2nd Full Scan is not faster

NikKNikK Posts: 935 Rock Star

According to http://community.f-secure.com/t5/Security-for-PC/Did-the-product-really-scan-my/ta-p/15410 a second full scan will skip files that haven't changed since the first full scan, so the second full scan will take just a few minutes.

This is not the case for me.

My manual scan settings is maximum search: ALL file types + Archives + Advanced Heuristics

 

My Q is: What manual scan settings do I need to have in order to get this faster second Full Scan?

Accepted Answer

Comments

  • SimonSimon Posts: 2,661 Superuser

    Turning off Advanced Huristics and ticking 'Scan only known file types' should make it quicker.  I wasn't aware that F-Secure only scanned 'new or changed' files on a second and subsequent scans, so I'll have to try that.  :)

  • NikKNikK Posts: 935 Rock Star

    Sorry, I can't accept this as a solution.

    Of course I understand that a full scan will be faster if I only scan known file types and not using heuristics! But that was NOT my question.

     

    According to the Knowledge Base articel i referred to, the second full scan will be much faster than the first full scan I do, becasue files that haven't changed since the first full scan will not be scanned during the second scan.

     

    Could please a product expert answer me what requirements there are in order to get this functionality?

    If it is dependent of manual scan settings, then please inform what manual settings are needed.

  • SimonSimon Posts: 2,661 Superuser
    I would just like to clarify that it wasn't me who marked the topic as 'solved'.

    With respect, I am not to know the level of expertise you have on the product, but I apologise that my suggestion, although factually correct, was not the answer you were looking for.
  • Can I ask what is the time-interval between your scans? In particular whether the two scans were separated by an update of the F-Secure Program?

     

    This is because even with this caching/trusting of files, in most AV's this is only a temporary feature  because when signature updates are downloaded, then it has to re-trust the files again. But I am not sure whether F-Secure works in this way.

     

    Overall if you run 2 scans close together, the second scan skips all/most files since they have already been scanned, have not changed, and you are still using the same virus definitions set that was used in the original scan.

     

    I have just confirmed this with the default scan settings. Maybe you could try 2 quick scans and then another one after an update?

     

    Worth a try until an expert comes along.

  • NikKNikK Posts: 935 Rock Star

    @Simon You have nothing to apologise for, you just contributed to the topic. I just meant that who ever marked it as a solution couldn't have read my question accurately.

     

    @Blackcat First of all, I always(after new IS install) change the manual scan settings to all file types/arhives/heuristics. I've done regular full scans with IS 2012, 2013 and now 2014. Never has a second full scan been much faster than the first. Maybe once a month in general, but after I found this KB article I've scanned several days straight and sometimes 2 times a day(just to test).

    Thank you for verifying with default scan settings! But I don't want to use the default settings. I've missed detections in the past more than once just because I used the default settings.

     

    So, my re-phrased Q will be:

    Are my modified manual scan settings preventing this much faster second full scan?

    (nothing about scan settings is mentioned in the KB)

  • Aloha NikK,

    In my experience it is as blackcat said; "with new definitions (UD or UG) it needs a new full scan".

     

    IMO: The only way to speed up a second scan, is not to update ANY part of F-Secure.

    To achieve this you have to stay offline or do 2 scans in an hour.

    So it is safe to say that the second scan will not/never be faster, under normal conditions.

  • NikKNikK Posts: 935 Rock Star

    If you're correct(and it sounds likely) then the KB article is very badly described. It says nothing about the second scan being dependent of the same definition version as the first full scan. Nor does it say anything about if it's dependent on certain manual scan settings.

    It's VERY time and CPU(100%) consuming to run a full scan with maximum manual scan settings. That's why I started this topic in the first place.

     

    Could a product expert please explain this so we don't have to speculate and run full scans all the time to test this?

  • Aloha NikK,

    Have done some testing today.

    Ran several manual scans on USB sticks.

    On All I scanned  within archives and all the F-secure definitions of the two scans (1st and 2nd run ) were the same.

    The changing parameters were Heuristics and the Known/all files options.

    (Both off, 2 x one on, Both on)

    Not once the 2nd scan was faster, with both on (heur- On, Scan All files)  it was even slower.

     

    When I switched my network connection off, during a scan (Heur-Off, Scan all Files), the scan hung.

    - That didn't happen before -

     

    So I agree with you that the article is badly described, but found the last sentence (more) reason for concern.

