F-Secure Safe skipping big amount of files in Full Scan
I'm using F-Secure Safe for 2,5 week now, but I'm ecountering a problem now for a few days. I've contacted F-Secure customer support, but they couldn't find anything, so my last chance is trying it here. I'm running it on Windows 7 professional SP 1. (I've don't got any error logs, since there aren't and also the full scan report doesn't shows any irregularity)
I've did a full clean install of my PC 2,5 weeks ago and I'm using F-Secure SAFE ever since. For the first 2 weeks, when doing a full scan (with "scan only known file types" unticked and "scan compressed files" and "scan with heuristics" ticked), it scanned about 220.000/230.000 files consistantly for the last 2 weeks.
Without any change to my PC (not installing or removing anything), it suddenly only scanned around 130-140.000 files when doing a full scan, a few days ago. So suddenly it scans 80.000/90.000 files less! The whole point for me is that, when doing a full scan, it scans everything and I can feel pretty sure that my PC is clean. When skipping this big amount of files, I don't trust it to be clean.
At the same time, Malwarebytes (which I use as second scanner) kept scanning the same amount of files in that period.
Ive tried a complete removal and reinstall of F-Secure, but that didn't change a thing. Tried to scan with all the options and combinations ticked or unticked in the settings menu, but it also didn't solve the problem.
The only thing F-Secure support could think of is that I removed my temp files or that a program did. I haven't got a cleaning tool on my PC, so that isn't the case. The only thing I did was removing cookies and temporary internet and website files manually in the Internet Explorer settings menu. But could that make a difference of 80.000+ files in the full scan? (And why isn't there a change in the amount of files Malwarebytes scans then?)
Anyone got any suggestions?!?
The information in this article could explain some of the differences observed.
I was thinking about that myself (experienced the same with other AV software in the past) but there are a few things that contradict this:
1. In the first 2 weeks, even doing 2 scans in 1 day, the amount of files scanned stayed relatively consistent around 220.000 files. Day after day, scan after scan. If it would skip already because of previous scanned files, this wouldn't be the case. The speed it does the 2nd scan with is indeed faster, but the amount of files didn't change (or at least not this much).
2. The article you are refering to states the following: "New virus definition update and computer restart reset the scan cache. This means that the first scan after the reset scans all files again and takes a longer time"
This would mean that after rebooting the PC (and/or updating prior to it), it would scan like normal. This isn't the case. Still scans the low amount of files.
3. After a full removal and re-install of F-Secure and scanning for the first time after re-install, you would suspect the F-Secure would threat the PC as a first scan (ever), since all previous files and cache where removed. It should not be able to detect that it did scans earlier on the PC.
Sorry for my reply.
Maybe it's related with re-designed some part of scanning background.
Such as... your experience maybe related with my experience too.
Some of files... during full scan (mainly) goes be skipped or ignored or other.
I thought about next points around:
--> F-Secure start to be more related with cloud-based scanning, another design about scanning (such as RAM/CPU/Disk usage scanning difference) - some kind of optimisation, improving for scan-engines and other things.
--> As result (maybe) /and probably on current time... situation more nice, than before/ with my experience (?!) when my system/machine goes to be with overload (such as... scanning "skipped" files as just one file will be normally scanned) F-Secure goes to skip some of them.
Such as.. maybe there can be "trigger" for skip/canceled scanning.. if scan-process goes to be TOO MUCH long or "around stuck"... and F-Secure scanning engine goes to skip file for prevent "forever scanning" or take too much resources for scan. Or something around this.
With my experience... usually skipped/canceled files or "not scanned files" related with large files, zipped files or other files... which can be "dangerous" just with "action" around. It's mean.... during launch/execute file... probably F-Secure still able to get it. Or during "single" scan for certain files.
Sorry for my reply... and sorry if I wrong understand your topic.
Will be nice to read normal response from F-Secure team about points... if it's indeed can be there with any of reasons for changes.
Sorry for not nice English too.
