Then does this not put a question mark on the true compatibility of WSA with other AV?
     
  7. guest

    guest Guest

    Not at all. This sounds really stupid to me. - Reason: your self-created definition of "true compatibility" would then be that only ONE AV is running. Then you were satisfied, right? :rolleyes:

    The thing is: I used it with Avira and I didn't feel that WRSA was slowing me down in a way I would even think about "double scanning" (regarding performance) or anything. - I told Avira to not bother with WRSA in their options, but that was all I did.

    And also the other advice is not good in my opinion, disabling realtime scanning of one or the other. - If your hardware doesn't put up with 2 AV solutions (which is regarding WRSA very unlikely) just use 1. Simple as that.

    WRSA's strongest weapon is not on demand scan but realtime scan. Disabling that would be like slaying your arm off just to spare weight or something. :rolleyes:

    Please don't create a "problem" where no such thing is. Double scanning is none (with WRSA). Thank you. :cool:

    p.s.: I see only now that you are using an "atom" cpu? Well, upgrade your hardware to a decent one (anything but atom!) and you have not to worry about "double scanning". - I know a netbook and the only problem it has is the cpu-name "atom". ;)
     
    Last edited: Oct 6, 2012
  8. ams963

    ams963 Registered Member

    Joined:
    May 3, 2011
    Posts:
    5,965
    Location:
    Parallel Universe
    Aren't you such a fanboy?:D Well I also love WSA.:)

    I do have an i3 pc and dual core notebooks. And two WSA are on those pcs and one is on a family pc. I try apps from time to time. :) I'm not worried about double scanning. I'm happy with my EISP in the netbook and WSA in other pcs. I'm just learning here about the compatibility. I'm very interested in this. I'm just exploring a different aspect of WSA's compatibility since Joe already gave a clear cut explanation on compatibility in the situation when a malware is detected.

    Just because you've got hardware power does not mean that side should be left unattended. I mean if that's the case, no modern mega suites are heavy for those machines. Does that stop the rise of cloud products? Why is it that WSA continues to improve its lightness, fastness and minimal system impact when clearly those beasts of machines can handle anything and everything. It's about improvement my friend.

    And "Double scanning is none (with WRSA)." is incorrect as I've already tested this. And Joe along with umbra agree.

    Just let me learn my friend. When I get a satisfying explanation that I can understand I'll "stop creating a problem where no such thing is". No harm done in trying to get something more clear about a product.:)

    Best Wishes,
    Amit
     
  9. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    The difference with WSA is that its resource use/slowdown on the system is extremely minimal to the point of being virtually unnoticeable so you can use it alongside another AV without feeling any change.
     
  10. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,279
    Location:
    UK
    The ability to prevent double-scanning will depend on what real-time features the other AV supports.

    If the other AV supports process exclusion then you can set WRSA.exe as an excluded process, which tells the other AV to ignore anything the excluded process is doing. AVs commonly support file and folder exclusion but Avira is one of the few AVs I have tried that supports process exclusion. MSE used to but I don't know about the latest version.

    If the other AV doesn't support process exclusion, it may still be possible to configure it to only scan files on writing or execution, ignoring read access. ESET NOD32 for example offers this level of granular control.

    If you are using an AV that doesn't enable double-scanning to be avoided and you find double-scanning unacceptable, there is the option to rely solely on WSA for real-time protection and just use the other AV as an additional on-demand scanner.
     
  11. guest

    guest Guest

    In my book fanboy is something that I am not. And won't be ever. ;) - But I am a fan (and promoter) of its lightness!

    You would get the irony of your word if you knew what I was to Prevx (due to many, many fp's on my system) on this forum. :D - Maybe the Anti-Fanboy. :D - An enemy who troubled the peace in the club. :D

    But now - in 2012 - I am very impressed with WebrootSecureAnywhere. - And I will only look for another av-solution, if there is anything that is even lighter running! ;) - Right, won't happen I guess.

    I see. Want to make a similar product? :D

    No of course not and I never said/meant that! - I am running here on a "slow" dual-core AMD, technology many years old but also thanks to WRSA my system is very fast (for what I do) and I try to persuade myself for a while to maybe upgrade hardware ... so far without success.

    I like it when through great software you can use older hardware longer. And even if I decide to get an i7 I won't tolerate any software that I consider bloatware. Regarding AV I consider most of it bloatware, now with WRSA being reality! :D

    Yes. And to conquer the world. :D

    No. I meant: "Double scanning is no problem". In my experience.
    I didn't mean: "There is no double scanning."

    And Joe only said the same thing as I did. - But I only can talk about Avira though. Your other AV maybe could have some problems I didn't have with WRSA.

    What I wanted to express was: "I didn't feel double scanning with Avira/WRSA!" - Of course without Avira system is now "faster". But adding WRSA (and excluding it in Avira) did not make it slower. Maybe it did but I didn't notice it that much.

    I hope all things are clear now. ;)

    regards
     
  12. ams963

    ams963 Registered Member

    Joined:
    May 3, 2011
    Posts:
    5,965
    Location:
    Parallel Universe
    LOL.
    Yeah I'm also very impressed with WSA and very happy that it's the lightest av.:)


    Hahaha I wish. Even if Joe had shown me the program code of WSA I would understand nothing.:argh:


    Oh sorry I misunderstood.
    Yeah WSA just will fit into any old machine without any slowdown.:D


    LOL.:D:thumb:


    Sorry I misunderstood.
    Well I have tested WSA with Bullguard, F-secure, Panda Cloud, Ikarus, Quick Heal, Avast, AVG, Norton and my EAM. The slowness may not be noticeable but it's still there.
    Yup things are clearer now.:thumb:
     
  13. ams963

    ams963 Registered Member

    Joined:
    May 3, 2011
    Posts:
    5,965
    Location:
    Parallel Universe
    @PrevxHelp and @pegr
    Okay now suppose we visit a webpage. A normal webpage you know with images and links. The other AV will scan the Webpage before it loads because it has one form of web protection or the other. So will WSA's web threat shield. Now although the other AV supports process exclusion which tells the other AV to ignore anything WSA is doing, that would not stop both the other AV and WSA from double scanning the webpage and increasing the load time.

    What you are saying is that the load time would not be noticeable. I believe it is noticeable.

    And like the above case file folder scanning and on-demand scanning are also affected.

    Best Wishes,
    Amit
     
  14. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,279
    Location:
    UK
    What I was referring to was how to stop the other AV lengthening the time of a WSA on-demand file scan. I believe that in real-time WSA only scans files on execution so not really an issue. Regarding web page scanning, if you have more than one web page scanner active, you will get double-scanning so consider turning one off. For normal web surfing, as opposed to online banking and shopping where the WSA Identity Protection shield is useful, you would get better protection from a sandbox than from web page scanners with potentially less overhead.
    I've no idea whether any delay in web page loading times would be noticeable or not as I don't use web page scanners. Any use of web page scanners must in principle impose some delay on web page loading, which may or may not be noticeable.
    Not true. You can test this for yourself with Avira if you like. If you set WRSA.exe as an excluded process within Avira then carry out an on-demand scan with WSA, you should see that the WSA scanning time is the same as when Avira real-time protection is turned off. If WRSA.exe is not set as an excluded process within Avira, the total WSA scan time will noticeably lengthen due to the double-scanning of files.
     
  15. ams963

    ams963 Registered Member

    Joined:
    May 3, 2011
    Posts:
    5,965
    Location:
    Parallel Universe
    Really? WSA in realtime only scans files on execution? Like MBAM? I didn't know that. Joe could you kindly clarify and confirm this?
    That's what I thought.:)
    Okay got it.
    Oh I'll install Avira tomorrow morning to see if this is indeed the case.

    Best Wishes,
    Amit
     
  16. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,279
    Location:
    UK
    @Amit:

    A couple of small corrections to what I said: -

    First: The actual description given of WSA real-time file scanning is that WSA scans any file on access that may lead to execution. Exactly how this differs from scanning on execution, I'm not sure; but it does seem to imply that files simply opened for reading by another AV won't be double-scanned. As you say, it does need Joe to clarify and confirm if this is the case.

    Second: There is a suggestion that the WSA web page scanning takes place after the web page has loaded, in which case it shouldn't delay web page loading in terms of user perception. Again, it needs Joe to clarify and confirm if this is the case.

    Kind regards
     
  17. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    3,771
    Location:
    Outer space
    I think not all people here use the same definition of double-scanning.
    Definition 1:
    Program X accesses a file, Product A sees the file being accessed and thus scans the file, then product B scans it as well so the file is scanned 2 times in total -> double scanning.
    Definition 2:
    Program X accesses a file, Product A sees the file being accessed and thus scans the file, then product B scans it as well, then Product A sees the file being accessed by Product B so A scans the file a second time; The file is now being scanned twice by the same product -> double scanning.

    Definition 1 is of course valid with 2 realtime products, but whether definition 2 is depends on the products themselves and (if possible) process exclusion.
     
  18. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,279
    Location:
    UK
    Just to be clear, what I was referring to by double-scanning is the scanning of the same file by two different products, not the scanning of a file twice by the same product. An intelligent AV design would prevent the latter situation from arising anyway. Once a file has been scanned and not judged to be bad, a well designed conventional AV won't rescan the same file for a second time in real-time: at least not until the AV has been updated with new signature definitions.

    The situation I was referring to that can be controlled by process exclusion (where available) doesn't require the introduction of Program X. If Product A starts an on-demand scan, Product B will see that executable files are being opened for reading and, if set to scan on read access, by default will also scan the files. If Product B supports process exclusion, it can be told to ignore the actions of Product A (a trusted program) and no double-scanning will occur.

    Looking at the more general case, if Program X attempts to open an executable file for read access, and if Product B scans on read access, Product B will scan the file because any process exclusion only applies to Product A. Whether Product A will also scan the file will depend on how Product A works. If Product A scans only on execution, it will ignore the file that Program X is accessing unless the file access may result in execution. In this scenario, the only time that double-scanning may occur is when a file is opened for execution in which case both products will want to scan the file.

    What happens next in the file execution scenario now depends on how cleverly Product A has been designed. It may choose to stay out the way to give Product B the first chance at detection. If Product B does detect the file as bad, Product A will remain quiet in order to let Product B deal with it and no double-scanning will occur. If Product B doesn't detect the file as bad, then Product A will still scan the file before allowing it to be executed and double-scanning will have occurred.

    In this scenario Product B may look more effective because it gets the opportunity to trigger first but this is part of the design of Product A in order to maintain compatibility with Product B, avoiding a possible conflict where both products are trying to scan a file at the same time. It's my understanding that this is how WSA (Product A) has been designed to work.

    All of this relates only to the scanning of executable files. It doesn't apply to web page scanning where both products will scan web pages for threats during, or just after, loading.

    Kind regards
     
    Last edited: Oct 7, 2012
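
A toy model of the two definitions of double-scanning and of the process-exclusion cases discussed in the two posts above, added here as an illustration. It is not code from Webroot or any AV vendor; the `Scanner` and `Host` classes, the access kinds and the re-entrancy guard are assumptions of the model, not documented product behaviour.

```python
from collections import Counter
from dataclasses import dataclass, field

@dataclass
class Scanner:
    name: str                           # doubles as the scanner's own process name
    triggers: frozenset                 # access kinds that start a real-time scan
    excluded: frozenset = frozenset()   # processes whose file accesses are ignored
    cache_clean: bool = False           # skip files already judged clean
    clean: set = field(default_factory=set)
    busy: set = field(default_factory=set)

class Host:
    def __init__(self, *scanners):
        self.scanners = scanners
        self.scans = Counter()          # scanner name -> number of file scans

    def access(self, process, path, kind):
        """A process touches a file; each real-time scanner may react."""
        for s in self.scanners:
            if s.name != process and process not in s.excluded and kind in s.triggers:
                self.scan(s, path)

    def scan(self, s, path):
        if path in s.busy or (s.cache_clean and path in s.clean):
            return                      # re-entrancy guard / cached clean verdict
        s.busy.add(path)
        self.scans[s.name] += 1
        self.access(s.name, path, "read")   # scanning a file means reading it
        s.busy.discard(path)
        s.clean.add(path)

READ_EXEC = frozenset({"read", "execute"})
NOBODY = frozenset()

def program_x_executes(cache=False, exclude=False, a_triggers=READ_EXEC):
    """Program X executes one file while A and B both run real-time.
    Returns (scans by A, scans by B)."""
    a = Scanner("A", frozenset(a_triggers), frozenset({"B"}) if exclude else NOBODY, cache)
    b = Scanner("B", READ_EXEC, frozenset({"A"}) if exclude else NOBODY, cache)
    host = Host(a, b)
    host.access("X", "sample.exe", "execute")   # constructed sample event
    return host.scans["A"], host.scans["B"]

def on_demand_by_a(n_files, b_excludes_a):
    """A runs an on-demand scan over n_files while B scans on read access.
    Returns (scans by A, scans by B)."""
    a = Scanner("A", frozenset({"execute"}))
    b = Scanner("B", READ_EXEC, frozenset({"A"}) if b_excludes_a else NOBODY)
    host = Host(a, b)
    for i in range(n_files):
        host.scan(a, f"file{i}.exe")            # constructed file names
    return host.scans["A"], host.scans["B"]

if __name__ == "__main__":
    print("Definition 2 (no cache, no exclusion):", program_x_executes())
    print("Definition 1 (clean-verdict cache)   :", program_x_executes(cache=True))
    print("Definition 1 (mutual exclusion)      :", program_x_executes(exclude=True))
    print("A scans on execute only              :", program_x_executes(a_triggers={"execute"}))
    print("On-demand by A, B not excluding A    :", on_demand_by_a(3, False))
    print("On-demand by A, B excluding A        :", on_demand_by_a(3, True))
```
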
  19. claudiu

    claudiu Guest

    "Really? WSA in realtime only scans files on execution? Like MBAM? I didn't know that. Joe could you kindly clarify and confirm this?"

    Hi Amit,

    Yes, it is true, like MBAM.:D

    The philosophy behind WSA is: if a file doesn't do any harm to your pc, then it is ignored. So, if you download a malware which doesn't execute anything, it will not be scanned and detected by WS.

    There is a good chance that, if you use WS and a traditional AV, you will not have double scanning because WS will scan only ON EXECUTION and the other AV will scan ON DEMAND.

    However, web pages will be double scanned and so will load slower and, again, you will have double scanning when you perform a "Right click" or a Custom/Deep/Full scan with WS.


    On the other hand, this is the idea of having TWO antimalware with real time detection installed and running at the same time on your PC!

    ONE antimalware--->one scanning, TWO antimalwares---->two scanning and so on.

    Thanks,
    Claudiu
     
    Last edited by a moderator: Oct 7, 2012
  20. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    To clarify, no it isn't. WSA scans on write as well (see the options under Settings - Realtime Shield). From a previous post, claudiu, I saw you were concerned that it doesn't scan inside archives on-write. However, no AVs do that as it would be very intensive to perform and would have no added value.
     
  21. claudiu

    claudiu Guest

    Hi PrevxHelp,

    Thank you for your answer!

    To make things even more clear: if I download a virus packed in a RAR archive, will it be detected by WS at the end of the download?

    My present antivirus (MSE4) will detect and quarantine a malware packed in a RAR archive right after the download is finished, without any other user intervention.

    Thanks,

    Claudiu
     
  22. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    No, but as soon as you extract it from the rar, it will be detected, or if you right click scan on the rar.
     
  23. claudiu

    claudiu Guest

    Thanks!

    If I extract it while I am offline (example: while I travel by train, airplane or if I am out of my wi-fi coverage), how will a potential malware be detected?

    Only the behaviour and heuristic components of WS are way insufficient for a proper detection offline, so why don't you scan that RAR file right after download when WS has full potential, being still connected to the cloud?

    Just an idea....

    Claudiu
     
  24. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    WSA will then use change journaling to prevent its changes from affecting the system once you reconnect. You can just right click on the archive and click "Scan with Webroot" before going offline. I'm surprised to hear that MSE scans archives on-write as I'm not aware of any others. It is computationally intensive and unnecessary.
     
  25. claudiu

    claudiu Guest

    "WSA will then use change journaling to prevent its changes from affecting the system once you reconnect."

    Change journaling is a smart way to track changes; however according to:

    http://en.wikipedia.org/wiki/USN_Journal

    "The Change Journal describes the changes that took place, but does not include all the data or details associated with the change. For this reason the Change Journal cannot be used to undo operations on files within NTFS."

    I cannot imagine WSA journaling for 8 hours (a flight from Canada to Europe) to undo changes once it gets back online.

    The other solution of yours seems much better, right click and scan, but why would you leave this to the user only because "It is computationally intensive " and will affect somehow the WSA speed?

    Faster is not always better!


    Nice concept though.

    Thanks,
    Claudiu
     