High CPU on RAR files? (Build 418)

It seems that whenever someone uploads a RAR file using HFS (http://www.rejetto.com/forum), Avast seems to rescan the RAR many times and causes a huge lag of the system. I guess the RAR was continuously modified when the upload is in progress. The RAR size is only 2 MB btw.

Any workaround for this?

First, the RAR hasn’t changed for a long time so this is most likely not a 418-specific thing (I hope :)).

Second, your saying that your scanning RAR files on-access? Hmm… well - what can I say? Especially if the file is continuously written, avast will be triggered many times and the overhead will of course be enormous.

Is there a way to recognize that the file is not comletely there yet? Like a different file name or something? So that you could put it to the exclusion list…

Is there a way to recognize that the file is not comletely there yet? Like a different file name or something? So that you could put it to the exclusion list...
What does that suppose to mean? The filename for the RAR(s) are random so... :-\

Hopefully pk has worked out the problem.
Thanks pk.

If you have the on-access scanner configuration that includes created/modified files scanning with RAR extension, there is nothing to be “worked out” here, sorry.

Created/Modified on All… :frowning:
Would this behavior change on the next major? :cry:

No, it won’t.
Sorry, but it’s doing exactly what you instructed it to. You want all the created/modified files to be scanned… if the file is written by parts, closed and reopened again after each few kilobytes, it’s simply being modified very frequently - so, an enormous number of scans occurs. There is nothing we can do about it.

I don’t think having all the created/modified files be scanned is a good idea (or even necessary).

I don’t think the file was closed before the rewriting toke place.
However, I will check that part later.

If I were to uncheck the Scan created/modified checkbox, would Avast warn about a malware if it’s only saved and not opened?

Well, how can you know that, if you didn’t write the application that handles the upload? :slight_smile:

No, it wouldn’t.
I didn’t say you should disable the option completely (even though it shouldn’t cause any bigger security risk either) - I meant that having all the files to be scanned like this is a little overkill, in my opinion. The standard set of extensions should be enough.

;D… You are right! I will have to ask the author later on. :-\

Anyways, I think a solution for this maybe to integrate the Smart File Detection feature into Resident Protection? Should speed up the process and increase system performance. :wink:

Not really - you may have the scanning of archives turned on - then it wouldn’t speed up anything.
How about doing the “smart file detection” yourself and telling avast! not to scan modified RAR files? :wink:

… Eh
Avast definition of packers = archives.
Then I wonder what Avast will do when it encounters a UPX compressed EXE. No option to select anything? Or are they automatically scanned anyways?
I would turn off scanning of archives though… since they cannot infect without being decompressed first.

I think, we have worked the problems out with softwareguy via icq:
it means:

  • WinExec packers consist of upx/aspack/… packers and you can allow it as a whole
  • ’ smart file detection’: doesnt have sense