    What it sort of sez is; No matter how deep your manual scan is, it will skip certain locked system files anyway.

    That defeats the purpose of a manual heuristics scan.

    - I rarely use the heuristics option, reasons being time consumption and false positives -

     

    Concluding; It's safer to run a "planned" automatic All files scan with Heur-Off, compared to a manual All files scan with the heur-on, because the latter one will skip system files.

    Have a nice 1

  • NikKNikK Posts: 935 Rock Star

    Interesting, so not much seems to be accurate in the KB article. Why can't a product expert inform us how this works?

    Thanks for taking the time to investigate!

    I don't agree, I have never ever encountered a false positive, and I always scan for heuristics. I'm logged in as admin(don't know if that makes a difference) and don't think any system files are skipped, besides the pagefile and all windows logs. It always mention those as not scanned in the report. That's ok as they are not important/critical files. My pagefile btw is encrypted so I don't think it can be scanned at all.

    As for heuristics, I don't remember all detections but I do remember if was the difference between finding malware in outlook .pst files, and reporting them as clean.

     

    If we don't get a good explanation for this I think maybe the KB should be changed to: If your second full scan is much faster than the first, that's normal(simplified explained). The most normal scenario for most users though is that a second full scan is NOT faster than the first.

  • NikKNikK Posts: 935 Rock Star

    Thank you Ben for verifying this!

     

     

    Additional info about Manual vs Scheduled scan:

     

    I just did a scheduled scan and it actually skipped more files than the manual. It still skipped pagefile and windows logs but is also couldn't access my files encrypted with EFS(cause it now wasn't ME scanning the files).
    CPU usage was still 100% almost all of the time. So I will definetively continue to do all my scans manually.

  • Yet looking at this article in the knowledge base, more potential malware may be found in a scheduled scan, compared to a manual scan;  http://community.f-secure.com/t5/Security-for-PC/Fewer-viruses-found-in-manual/ta-p/18176

     

    This is because a scheduled scan uses a Local System account which can scan additional folders such as System Restore.  

  • SimonSimon Posts: 2,661 Superuser
    Surely though, it should be expected that F-Secure finds any and all types of malware, with any method used to perform a full scan? Security software shouldn't have to be run under certain perameters in order to offer full detection and protection, in my view, especially if these perameters are not clearly defined within the product's UI.
  • NikKNikK Posts: 935 Rock Star

    Thanks guys, great info!
    I did a manual full scan and compared it to my scheduled from yesterday(new virus and spyware def):
    They took just as long to do, only differed seconds
    4447 less files scanned in manual (probably System Restore files)
    58 more files not scanned in scheduled (due to my EFS files)
    And I noticed that the not scanned windows logs are completely different files between the manual and scheduled scan.

     

    So to be extra sure then you probably should do both a manual AND scheduled scan, that's my conclusion. This seems confusing and I agree with @Simon on that point.

     

    Normally though you don't have do to manual scans as long as you have real-time scanning: http://community.f-secure.com/t5/Security-for-PC/Should-I-manually-scan-my-hard/ta-p/15412

    In that KB it also says: "If you want, you can scan manually for viruses by using scheduled scanning". That statement makes you think manual and scheduled are the same which it's clearly not.

     

    I do manual scans as a extra safety. Just like I sometimes scan with other products as a second opinion.

  • If my machine is clean, when installing a new version of an AV/a new AV,  I carry out a quick on-demand scan and then that's it for on-demand scans.

     

    For scanning, I rely on my real-time Guard and a regular weekly scan with Malwarebytes. I have never carried out a FULL scan with an AV for years. 

     

    So I do not rely on an AV for my sole primary defense but generally run one with an AE/Sandbox and a good imaging program as part of a layered defense.

     

    Overall, the information found in this thread should add to an interesting knowledge-based article on Scanning with F-Secure.

  • Hiya All,

    Want to point out that by not scanning System restore, you skip the most frequently used hiding place for malware.

     

     

    Would be nice to have a commandline icon, that does a (Local System Account) scan with the parameters set by the manual scan option.

    Has anyone done that yet? 

     

    The only stuff we need to know is the exact syntax to paste in the 2 lines (Target: and start In: ).

     

    - Tried it and it works, 1 example -

    1) Create a CMD line shortcut.

