Scan stalls in System Volume Information folder

Hello,

I’m using Avast v4.8(4-09-2008) with definitions file 080427-0 on a Dell desktop PC running Win XP Pro, SP2.

For the first time, this morning’s weekly scan stalled out in c:\System Volume Information. By the time I saw it, it had been stalled out for about 3 hours. I tried restarting the scan, and it got as far as that folder, and once again, stalled out. The number of files scanned, and the bytes scanned, both stopped incrementing. I tried doing a manual, interactive selection scan for just that folder and sure enough, it scans 0 bytes, and 0 folders. The scan keeps running, it just seems to not be doing anything. The time stamp on that folder is from last night, so there has been some recent change to it.

I tried cleaning up that data in that folder by turning System Restore off and then back on, and by using Disk Cleanup to get rid of all but the latest restore point, and retried both the local disks and interactive scan, with the same results. I checked the log files and there is nothing noted.

I’m not sure what else to do here- can someone please help? Thanks in advance for any suggestions.

clira

Do you use ZoneAlarm?

Yes, I’m using ZoneAlarm 7.0.47.

Does anyone have any further input on this?

Thanks in advance.

Well, we’ve seen this before… and I think it looked like a problem in ZoneAlarm on closer investigation.
So, my suggestion would be to put C:\System Volume Information* into the list of avast! exclusions to prevent scanning of this folder… don’t know anything better, I’m afraid.

Thanks, although I don’t think I’ve recently updated Zone Alarm, I will look into it. I don’t really like the idea of a scan exclusion as I’ve read that some viruses and/or malware actually choose to hide themselves there since most users don’t know how to access that folder. I’ll also check the Zone Alarm site to see what I can find.

clira

I suggest you disable System Restore on Windows ME, XP or Vista. System Restore cannot be disabled on Windows 9x and it’s not available in Windows 2k. After boot you can enable System Restore again.
Hopefully, I think this will remove any ‘problematic’ restore point detected by avast.

Thanks for the suggestion, Tech- I will give that a try.

clira

You’re welcome. Feel free to come back any time you need help or just to change experiences 8)

Well I don’t know how they would hide in the system volume information folder, a protected area controlled by system restore.

The main reason anything is found there is when a virus is detected in the system folders and moved it could end up being saved as a restore point by system restore. So I would like to know where you have read that?

I’ve done a few million google searches involving various combinations of “avast”, “system volume information” and “virus”, etc., since this problem cropped up. Perhaps I misread something that simply reflected your statement that they’re copied to SVI from elsewhere.

clira

That is the most likely cause, I have seen it that some AVs don’t scan the SVI folder and if they have removed a virus from the system folders. It is usually recommended that you disable system restore before doing this (which stops the system restore creating an infected restore point). Disabling the system restore has the effect of completely clearing ALL the SVI restore points, infected or otherwise.

Well, I tried this and it did not work. All that’s in there now is a 0 byte ‘MountPointManagerRemoteDatabase’ with a 8-19-2006 timestamp, and a 20,480 byte ‘tracking.log’ stamped 2-13-08. Since the problem only started happening this weekend, I doubt it’s either of them. The same two files(same sizes and timestamps) are in SVI on my logical D drive, and it stalls out there too. Sigh.

clira

Can you try if the latest beta version solves this?
Download the updater (http://files.avast.com/files/beta/aswbeta.exe) and run it or go here for more information.

Unfortunately, it doesn’t. I followed the instructions for the upgrade, rebooted, and tried a scan again after removing the exclusion. It still stalls out in SVI.

clira

Maybe only Igor’s suggestion will do it…
Any acknowledgment from Alwil or Zonelabs about this problem?

Alwil’s official response was that I should try Igor’s suggestion and just exclude it. I checked the Zone Alarm site(zonelabs) and could not find anything specific to Avast and SVI. I did not pursue it any further with them as it happened even with ZA turned off, and I’m using their freebie version(vs. the paid version of Avast). Oh well. I wish there was a better response. I work on a large-scale web-based app and if we had a problem on one of our screens my solution would not be “Don’t navigate to that page. Just avoid it.” ;D

clira

Seems to be happening at driver level…

Edited due to Igor’s suggestion about dumps…

The user-mode dump won’t reveal anything, I’m afraid.
We had even a kernel-mode dump previously - and it showed ZoneAlarm driver blocking the file open.

If you check Google, you’ll find many reports of the same problem, unrelated to avast! (= occurring on a machine without avast!).
Maybe you can restrict the exclusion (I believe it was the tracking.log file, causing the problems, though I may be wrong)… but that’s about all.