scottls59901 1 Posted June 22, 2021 Share Posted June 22, 2021 FYI- After an earlier post, I stopped doing daily scheduled scans, and my system is faster. Now I'm wondering when to do a Manual scan?- Other AV's I've had ran better, if I scanned after Windows Updates, and program installations... Link to comment Share on other sites More sharing options...
bEeReE 4 Posted June 22, 2021 Share Posted June 22, 2021 What do you mean with "system is faster"? Do you mean that you noted performance issues while scans were running in the background (1) or after the scans just because you run a scan before (2)? Case 1: I would not run daily scans as this is way too much. I have configured smart scans excluding files larger a certain file size for Macbooks every 4 months. For Windows scans without the registry and archives every 14 days. Idle scans are active as well including the registry etc. You can also reduce the scan priority per scan profile in the ThreatSense parameters. I do not run Deep Scans. Case 2: Would be unlogical or more related to an issue. In my case it would be also beneficial if @Marcos could shortly explain how Smart Optimization is actually being implemented in the scanner: If files are scanned, clean and not changed afterwards, will such being scanned again under certain conditions (e.g. new virus signature updates or others (which exactly?)? If yes, by the on-demand as well as realtime scanner or is this differently triggered? That's probably a difference to other scanners which provide an explicit option "scanning new or modified files only". If files are scanned with an on-demand scan and smart optimization is turned on, does this also affect the re-scanning of files in other on-demand scans or the realtime scanner? Or ist it just like an incremental scanning per scan job? Link to comment Share on other sites More sharing options...
itman 1,755 Posted June 22, 2021 Share Posted June 22, 2021 This Eset KB article: https://support.eset.com/en/kb2909-advanced-scanning-options-in-eset-windows-home-products should answer questions in regards to Eset on-demand scanning in regards to Smart scan profile and optimization. When Eset signatures are updated, a default scheduled scan is run. Obviously, it is only checking critical files and system areas normally targeted by malware. Refer to ThreatSense settings under real-time protection settings in regards to how files are processed dynamically. For example, all executable's are scanned upon access. Link to comment Share on other sites More sharing options...
bEeReE 4 Posted June 22, 2021 Share Posted June 22, 2021 1 hour ago, itman said: This Eset KB article: https://support.eset.com/en/kb2909-advanced-scanning-options-in-eset-windows-home-products should answer questions in regards to Eset on-demand scanning in regards to Smart scan profile and optimizationn No, it's not answered. The linked article states clearly that smart optimization will NOT scan already scanned files again. The article does however not refer to what is happening once signatures are updated etc. and what's now exactly being scanned. If I perform an on-demand scan with smart optimization turned on and after that another again, it requires the same amount of time and is not quite faster (if the description had been correct, it would not scan anything again). There are also other statements: This help for version 14 does no longer refer to already scanned files etc. but more to an intelligent way of scanning: https://help.eset.com/eis/14/en-US/idh_config_threat_sense.html?zoom_highlightsub=smart+optimization However this related to scan profiles describes the smart optimization in the way of not scanning when files have already been scanned: https://help.eset.com/eis/14/en-US/work_avas_ondemand_profiles.html And in a version for End Point Protectionn it was described similarly but that already scanned files are excluded until new signatures have been updated. My questions for Marcos are also not yet answered Link to comment Share on other sites More sharing options...
itman 1,755 Posted June 22, 2021 Share Posted June 22, 2021 The best Eset provided explanation I could find is: Quote To ensure a minimal system footprint when using real-time protection, files that have already been scanned are not scanned repeatedly (unless they have been modified). Files are scanned again immediately after each detection engine update. This behavior is controlled using Smart optimization. If this Smart optimization is disabled, all files are scanned each time they are accessed. To modify this setting, press F5 to open Advanced setup and expand Detection engine > Real-time file system protection. Click ThreatSense parameter > Other and select or deselect Enable Smart optimization. https://help.eset.com/eav/14/en-US/idh_config_amon.html The first thing to note is the "Smart optimization" setting applies to ThreatSense protection settings. ThreatSense settings exist in multiple Eset feature setting areas. The above quoted reference is for Real-time protection. In that context, I assume that a file, executable, etc. will be re-scanned after a signature update but of course, only if the file is accessed in some way. As far as On-Demand scanning is concerned, the signature update factor is not applicable. Eset is scanning with the latest signature database. What is "murky" is what does Smart optimization do in this context. My best guess is if a file was recently scanned via Real-time protection, it will be skipped in on-Demand scanning. Link to comment Share on other sites More sharing options...
