see subject – because any virus has to come from a file or must write itself to a file, even Outlooks e-mails are written to disk, so shouldn’t write scanning be sufficient to suppress viri spreading or starting to become active? --does avast also scan files for virus-properties, eg. registry entries for known virus “signatures”?
what’s faster? scanning before/on write or before opening? Btw. does it scan before write or after writing a file?
Your last question is the key one. The scan is performed after the write (in fact, it’s performed when the file is closed). Therefore, catching the virus by this kind of scan is sort of “too late”, since the file is already infected.
Unfortunatelly, it’s not possible to change. Imagine that a virus is infecting the file in multiple steps - each time writing only a part of it’s body. Scanning the file after every write (it could be writen byte by byte!) could be very slow. But even if it were done this way - the file may not be detected as infected during the first write; it could be detected after a number of writes… and at this point, the file is already damaged (it’s questionable, but it may be better if the file is infected “completely” and “working”, instead of incompletely and useless).
Btw, true worms (based on network protocol buffer overflows) don’t need to be written to disk to activate; but that’s out of the scope of an antivirus anyway (you need a firewall to prevent this kind of attack).