I don’t quite follow. Are you saying you keep an MD5 and an access list?

Is this correct…
You keep a list of recently scanned files and when ever there is a file system WRITE to a file in the list, that file is removed from the list so that it will be scanned again on the next READ or on the current WRITE if you have ‘on create/write’ checked. And as more files are scanned the oldest scanned are removed?

I imagine that is very efficient, but it relies heavily on the fact that Avast can detect all WRITEs to the file system. So you’d have to be hooked at a very low level.

What would you also keep the MD5 hash then? Do you keep a file access list as well as an MD5 hash to check in case someone somehow made a low level WRITE that couldnt be detected?