Administrators Marcos 5,288 Posted June 22, 2021 Administrators Share Posted June 22, 2021 If you run another scan of the same files without the modules being updated in the mean time, most of the files should not be scanned again. After a module update only whitelisted files will be omitted from re-scan. Link to comment Share on other sites More sharing options...
scottls59901 1 Posted June 23, 2021 Author Share Posted June 23, 2021 It doesn't appear that there is an uncomplicated answer, to my question? - I have a Very Fast desktop computer- 5ghz CPU, 5x optical SSD, and normal scans only take 3-4min. Oh Well... Link to comment Share on other sites More sharing options...
bEeReE 4 Posted June 23, 2021 Share Posted June 23, 2021 2 hours ago, scottls59901 said: It doesn't appear that there is an uncomplicated answer, to my question? - I have a Very Fast desktop computer- 5ghz CPU, 5x optical SSD, and normal scans only take 3-4min. Oh Well... We do not exactly know how smart optimization works unless someone from Eset gives a more detailed reply. But my conclusion so far is with focus on scanning speed, it doesn't matter when or if scans are being performed because they won't speed up other/subsequent scans or the realtime scanner much, especially if signatures have been updated between. You can scan whenever you want just to ensure that your full data population is clean (e.g. automatically with the highest possible time interval or manually once half-year/year). with focus on security, it does probably not make that much sense to perform on-demand scans at all because Eset is re-scanning everything again and again with the real-time scanner when files are created/opened/launcehd/modified etc. (assuming that you du not configure the real-time scanner to a lesser protection level than the default settings). the difference to other scanners may be, that those are handling re-scanning differently (e.g. heavily scanning the first time, but no longer the second time). In this scenario, you can gain improvements for the real-time scanner when scanning first with the on-demand. And you may want to re-scan all from time to time when you have newer signatures available. Link to comment Share on other sites More sharing options...
bEeReE 4 Posted June 23, 2021 Share Posted June 23, 2021 10 hours ago, itman said: As far as On-Demand scanning is concerned, the signature update factor is not applicable. Eset is scanning with the latest signature database. What is "murky" is what does Smart optimization do in this context. My best guess is if a file was recently scanned via Real-time protection, it will be skipped in on-Demand scanning. Guess at the end it is more a question of smart optimization turned off vs. on, which will exclude certain file types / whitelisted files etc. from scanning. But the fact that files have already been scanned is not taken that much into consideration. Now we can debate about the pro and cons 🙂 Link to comment Share on other sites More sharing options...
Administrators Marcos 5,288 Posted June 23, 2021 Administrators Share Posted June 23, 2021 Scanned c:\windows\system32 folder. With Smart optimization after update: 15536 files scanned in 20 sec. With Smart optimization, 2nd scan: 15417 files scanned in 1 sec. Without Smart optimization: 15548 files scanned in 266 sec. Link to comment Share on other sites More sharing options...
bEeReE 4 Posted June 23, 2021 Share Posted June 23, 2021 3 hours ago, Marcos said: Scanned c:\windows\system32 folder. With Smart optimization after update: 15536 files scanned in 20 sec. With Smart optimization, 2nd scan: 15417 files scanned in 1 sec. Without Smart optimization: 15548 files scanned in 266 sec. So what's your concrete suggestion for scottls59901? Should he scan frequently or after windows updates in order to improve the performance of the real-time scanner? For the on-demand scanner I can confirm your speed behavior for System32, but not for e.g. files in the user directory. Tested with c\Users\username. Such are scanned in detail the first, then ultra fast the next time if Smart Optimization is enabled. But once the computer was restarted, it takes again the long time. For System32 it remains fast even with new signatures and a restart in my case. Worth to test on your site? Link to comment Share on other sites More sharing options...
Administrators Marcos 5,288 Posted June 23, 2021 Administrators Share Posted June 23, 2021 Frequent on-demand scans are not recommended; whole disk scans will always time time and thus should be run when the computer is idle. Personally I never schedule full disk scans; there are other scanners that ensure that potential malware is detected and blocked. Quote For the on-demand scanner I can confirm your speed behavior for System32, but not for e.g. files in the user directory. That's perfectly ok. I assume you don't have many whitelisted files in the user folder (e.g. Microsoft signed files) so they are re-scanned after a module update. Link to comment Share on other sites More sharing options...
itman 1,755 Posted June 23, 2021 Share Posted June 23, 2021 6 hours ago, bEeReE said: Guess at the end it is more a question of smart optimization turned off vs. on, which will exclude certain file types / whitelisted files etc. from scanning. But the fact that files have already been scanned is not taken that much into consideration. Now we can debate about the pro and cons 🙂 As a test, I disabled Smart optimization in real-time settings. On my device, I have not noticed any performance degradation. As such, I will leave it disabled which will ensure all files upon access are scanned. Link to comment Share on other sites More sharing options...
bEeReE 4 Posted June 23, 2021 Share Posted June 23, 2021 2 hours ago, itman said: As a test, I disabled Smart optimization in real-time settings. On my device, I have not noticed any performance degradation. As such, I will leave it disabled which will ensure all files upon access are scanned. How do you measure that for the real-time scanner? If you want the best performance-security ratio, I would leave Smart Optimization on. The thread is about optimizing, not maximizing security 😀 Link to comment Share on other sites More sharing options...
itman 1,755 Posted June 23, 2021 Share Posted June 23, 2021 (edited) 3 hours ago, bEeReE said: The thread is about optimizing, not maximizing security 😀 Correct. But by having this discussion, I realized max. Eset security is achieve when Smart optimization is disabled for real-time scanning. I will always opt for security over performance. BTW - did observe a slight lag at user sign on time but livable on my part. This is expected since largest volume of files are being accessed and being scanned by real-time protection at this time. Edited June 23, 2021 by itman Link to comment Share on other sites More sharing options...
scottls59901 1 Posted June 24, 2021 Author Share Posted June 24, 2021 11 hours ago, bEeReE said: How do you measure that for the real-time scanner? If you want the best performance-security ratio, I would leave Smart Optimization on. The thread is about optimizing, not maximizing security 😀 I'm confused!?- 1. I have No whitelisted files (I'm a novice user). 2. Is Smart Optimization On by Default (I never messed with it), and if Not exactly how do I turn it on? Link to comment Share on other sites More sharing options...
