What does avast! scan after boot and why? [Outpost Pro causes excessive access]

What determines the files that are scanned when avast! starts after WinXP boots?

The reason I ask is my Standard Shield scanned count after everything settles down (avast icon stops spinning after boot) is in the region of 800. However, my last one was in excess of 1000.

There are files that are being scanned that are in my program Files folders (I have two C: and D:) that are not used for weeks on end. One being my Time Synchronisation program but there are many like it being scanned and I really would have thought that only windows, memory, start-up, services and their associated files would need to be scanned and this shouldn’t amount to around 800 on average.

My system is relatively clean with minimal programs running on start-up with only 30 processes running so for over 800 files to be scanned seems excessive. Not to mention it takes about 90 seconds to complete the scan.

Some time ago I believe this was going to be looked at to see what needed to be scanned after boot and if there was perhaps a way to allow user adjustment of what is scanned when avast starts?

It depends what type of files are scanned (if the provider’s settings was not modified weirdly) - and what files are used by system during its starting (could you pls turn scanning notification on - that yellow/blue rectangle under clock? then it could tell you more…).

This could not work as avast takes a lot of time to ‘be ready’ and show the first notification, very after a lot of things are already loaded and loading… :cry: :-\

I have been monitoring it in the last scanned file list in the detailed view of Standard Shield and it flits aroung wildly from C:\Program Files to d:\Program Files to windows\system32, etc too fast really to list all. I would assume that the ‘Show detailed info on performed action’ would be equally as fast as to prove difficult to read. I will enable it and reboot later and get back.

Provider settings are pretty standard:

  • Scanner (Basic) all options ticked.
  • Scanner (Advanced) scan all files on open, always scan WSH script files, Scan created/modified files all files.
  • Blocker, default extension set, Allow the operation, the rest ot selected.
  • Advanced - now Show detailed info on preformed action and the default list of locations not scanned.

Ok did that and as suspected it whizzes through the list so fast as to be difficult to identify much, or to possibly help.

Other than it would appear to be scanning virtually every .exe file on my system, which is obviously not true as a search for *.exe returns 1081 on C: and 547 on D:. This time it recorder 810 files scanned after boot.

I did find some strange folders being scanned. I have a folder for programs that don’t require any registry keys, ‘D:\Utilities-Non-Registry’ for little utility programs and it would appear to be scanning .exe files in there (and sub folders) as well.

What I thought strange that I noticed a couple uninstall exe files flashing through.

They seem so random in the folder and files flipping from C to D partition Program Files (both) to windows, windows\system32, etc.

Well had a bit of a brain wave after mentioning my ‘D:\Utilities-Non-Registry’ folder (in the previous post), I thought why would it possibly look there. I have two additional toolbars that I created to speed access to useful programs that I use relatively frequently to avoid desktop shortcut clutter.

One of them is a shortcut to the Utilities-Non-Registry folder so I thought that this might be the reason for the heavy scan load (3 toolbars and all the 12 desktop shortcuts) so I disabled both of these toolbars and also disabled the quick launch toolbar and rebooted.

Rats, no difference, still scanned in excess of 800 files about 90 seconds before the avast icon stopped.

Any more ideas?

I’d be interested in an answer to this too as I have noticed that Avast! takes rather a long time to stop “spinning” after I logon.

Are you using Kerio Personal Firewall?

No, I’m just using the Windows Firewall (SP2).

My other security s/w is WinPatrol, SpyBot (no Teatimer), Spyware Blaster, Bit Defender (not resident).

Not sure if that was directed at me, but no I use Outpost Pro as in my signature.

Vlk
Add me to this list of curious people and I use ZA.
As David said it takes a long time and seems to delay the boot process at least the actual access
after booting is delayed since it takes so long for the initial scan to complete.

Perhaps some feedback (by way of a poll, etc.) on the numbers of files scanned after boot, your OS and firewall may be of use?

Files Scanned = 300–500, 500-700, 700-900, etc.
OS Type =
Firewall =

Files scanned = 83
OS Type = Windows XP SP2 (aboout 1 month old)
Firewall = Windows XP firewall (This is my second computer, and I am behind a router)

Basically, there’s no scanning on startup invoked by avast at all.
The files that are scanned are being opened by another program, and THIS invokes the scan.

E.g. the Office FastSearch (or how do they call it) feature consists in scanning your hard drives and indexing your files (same goes to Google and MSN Desktop Searches). As the files are being opened, avast scans them.

Normal value for XP users is about 300 files. That’s a plain OS install and Standard Shield’s settings on default.

Thanks
Vlk

I know the one you are talking about the Office (FastFind?) Indexing to supposedly speed opening that kept blipping the hdd LED, I disabled this years ago and I also disabled the windows Indexing Service in XP.

Back to the drawing board to see what could possibly accessing thes files causing avast to scan them.

I recommend Filemon http://www.sysinternals.com/Utilities/Filemon.html to find out which process is opening which files.

Files scanned = 173
OS Type = Windows XP Home
Firewall = Segate 5.6

I have it, but have never used it, not to mention getting it to run on/immediately after boot before things get taken over before avast starts scanning the accessed files effectively stopping any launched programs (filemon, etc.)

I will try to have it run on startup or create a shortcut and start it as soon as possible.

Well I added filemon.exe to the startup group, it seemed to take ages to load after boot but it did and I left it running until the avast icon stopped and I saved the log and closed filemon.

It was running for about 1-2 minutes and is 1.5MB in size with 13,692 lines phew. Well it didn’t start getting interesting or displaying anything useful until about line 3000+ Then there were references by explorer.exe to Explorer.EXE accessing C:\Documents and Settings\All Users\Start Menu\Programs\

The main program/files that feature in the log are:

explorer.exe
ashServ.exe
csrss.exe
Outpost.exe
SnagIt32.exe
procguard.exe (free)
sgmain - SpywareGuard
sgbhp.exe - ditto
TSCHelp.exe
wuauclt.exe
svchost.exe

There really is too much to post here and to me there was little that I could interpret as the cause for the high number of files being scanned. I couldn’t understand why they would be scanned as they are not startup programs and it would appear that ashserv.exe is scanning followed by explorer.exe is accessing them. This is obviously avast intercepting the open followed by allowing it if clean. However, I can’t find anything that appears to be the originating request/call to explorer.exe to open the files.

The only possible assumption after the information overload of the filemon.log and no apparent reason to access or scan many of these files is; could some of these .exe files that are being scanned come from the fact that the icon is being extracted from the programs .exe file to display in the Start, All Programs Menu and their sub menus since icons are displayed in the lists?

I will happily send you the filemon.log 7zipped and more detailed info if you think it may help to get to the bottom of this?

I have Avast4. Where do you turn the scanning notification on? I can find no yellow/blue rectangle anywhere. How do you get to it?

Thanks.