I was also thinking if it had something to do with a change in the software, in regarding to how F-secure scans. Maybe something changed after a recent update from F-secure.
But to be clear: it's not that the scan report says afterwards that it couldn't scan some 80.000 files and skipped them. It just scans less.
The scanreport still talks about the same 11 skipped/"could not scan" files as before the problem.
Oh.. sorry... I understand your situation now. It was visible from first words.... but I goes to think about other meanings (so.. sorry for my previous reply again... because it was not really about main theme).
With current situation.... more strange points, of course.
I can to think just about something like:
--> Potentially... Temp-files (of Internet Explorer) can be with enough size. For example... time to time I goes to clean temporary-files, cache-files and related things for Internet Explorer. But not from UI-settings (not sure.. how many can be different between default feature-step and other). And for example..... on current day.. I have more than twenty thousands temporary files, which can be "safely" removed (most of files - cache files probably. maybe default-feature-cleanings does not delete all of this files).
--> Not sure which different on current time between stable-version and technology-preview-version (beta), but with some of latest versions of TP/beta version comes changes about one of scan-engines.
BlackLight-technology. It's comes as rootkit-engine and previously.. each full scan-process comes with "step", when BlackLight initialized and goes to scan some of files (system-file and other related).
It's also comes about some thousands of files and take some time. Now... with TP-version current engine dropped (not really helpful and there have new tools about same meanngs)... so FULL SCAN can be with less scanned files potentially.
You can to check this suggestion.... if goes to "Right-click for tray-picture"-->""Check updates""--> and will try to find there string about "F-Secure Blacklight Engine" as installed module. If it's missing under list. So.. maybe with stable-version there comes same changes.
Or can be other explanations...
Sorry for my new reply and not nice English.
Thanks for thinking with me for a solution Ukko!
But if it would be the temp files, then after removing and having the lower amount of files scanned, it should steadily rise again after time I would think. Because after removing temp files and cookies the number is lower, but as I use the PC daily and surf on the internet etc., I would gain temp and cache files again and the number of files scanned, should have to rise again I would think?!?
But it is now more than a week ago since removing temp files and cookies, used the PC every day, but still the number of files scanned stays around 140.000, with a fluctuation of a few 1000. But I haven't seen a mayor increase of files, because of getting new temp files, cache and cookies.
Anyone else with an idea which direction to look at? (Or can anyone confirm that removing temp files and cookies in IE could explain a 80.000 files difference?)
Sorry for my new reply.
but what about another suggestion with Blacklight engine (which was removed probably for Bussiness solution recently too. So maybe.... with stable version of F-Secure Safe (same for technology preview) it was dropped too. There was potential steps for check it... under previous reply (with list of updates).
But anyway.. I want to ask else one question.
Today I goes to "re-check" about difference with Scheduled scan (full scan as related) and Full scan (modern variant). So... for my system (potentially.. because between scans was a time.. but not a week) there also can be difference with same numbers of files.
Scheduled scan: 692403 files + 7736 not scanned files;
Full scan: 603227 files + 11970 not scanned files;
Potentially.. it's can be that... F-Secure Scheduled scan still have "old" design of scanner engine.
For example.. there does not have string about F-Secure USS (Universal System Scanner), which probably work as "optimisation and improvements" around scan-process.
And also.. Scheduled scan comes with same settings of full scan, but also there have "/policy" string, which have description as "rootkit/spyware scanning will be enabled by default and it's not possible to be disabled from UI". And maybe scheduled scan have other additional-points about zipped files ?! Maybe it's work with another design or "number" of files goes to be different. Such as "where zipped-file can be marked as one... with another can be numbers from zipped-file".
Anyway... maybe you also can to check about scheduled scan What if it was random... and just my experience comes with difference between files. Or maybe it's a design and you can to get another numbers of files too.
And if it's related with current design.... maybe there indeed some of improve-steps about scanning platform (maybe just as visual ones) or something around rootkit/spyware (which now replaced for Full Scan process and still there with Scheduled scan).
Sorry again for long reply and not nice English.