Need to scanning folders/drives when anti-virus is smart

UsernameIssues · 02 Oct 2013

Kurdishboy seems to have the answer(s?) that he wanted - so I hope that he does not mind if we chat about this a bit more in his thread.

ICit2lol said (in part):
"...you just stuck it in and looked at the files and meanwhile it is downloading all sorts of rubbish and malware..."
If any app is copying or moving files - then those files are being accessed. All files that are accessed will be scanned as a part of the real time protection. All files that are written to the fixed hard drives (or to removable media) will also be scanned. Access/activity = real time scan. If nothing starts copying/moving files, then why scan the inactive files on the USB drive?

I'm not arguing against using the feature that you (ICit2lol) mentioned. I hope to present info that convinces people that they should scan every file.

Let me deviate from what Kurdishboy mentioned and turn the discussion to the fixed hard drive(s) in a computer. Most antivirus tools setup a default scan of every file on a computer (or just certain file types). My question would be why? I could use a computer for 10 years and never access many of the files within the Operating System and yet my antivirus app scans them all... Every! Single! Day!

For the sake of simplicity, I'll stick to discussing accessing a file - even though accessing does not mean executing it. In other words, I can copy a virus without letting it run.

For files that are never accessed:
Can a file harm a computer even if it never loads into RAM?
(I think that the answer is no.)
Can a file infect another file by just sitting on the computer?
(I think that the answer is no.)

I'm not ignoring the two posts by LMiller7 in this thread - I'm just going over some of the same questions that I've asked myself (and others) many years ago when antivirus scans would make my computer noticeably slower for more than an hour. I had no choice in the antivirus vendor that my employer picked and I could not change the scan times. Those settings were (& still are) controlled by a central server. So this line questioning was not just something that I sought answers to for the fun of it.

Unfortunately, I never got a good technical explanation of why full scans are needed. Those attempting to answer my questions said sort of what LMiller7 said - but they said it like this:

AV apps can scan a file in different ways. They can compare different things during the different scan types. The real time scans are not as deep as the full drive scheduled scans.

Frankly, I did not find that answer to be very satisfying. It was not very technical. I have read papers that mention how some antivirus apps build local databases containing the file hash of files checked during the full drive scheduled scans. Then the real time scans of those files are faster... but I read that a long time ago. I'm not sure if that is still the practice of modern antivirus apps. If file hash databases are still being used, the full scheduled scans have value based on that alone. How often to do this scan is still up for debate.

To those finding/reading this thread that think the scheduled scans are not of value - I can only say:

You are probably not smarter than those writing the antivirus apps - so you should just follow their advice and keep doing the scheduled scans.

If your are smarter than those writing the antivirus apps - I would really like to talk to you

Now back to the files on a USB stick: I'm not sure that the hash for each file would be added to the local database since the files are on removable media, so I have a harder time understanding the value of scanning files on a USB flash drive that are not accessed. Perhaps its main value is so that you can find out if files that others might access in the future are infected.

Some of the scripts that I compile get flagged as viruses...
...so I've read up on how/why that is
...and what the AV app is looking for
...and what part of the file is flagged
...and I'm still confused :-(
To paraphrase LMiller7, this stuff is complicated.

One final set of thoughts on the value of scanning files every day that may otherwise never get accessed: we are all in this together. While I may never access that file, others might have that same file on their computer and they might access it someday. The antivirus app that is installed on my employer supplied laptop sends info about every file scanned to a central server (within our company). If a combination of files on my computer is found to be dangerous, that info is eventually fanned out to other computers at my company via a signature file generated/circulated within the company.

If you opt in to share that sort of data with your antivirus vendor, then you make the internet a safer place for us all. Thanks

ICIT2LOL · 02 Oct 2013

Yep I know what you mean mate but I still think that as my Kaspersky does auto or at least gives me the option is a a) a good indicator that it is recognised as a possible threat by the pop up alert and b) that by scanning it before you download anything off of it if there should be any nasties hidden away then they are effectively blocked until the security gives the all clear.
Having said that I suppose there is always a chance that malware could breach the scan definitions and I am sure you will agree that no security is 100% foolproof.
The example I gave could also be applied to say you leaving your machine unattended even for a short time and just for a ridiculous example someone with a grudge against you could slip a stick in and if you did not ask for a a scan then data could be downloaded at your expense. Now if say the security was Kaspersky and that lowlife switched off the scan on plugging any storage in it can still be picked up in the reports generated should anything start to go pear shaped.
I am particular pleased with what I have got because of the safe money feature the Kaspersky affords me and I am not aware of any other security software that offers that feature:).

Kurdishboy · 07 Oct 2013

Finally I couldn't find out when I input a USB flash memory into the machine why I should scan it while the AV is so called smart.