    Paste (or type) the path to the fsav.exe file in the: "Start in" line.  - JUST the path! embedded in quotes ( " " ) -

     

    in my case:

    "C:\Program Files\F-Secure\apps\ComputerSecurity\Anti-Virus\"

     

    Then in the target line, AFTER the cmd.exe part it should look like this (cmd.exe included):

     

    %SystemRoot%\system32\cmd.exe /K fsav.exe /system

     

    The /K fsav.exe is the important part,

    /All /hard /system /rootkit /spyware /archive /beep ( /disinf /quar /rename )

    and so forth you can add to your own insight and needs, some switches need extra info like /policy.

    (Couldn't find the Heuristics switch at all)

    Have a nice one

  • NikKNikK Posts: 935 Rock Star

    Great! But note that it'll probably only work on old Windows versions, it was changed in Vista I think. Type whoami and check.

     

    PStools has a PSexec utility that let's you launch as Local System Account if you want. Example:

     

    C:\PsExec.exe -i -s -d %SystemRoot%\system32\cmd.exe /K "C:\Program Files\F-Secure\apps\ComputerSecurity\Anti-Virus\fsav.exe" c:\ /policy /report=c:\scanreport.txt

     

    Now typing whoami responds: "nt authority\system".
    And when you use /policy your manual scan settings will be used. This is from the report file for the above command to verify what /policy does:

     

    Scanning options:

    Target: C:\ + system + rootkits

    Scan all files

    Action:

    Viruses: Disinfect infected files

    Spyware: Quarantine and delete

    Scan inside archives: on

     

    Note: You have to run this schortcut as Administrator to give PSexec authority to do this (PSexec -s parameter = run as System Account)

    PStools: http://technet.microsoft.com/en-us/sysinternals/bb897553

     

    As for heuristics flag missing, it's also missing from the scanning reports both manual and scheduled, if heuristics was on or off.

    Enraged1
  • JenniJenni Posts: 697 Former F-Secure Employee

    Hello,

     

    I asked our Internet Security product expert @Cale to review the KB article. He has now revised it after having checked the functionality again. Many thanks for bringing this up, and thanks for everyone how has contributed to this discussion, your feedback is very valuable for us. It helps us improving the knowledge base.

     

    Kind regards,

    Jenni

  • Hi Jenni

     

    IMHO the heading of the KB article does not reflect the content.

     

    Would it not be better to title it something like"Factors affecting Speed of second/subsequent on-demand scans"

  • Hiya NikK (and the rest),

    Thanks for the info, you're right about the Vista bit.

    (Usually I'm running as an Admin or other types of super user, set by UI modding progs. -but this time it was XP-)

     

    Still think it's a nice idea to have an F-Secure own solution for a deep manual scan. (Sysfiles included)

    - For all the OS's -

     

    Have a nice 1, all.

  • JenniJenni Posts: 697 Former F-Secure Employee

    Hello @Blackcat ,

     

    many thanks for your feedback. I checked this with @Cale , too, and it is a good idea to change the title to "Factors affecting the speed of second virus scan". I'd like to avoid the terms "subsequent" and "on-demand" as we also want to address non-techies and non-native English speakers with this KB article. I hope this suits you.

     

    Cheers,

    Jenni

    siramic
  • BlackcatBlackcat Posts: 511

    Hi Jenni

     

    looking forward to reading amended KB article.

  • JenniJenni Posts: 697 Former F-Secure Employee

    Hi @Blackcat,

     

    here's the revised KB article (heading & question edited): http://community.f-secure.com/t5/Security-for-PC/Factors-affecting-the-speed-of/ta-p/15410

     

    Cheers,

    Jenni

    siramic
  • BlackcatBlackcat Posts: 511

    Hi Jenni,

     

    what about this one?

     

    An initial full computer scan checks all hard drives for malware, such as spyware, viruses and rootkits. A second full scan will generally be significantly faster, compared to the first,  because only the files that have changed will be scanned.

     

    However, new virus definition updates and a computer restart, will reset the scan cache. This means that the first scan after the update/restart will scan all files again and take a longer time. 

     

    Therefore 2 scans carried out within a short period of time, will be considerably different, the second one being much faster. Those separated by a few hours, when an update has occured, will show little difference.

     

    Differences in bold.

     

     

    Questions;

     

    1. Will a reboot reset the cache?

     

    2. Do we need the info. about the archived files? may confuse newbies?

     

This discussion has been closed.