Avast File Shield has major problems with large .exe files

I have run into an issue where Avast’s File Shield will drain almost all of my cpu power when it tries to scan large .exe files like app installers or a user-created self-extracting 7z SFX (.exe) archives. I first encountered the problem whenever I created a large (>100MB approx) 7z SFX file where, once 7zip was finished creating the file, File Shield would use all remaining CPU time to scan them, leaving just enough CPU for the rest of the system to keep running. This also happens when opening/running, copying/moving, deleting, or even just right-clicking the file in Explorer. Only files/archives with the .exe extension seem to be affected (.zip, .rar, .7z, .iso, etc. are fine).

When File Shield does this it also renders the Explorer window the file was opened from completely frozen. And by “frozen” I don’t mean “not responding” by Windows’ standards, I mean it completely freezes and does nothing at all. The process in Task Manager doesn’t say “not responding” next to it and no “stopped responding” dialogue will appear no matter how many times I click in the Explorer window. If I try to restart Explorer.exe the offending window will refuse to close and an “end process” dialogue will appear but it will do nothing, forcing me to reboot.

I discovered that it wasn’t just 7z SFX .exe files affected after I downloaded an installer for “Portal Prelude” (a top-rated mod for the much-loved Valve PC game “Portal”). When I opened my Downlads folder after the download, Avast File Shield decided to use >90% of my CPU (yes, it was AvastSvc.exe alone using this much, not the total system usage) leaving next to nothing for the rest of my system to run on. Infact it left so little that I had to force-shutdown my PC, risking data loss, because there wasn’t even enough processing power left for the services required to open the Start menu, let alone open the Avast GUI to get into the settings and temporarily disable the shields. After I rebooted I let my system settle down, disconnected from WiFi and temporarily disabled File Shield, removed all other files from my Downloads folder (including .zip files much larger than the “offending” .exe file), re-enabled File Shield, then ran a targeted scan on my Downloads folder to see exactly how long it would take to scan the file manually. The targeted scan completed successfully in just a few minutes with “normal” CPU usage (<30%), where as File Shield’s scan will use as much CPU as it can get but still take so long that I have to reboot just to abort it.

I’m aware that heavily compressed files require a lot of CPU power to decompress, scan and recompress. But using so much that it totally drains all of my CPU leaving nothing for vital system services and therefore rendering my system completely unusable is just taking the pee and needs to be fixed.

I have already tried repair and clean installations of Avast but these made no difference.

I am running Windows 10 Home from an SSD with an i5 processor (albeit, a legacy i5) and 12GB of RAM so my system is more than capable of handling files with high compression ratios, yet Avast File Shield is still able to more or less kill my CPU when scanning .exe files, especially large ones like app installers and large 7z SFX archives. The age of my processor shouldn’t make any difference. I can normally run CPU-intensive apps like FL Studio no problem.

Please fix this.

Do you have heuristics enabled? Maybe it freaks out over the sfx-packer used. Malware tends to use similar packers.

I don’t think Avast has to recompress anything for a scan. Just decompress.

Perhaps you can limit Avast to not use all cores/threads? So there are always resources available to keep the rest of the PC running.

That’s strange - the File Shield normally doesn’t unpack huge archives (unless the default settings are changed… did you change any File Shield’s settings?). On the other hand, the targeted scan does… So I can’t see how the first should be slower than the other.

Would you be able to collect a Process Monitor log over a certain period when the big File Shield-related CPU load is happening and upload it somewhere? (ftp://ftp.avast.com/incoming is an option). I admit it may be tricky if the system is not responsive.
Hopefully it would tell us more about what’s happening there.

Hi guys, thanks for the quick replies.

@Rundvleeskroket:
Yes I have heuristics enabled. What I really meant with the decompression/recompression thing is that any app will need lots of CPU time to handle highly compressed files (I maybe could have been clearer but I’d already written an essay by that point). I’m not sure how to limit Avast to not use all threads so if you could tell me how that would be great. As far as I know, Windows 10 automatically decides how many threads an app is allowed to use.