UsernameIssues · 07 Oct 2013

Kurdishboy said:

Finally I couldn't find out when I input a USB flash memory into the machine why I should scan it while the AV is so called smart.

UsernameIssues said:

~~~
Perhaps its main value is so that you can find out if files that others might access in the future are infected.
~~~

This is the reason that I gave in my long post.

Maybe others have more thoughts on why you should scan these files.

ICIT2LOL · 07 Oct 2013

Well I think I pointed out in my earlier replies (I stand to be corrected) - if the drive of whatever type is made by myself I click on don't scan because in my own simple logic whatever is on it has already been scanned before you load it onto that drive, because whatever you have downloaded has been through a security check by Kaspersky when it is downloaded and before it goes to the option of "save" or "run" or have you got your config set up to not scan any downloads even before saving it to a drive?? If you have then "user attendite" - user beware.

Now conversely if you have not made that drive yourself then you will have no idea what has been loaded onto it apart from the source telling what and from where and for the sake of a few minutes scan is it really worth the risk?

That does not of course prevent anyone surreptitiously loading a stick or drive into your machine then hitting don't scan and then loading your machine and then removing the drive, Now all a bit James Bond but it could happen and maybe just a prankster or worse someone who really doesn't like you and could in all reality wreck your machine.

The choice is yours in that config setting personally I would no more think of disabling that feature than eat my dirty socks. But like I said the choice is yours look mate I just don't want to see you back with "my machine is going haywire" etc etc

Perhaps I being a bit too simplistic or maybe a touch paranoid but better that than have a heap of intrusive and possibly destructive material exposed to and onto my machines.

Kurdishboy · 08 Oct 2013

I read those two above posts and still don't know why when I insert a USB stick into the machine and open it I should scan it before open it!? (although I always scan that USB before opening it!). Anyway, my problem is about the term "smart". I say when that "smart" really means the exact meaning of the word "smart" so there is no need to scan something. I reread all the posts of this thread from beginning and try to look precisely if there is my answer into them.

Golden · 08 Oct 2013

I thought you got your answer here ?
Need to scanning folders/drives when anti-virus is smart

ICIT2LOL · 08 Oct 2013

Now I am running out of explanations Kurdish mate what I am saying is if you walked down the street and some complete stranger gave you a USB stick and said put this in your machine would you just do that? I rather think that you would be fairly offended if that happened.

If so do you agree to just plug the stick or drive in anyway then any malware on that stick potentilally would infect your machine in a heartbeat, and if you like malware on your machine then that would be the thing to do wouldn't it?
Now what Kaspersky has put in that config feature (scan all drives) in the event that should that happen (however unlikely it would be) the KISS would want to scan it for malware.

Now because you have that config setting enabled it will think that every external drive you put into the machine is suspect because it (the machine and KISS) does not have any idea what is on that drive, and so will want it to be scanned.
Now if you have loaded documents or pictures or other data for example onto a clean stick or drive that you yourself have written or made and are quite happy it does not have any malware on that drive then when KISS pops up that message to do the scan all you need to do is tell it not to scan.
Now you will of course I hope have seen that any software you download will be scanned by the KISS security in what I think you are referring to as it being a "smart" mode before it gives you the option of saving it or running it.

Any dubious software or site if your Kaspersky has been set up (config'd) properly then it will pop up either a bright yellow or red warning sign of the problem before you go ahead with anything.

So you have two choices
1. You disable the scan feature and risk getting malware put on the machine end of story.
2. You enable that feature as I assume it is set now and the KISS will scan anything plugged into the machine for malware IF you want to.

To be fairly blunt KISS (or any security software) is not a mind reader so to speak and treats all plug in devices as suspect.

So the choice is your scan and be safe or do not scan and run the risk of infecting your machine.

Now I might be sounding as if I am telling you what to do and am risking to be seen as high and mighty and knowing it all which I hasten to add I don't . I am just trying to get you to see for the few seconds it takes to switch off the pop up is it really worth risking the security of your machine.
Personally and I have been doing this for years I would rather have it remind me to scan and just switch it off rather that have to come back here and ask how do I clean this rubbish out of my computer.

Last point is I also run on call scanners for stuff that Kaspersky doesn't know how to pick up and the three I use on a regular basis are these

http://www.superantispyware.com/

http://www.malwarebytes.org/products/malwarebytes_free/

http://www.bleepingcomputer.com/download/adwcleaner/

download from bleeping computer

Kurdishboy · 08 Oct 2013

@Golden: OK I consider that as the answer. Thank you all nice guys.

ICIT2LOL · 08 Oct 2013

Keep in mind and on board those on call scanners too they don't take much space and will as i said pick up stuff that Kaspersky doesn't - none are 100% foolproof and the very nature of the malware animal makes that certain.