Does Avast4 do any type of checksum type Hashing?
If so does it depend on the sensitivity setting of the on-access scanner?
If it doesn’t, might it in the future?
It seems to go nuts on the same old programs - like my File manager, every time I run it.
toadbee
Welcome. Please help us help you.
What’s your operating system? What kind of a computer do you have? What version of Avast! are you running?
Also, what file is detected and in what Folder?
And, what message are you getting?
I am not a designer of Avast, however, from what I have seen and learned about its workings, it uses more of a “signature comparison” for scanning rather than Checksum Hashing.
The Sensitivity control “expands” the file types that are scanned.
From a developer’s point of view, Hashing would prevent conflicts in coding, and therefore to some degree might be incorporated into Avast.
One of the Avast Team may clarify further.
As for going nuts??? Try lowering the Sensitivity a bit.
It seems if I run my filemanager (Servant Salamander), the on-access scanner does its thing - which slows the startup of Salamander down quite a bit - and that’s fine. But if I close Salamander down, and then open it again in ten minutes (example) - Avast seems to scan everything again (Salamander has a tremendous amount of plugins etc.) So it seems to me that Avast has no idea it just scanned the files - i.e. it didn’t make note of what was recently scanned in order to ignore it the next time.
So I might be right or wrong about that…? But if Avast does cache some sort of checksum for a period of time - I’m wondering if the sensitivity of the on-access scanner affects it (how long it ‘remembers’ - whether it remembers at all).
If you don’t want Avast to scan your filemanager each time you open it, simply add it to the exclude list. Not that I recommend to do so since it may get infected (let’s hope not) and then Avast will not detect it.
When you shut down a program containing files of any kind, Avast WILL rescan from the start since it does not know if anything was modified or corrupted by a virus.
This is the quality protection it offers.
I don’t know if any AV “remembers” where it was in the middle of a scan and goes back to it or passes over files it HAS scanned. This makes no sense from a developer’s viewpoint.
Well my question here is an Honest one - I am not here to compare different products.
Here’s a quote from another AV manual:
“*** saves system resources and reduces computing work to a minimum. The file caching system developed in order to save time “memorises” which files have been examined and are therefore clean. A rescan only occurs if the files have been changed in any way”
This is done via some sort of checksum system (like MD5) - so if the file is altered/infected/updated whatever it is scanned.
Standard shield driver gets MD5 of files that were opened and NOT infected. If there’s a WRITE request, file MD5 entry is removed from driver’s internal buffer, file is rescanned. If request is READ, there’s no need to rescan the file, because we know it wasn’t modified, etc.
Try this: restart your computer, display Standard Shield info window (where you can see how many files were scanned), execute Help from Start menu, look at how many files were scanned, close Help, run it again (many files were cached and they weren’t rescanned) [note: if you enable all files types scanning in Standard Shield, the difference will be much bigger].
The Servant Salamander files were rescanned, because they were probably modified.
Ok - now we’re talkin’
Thanks!
Now to figure out what the heck salamander is doing when it starts up ;D
One more question ??? I assume that the sensitivity setting does NOT affect the hashing technique… ?
And also - that the hashing doesn’t “timeout” - it simply doesn’t remember after reboot.
Any answer is good - I’m trying to understand what exactly I have here with your Avast
I don’t quite follow. Are you saying you keep an MD5 and an access list?
Is this correct…
You keep a list of recently scanned files and whenever there is a file system WRITE to a file in the list, that file is removed from the list so that it will be scanned again on the next READ or on the current WRITE if you have ‘on create/write’ checked. And as more files are scanned the oldest scanned are removed?
I imagine that is very efficient, but it relies heavily on the fact that Avast can detect all WRITEs to the file system. So you’d have to be hooked at a very low level.
Why would you also keep the MD5 hash then? Do you keep a file access list as well as an MD5 hash to check in case someone somehow made a low level WRITE that couldn’t be detected?
We don’t need to store file access list, if there was WRITE access to file which is stored in our cache, then we have to rescan the file.
Is this correct...
You keep a list of recently scanned files and whenever there is a file system WRITE to a file in the list, that file is removed from the list so that it will be scanned again on the next READ or on the current WRITE if you have 'on create/write' checked. And as more files are scanned the oldest scanned are removed?
If file is opened for writing/or we get write request, file is removed from the cache; next file scan will be when file is closed (file will be clean, flag will be set, next file-open will not be checked by scan).
I imagine that is very efficient, but it relies heavily on the fact that Avast can detect all WRITEs to the file system. So you'd have to be hooked at a very low level.
Yes, we can detect all create=open/read/write/rename/copy/... operations, all is done by our kernel drivers.
One more question: I assume that the sensitivity setting does NOT affect the hashing technique... ?
No, hashing technique is the same, there're no configurations (only memory usage, but it's default).
And also - that the hashing doesn't "timeout" - it simply doesn't remember after reboot.
Yes, there's a timeout ;-), I guess all entries which are 30 mins old are removed.
Sure, if you reboot your machine, all buffers are empty, because e.g. your HDD could be in different PC, not under av protection.
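The cache behaviour described in the reply above, as an added sketch that is not part of the thread and not Avast's code: a clean result is remembered, a write drops the entry, the file is rescanned on close, entries expire after the timeout, and a reboot empties everything. The class and method names, keying the cache by path, the always-clean scanner and the event times are all assumptions made for the illustration.

```python
TIMEOUT = 30 * 60  # seconds; the "30mins" figure guessed at in the thread

class ScanCache:
    """Toy model of an on-access 'known clean' cache; names are hypothetical."""
    def __init__(self, scanner, timeout=TIMEOUT):
        self.scanner = scanner   # callable(path) -> True when the file is clean
        self.timeout = timeout
        self.clean = {}          # path -> time of last clean scan (assumed key)
        self.dirty = set()       # paths written to since their last scan
        self.scans = 0

    def _scan(self, path, now):
        self.scans += 1
        if self.scanner(path):
            self.clean[path] = now       # remember only clean results
            return "clean"
        self.clean.pop(path, None)
        return "infected"

    def on_open(self, path, now):
        # Drop entries older than the timeout before consulting the cache.
        self.clean = {p: t for p, t in self.clean.items() if now - t < self.timeout}
        return "cached" if path in self.clean else self._scan(path, now)

    def on_write(self, path):
        self.clean.pop(path, None)       # a write invalidates the entry
        self.dirty.add(path)

    def on_close(self, path, now):
        if path not in self.dirty:
            return "skipped"
        self.dirty.discard(path)
        return self._scan(path, now)     # rescan once the writer closes the file

    def reboot(self):
        self.clean.clear()               # the cache lives in memory only
        self.dirty.clear()

def demo():
    """Replay a constructed event sequence; times are seconds since boot."""
    c, f = ScanCache(lambda path: True), "plugin.dll"
    out = [c.on_open(f, 0), c.on_open(f, 600)]       # scan, then cache hit
    c.on_write(f)
    out += [c.on_close(f, 710), c.on_open(f, 720)]   # rescan on close, then hit
    out.append(c.on_open(f, 710 + TIMEOUT))          # entry expired: rescan
    c.reboot()
    out.append(c.on_open(f, 710 + TIMEOUT + 5))      # empty after reboot: rescan
    return out, c.scans

if __name__ == "__main__":
    print(demo())
```

Because only clean verdicts are stored, a file the scanner flags is scanned again on every open rather than being served from the cache.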
Thanks PK - I’ve been messing around with it here - and that’s what I’m seeing. Everything is a-ok