@igor:
The only File Shield setting I changed was enabling “Scan all files” instead of “Scan recommended files”. This is just because of my paranoia since I’ve been hit by malware in ths past so I like to have maximum protection. I managed to install the game and delete the installer by adding an exception to Avast. But for the sake of diagnostics I will download it again and try to get a Process Monitor log for you, if it doesn’t kill my PC again.

For the record, when I 1st downloaded the file Chrome stuck at 100% while it ran its own virus check. This is a known issue with chrome though so I’m not concerned about that. Avast didn’t start playing up until Chrome “completed” the download and changed the file type from .crdownload to .exe, even though Avast still checks .crdownload files.

There are 3rd party tools to assign cores or limit them on a per application basis. It is not ideal so finding the real reason why this happens is a better solution. Otherwise you’re just containing the symptoms, not curing the cause.

If you have a known problematic file, try disabling heuristic scanning or lowering the settings for a moment. Then test if a scan still results in this high CPU load. If it doesn’t fix the problem, you can at least rule it out.

Well if it’s only thrid-party tools then I think I’ll just try to find the cause instead.

I am currently running Process Monitor after downloading that same file and it turns out there may have been either some misunderstanding on my part or a bug in Avast. When I set File Shield to “Scan all files” instead of “Scan recommended files” I thought it was referring to “all file types”, not every single file. I never thought that it would make File Shield actually run a full system scan every time I downloaded something. Seems to me like this is either an unintentional bug or, if it was intended, its something that should be made little clearer to the user.

I’ll try downloading the file again with heuristics switched off, and if that doesn’t work I’ll do it a third time with File Shield set to “Scan recommended files” to test our theories. If we’re proven wrong I’ll upload the Procmon logs for analysis. That’ll need to wait till tomorrow though.

Your understanding of that option is correct - File Shield doesn’t scan any files “itself”, it only reacts to access to the files.
However, there may be some other processes actually touching those files (Explorer enumerating the files in folder to extract icons from them, Search indexer opening and the files to check their content, …)
But still - scanning every file being opened is one thing, unpacking big archives is a different one…

You are correct about the Search Indexing and Explorer looking for icons causing being one of the causes. I paused Search Indexing before opening my Downloads folder and this allowed Avast focus on scanning the .exe when Explorer tried to look for icons instead of having to share its time between Explorer and Indexer, but it still took a few minutes to complete the scan. It still wouldn’t let me run the file though, taking nearly 45 minutes to actually open it.

It seems that the total system lock-up I mentioned in my OP was caused by multiple actions being performed on the same file while the File Shield scan was running (e.g. trying to delete the file while Explorer is still waiting for Avast to let it read the file’s icon) while its also scanning whatever the indexer was doing. It’s almost as though Avast is trying to start a second or even third scan on the same file it’s already scanning. When only one instance of the scan is running it will throttle itself to about 30% CPU regardless of how big the file is or what the current CPU state is. It also seems that each instance of a File Shield scan will always be given 30% CPU time, even if there is only 10% left therfore leeching from other processes and locking-up the system. (I noticed AvastSvc.exe’s usage jumped up to about 60% each time Search Indexing unpaused itself while I waited for my file to run. The same applies to Behaviour Shield - which is a separate process from AvastSvc.exe - which showed 30% CPU usage just before the file opened.)

I think this is an issue for the Avast dev team to look at. They need to implement something to allow Avast to utilize the CPU better instead of it just giving 30% to every task regardless of what else is running. From what I can see there is no way to change the priority of File Shield scans, only the on-demand ones. They should also make it so that a single file can only have one scan done to it at a time to prevent system lock-ups instead of running multiple scans on the same file simultaneously.

Thanks for your help guys, much appreciated.

This reply was from one of those developers:
https://forum.avast.com/index.php?topic=228795.msg1515355#msg1515355