raynor

Difference between "Smart Scan", "In-depth Scan" and "Custom Scan"

Hi,

 

could anyone kindly explain to me the differences between the different scan types:

 

- "Smart Scan"

- "In-depth Scan"

- "Custom Scan"

 

If I was to set the ThreatSense parameters to exactly the same values

in both the "Smart Scan" and "In-depth Scan" profiles

(under Settings-->Computer-->Antivirus and Antispyware-->

On-demand computer scan-->ThreatSense engine parameter setup),

would there be any difference left between these two scan types?

 

I have read the help on that subject, but unfortunately I'm still somewhat puzzled :wacko:

 

Thank you in advance and kind regards

Raynor

 


Raynor,

Hi !! & Thank you for becoming a member of the security forums.

 

I would like to be short and sweet for you.

These are pre-set profiles that ESET has created for you to choose from.

 

The basics behind the Smart scan is a proprietary technique that ESET uses to check digital signatures, time-stamps, and prevent files that have not been changed since last scan, from being scanned "AGAIN" on the next scan you perform that uses Smart Optimization.

Under the threat sense parameters it is the "Enable smart opt. " under other & the Dna. Smart signatures under options when scanning.

 

You can include Smart Opt, with the In-depth scan.

You can also create your own profile or "type of scan without the feature" . Should you want to scan files anyway for logging purposes etc.

 

Hope this makes sense.


Thank you for your quick reply. It is all becoming clearer now :)

 

If I understand you correctly, if I enable the "Enable Smart Optimization" option in the "In-Depth-Scan" profile,

that would mean that this profile is then practically the same as the "Smart Scan" Profile (i.e. there would be no more

difference between the profiles) ?


Correct, except there may be a few other options differentiating them.

You would have then made your In-depth scan a Smart scan, however keep in mind, it then defeats the purpose of in-depth; as the smart opt, will skip files to speed up scanning. ;)


Yes, I'm not going to change the in-depth scan into a smart scan ;) I was just asking for the sake of knowing the differences ;)

 

Thanks again,

raynor


The basics behind the Smart scan is a proprietary technique that ESET uses to check digital signatures, time-stamps, and prevent files that have not been changed since last scan, from being scanned "AGAIN" on the next scan you perform that uses Smart Optimization.

The statement above caught my attention. Is it wise to skip scanning a file because of a timestamp? What timestamp is meant here? What if the timestamp was manipulated by a threat to prevent discovery? Please, convince me that smart optimization is safe to use!


Timestamp is not the sole reason behind it.
Hash is.... I think.
Thanks for inquiring

 

Ex: The scan engine has to programmatically check if the file has been scanned before, and if so, what the signatures and hash of the file is between now and the last scan which was on 12/12/2012.

 

Cryptographic hash functions have many information security applications, notably in digital signatures, message authentication codes (MACs), and other forms of authentication. They can also be used as ordinary hash functions, to index data in hash tables, for fingerprinting, to detect duplicate data or uniquely identify files, and as checksums, to detect accidental data corruption. Indeed, in information security contexts, cryptographic hash values are sometimes called (digital) fingerprints, checksums, or just hash values, even though all these terms stand for more general functions with rather different properties and purposes. -Wiki

 

 

Smart optimization is in no way a compromise to security, and it is indeed safe to use.

If a file has not been changed since the last time it was scanned, then malware or hijacks have not interfered or altered the file.

There is then, no reason to have the engine re-analyze it.

 

Thanks AGH for your concern.

My wording may have been a little confusing in the previous post, and not an in-depth explanation. :)


Indeed, it's safe to use Smart optimization. Coupled with LiveGrid, it provides an effective and safe way to prevent popular and previously scanned files from being scanned repeatedly, especially if they take longer to emulate by advanced heuristics.


The reply of Arakasi confuses me. Apparently smart optimization uses hashes, but you can't determine hashes without opening files. Does this mean that even skipped files in terms of scanning are not skipped completely, since they have to be opened to determine hashes?


Hi AGH,

 

As Marcos stated, we are talking about files that do not have to be scanned by the engine.

The question at hand would most likely lead to proprietary techniques, something ESET would not be interested in divulging.

 

There are several tactics that can be used to get the information required programmatically.

My programming experience is with .NET and I can tell you that you can easily perform some of this using System.IO.Stream.

Beginning with an asynchronous read operation, you can pull whatever data you need from a file.

If you compute hash, it is going to be in the form of a byte, bytes, or if multiple, byte array. *This can then be converted to whatever datatype you would like to use for comparison if different.

Simply using the namespace System.Security.Cryptography has a public function ComputeHash for byte or stream. Add the System.Security.Cryptography.MD5 and you have a public GetHashCode.

 

All this and the comparing can be done in the background and asynchronously.

I do know that it has been said before you don't need .net framework for the software, and most of it is written in assembly language.

My examples above are most likely not the method they are using, and I'm pretty sure Marcos's reference to LiveGrid is where the comparing is done, so as not to take up system resources.

So that's another step that does not need to be done by the system, increasing scanning speed.

 

So IF the files are opened, it's not in the same context or manner that you would normally see opened on the screen, with a PID, and located in your Task Manager as running.

Most likely in a similar manner as streaming. 

 

A little more info on streaming to read write with files

 

*Keep in mind this is the way I would do it, and does not reflect ESET's methods. I do not know, and have never been told how their programs work. I would like their technologies to remain private.

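An added example, not part of the thread and not ESET's method (which the posts above describe as proprietary): a "skip if unchanged" cache in Python that compares a fingerprint built from size and modification time with one built from size and SHA-256, the two options raised in the timestamp and hash questions above. `ScanCache`, its `mode` values and `demo` are hypothetical names, and the sample file content is constructed.

```python
import hashlib
import os
import tempfile

def sha256_of(path, chunk=65536):
    """Stream the file through SHA-256; this is the read a hash check cannot avoid."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

class ScanCache:
    """Hypothetical skip-if-unchanged cache; mode is 'mtime' or 'hash'."""
    def __init__(self, mode):
        self.mode = mode
        self.seen = {}  # path -> fingerprint recorded at the last clean scan

    def _fingerprint(self, path):
        st = os.stat(path)
        if self.mode == "mtime":
            return (st.st_size, st.st_mtime_ns)   # metadata only, file not opened
        return (st.st_size, sha256_of(path))      # content-based, file is read

    def needs_scan(self, path):
        """True when the file is new or differs from the recorded fingerprint."""
        return self.seen.get(path) != self._fingerprint(path)

    def mark_clean(self, path):
        self.seen[path] = self._fingerprint(path)

def demo():
    """Return (mtime_cache_rescans, hash_cache_rescans) after a same-size
    content change whose modification time is set back to the old value."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "sample.bin")
        with open(path, "wb") as f:
            f.write(b"A" * 64)                    # constructed sample content
        by_mtime, by_hash = ScanCache("mtime"), ScanCache("hash")
        by_mtime.mark_clean(path)
        by_hash.mark_clean(path)
        old = os.stat(path)
        with open(path, "wb") as f:
            f.write(b"B" * 64)                    # same size, different bytes
        os.utime(path, ns=(old.st_atime_ns, old.st_mtime_ns))
        return by_mtime.needs_scan(path), by_hash.needs_scan(path)

if __name__ == "__main__":
    print(demo())
```

The metadata-only cache treats the altered file as unchanged, while the hash-based cache flags it for rescanning at the cost of reading the file.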

@Marcos: Thanks for answering my question!

 

@Arakasi: Why do you use so many words if you don't have a clue?


I assumed you would understand my post.

I was wrong.

You have your answer.

This was originally Raynor's thread.

Time to move on.

Additional questions? Create a new Thread/Post.

Thanks
