Quote: Originally Posted by marsmimar
Are these malware scans scanning my C: drive twice? Once by going through the file system and once by not going through the file system?
Not really. Directly accessing the disk through the Win32 Device namespace allows MSE to bypass device filters, and also device drivers and any COM-based Namespace Extensions that may be filtering filesystem output or showing virtual folders, e.g. 'C:\Windows\assembly', which is a COM Namespace Extension that shows file output differently from the actual disk directory layout.
I think the output of MSE is just showing C:\ when internally it's actually using \\?\C:\ the entire time. Using the disk directly via \\?\C:\ would make sense, as there are many layers where this output could otherwise be hooked or filtered to hide files.
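The concern raised in the reply above, that a listing can be filtered or augmented on its way to the caller, is what cross-view comparison checks for: list the same directory through two paths and diff the results. The sketch below is an added example, not code from the post or from MSE; the function names are hypothetical and both listings are constructed sample data.

```python
# Added example: cross-view diff of two directory listings (constructed data).
PREFIXES = ("\\\\?\\", "\\\\.\\")  # the \\?\ and \\.\ path prefixes

def canonical(path):
    """Reduce a Windows path to a key comparable across both views."""
    for prefix in PREFIXES:
        if path.startswith(prefix):
            path = path[len(prefix):]
            break
    # Unify separators, drop a trailing backslash, compare case-insensitively.
    return path.replace("/", "\\").rstrip("\\").casefold()

def cross_view(api_listing, raw_listing):
    """Return entries seen in only one of the two views."""
    api = {canonical(p): p for p in api_listing}
    raw = {canonical(p): p for p in raw_listing}
    return {
        # Present at the lower level but missing from the high-level listing:
        # candidates for hooked or filtered output.
        "hidden_from_api": sorted(raw[k] for k in raw.keys() - api.keys()),
        # Present only in the high-level listing: virtual entries, such as
        # folders synthesised by a namespace extension.
        "only_in_api": sorted(api[k] for k in api.keys() - raw.keys()),
    }

# Constructed sample listings of one directory, as two views might report it.
API_VIEW = [
    r"C:\Data\report.docx",
    r"C:\Data\Notes.txt",
    r"C:\Data\VirtualFolder",
]
RAW_VIEW = [
    r"\\?\C:\Data\report.docx",
    r"\\?\C:\Data\notes.txt",
    r"\\?\C:\Data\hidden.sys",
]

if __name__ == "__main__":
    for kind, entries in cross_view(API_VIEW, RAW_VIEW).items():
        print(kind, entries)
```

Entries that differ only in case or prefix are treated as the same file, so only real discrepancies between the two views are reported.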