Administrators Solution Marcos 5,288 Posted June 24, 2021 Administrators Solution Share Posted June 24, 2021 1 hour ago, scottls59901 said: I'm confused!?- 1. I have No whitelisted files (I'm a novice user). 2. Is Smart Optimization On by Default (I never messed with it), and if Not exactly how do I turn it on? 1, Surely you have. Many of the system files are whitelisted, e.g. C:\Windows\System32\svchost.exe, you just can't see it anywhere. For instance if a file comes from Microsoft and has a valid digital certificate, it should be whitelisted. 2, Smart optimization is turned on by default for real-time protection and Smart scan, startup scans and idle-state scan. Smart optimization is safe and files that are omitted from scanning have already been scanned using the current modules or they are trusted (e.g. a file from MS with a valid digital signature is very unlikely to be malicious). Link to comment Share on other sites More sharing options...
bEeReE 4 Posted June 24, 2021 Share Posted June 24, 2021 1 hour ago, scottls59901 said: I'm confused!?- 1. I have No whitelisted files (I'm a novice 2 minutes ago, Marcos said: 1, Surely you have. Many of the system files are whitelisted, e.g. C:\Windows\System32\svchost.exe, you just can't see it anywhere. For instance if a file comes from Microsoft and has a valid digital certificate, it should be whitelisted.. Which is in my point of view perfectly fine (don't worry that your computer is not safe) . Just to give a little bit more sense: In the context of this thread, whitelisted means the files that are somehow excluded from scanning by a mechanism provided by Eset and which does not require manual configuration. As explained e.g. the files from Microsoft that are digitally signed. Such files are the same on all Computers with a specific software version. Eset can check the digital signature and file for validity and integrity - maybe also with additional cross-checks and a first validation during the initial scan. If such files have not been modified, the files must be nearly 100% free from malware and do not require re-scans all the time. Eset may also implement additional mechanisms like creating independent Hash values of a file during the first scan and exclude certain specific files (based on reputation, file types or whatever) for the next scans. Or they may apply other mechanisms. They can also dynamically adjust the behavior in the updates and react to specific conditions. However, how Smart Optimization's conditions are implemented in detail is not yet explained in this thread nor did I found detailed supporting documentation. Link to comment Share on other sites More sharing options...
Administrators Marcos 5,288 Posted June 24, 2021 Administrators Share Posted June 24, 2021 Unfortunately we do not provide detailed description of how our internal mechanisms work like probably no other AV vendor does. The publicly available information is in the documentation and KBs. What is important to know is that Smart optimization provides a safe way of omitting files from scan which substantially speeds up scans. Link to comment Share on other sites More sharing options...
bEeReE 4 Posted June 24, 2021 Share Posted June 24, 2021 26 minutes ago, Marcos said: like probably no other AV vendor does. Totally agree. Your documentation, support and forum etc. is also not standard in the industry and was/is - next to the scanner's performance - an underlining to stay with Eset, in my point of view. I think the source of such discussions here in contrast to other scanners is, that Eset allows for much more detailed configuration (positively as well as negatively viewed) You do not even think about some topics when using others, as there is no option to play around. Link to comment Share on other sites More sharing options...
scottls59901 1 Posted June 25, 2021 Author Share Posted June 25, 2021 18 hours ago, Marcos said: 1, Surely you have. Many of the system files are whitelisted, e.g. C:\Windows\System32\svchost.exe, you just can't see it anywhere. For instance if a file comes from Microsoft and has a valid digital certificate, it should be whitelisted. 2, Smart optimization is turned on by default for real-time protection and Smart scan, startup scans and idle-state scan. Smart optimization is safe and files that are omitted from scanning have already been scanned using the current modules or they are trusted (e.g. a file from MS with a valid digital signature is very unlikely to be malicious). Got to thinking about my original Topic Question?- Does this mean that files are automatically scanned/whitelisted... during normal operating (i.e. after a Windows Update, or a new program installation...?), Or do I need to do a Manual Scan (Just a Normal Scan, Or a different kind 0f Scan?- I Never get a 19sec scan..., but Always a 3-4min scan?)? How do I speed things up? Link to comment Share on other sites More sharing options...
Administrators Marcos 5,288 Posted June 25, 2021 Administrators Share Posted June 25, 2021 You can't speed up scans more than it already is with Smart optimization on. Link to comment Share on other sites More sharing options...
scottls59901 1 Posted June 26, 2021 Author Share Posted June 26, 2021 21 hours ago, Marcos said: You can't speed up scans more than it already is with Smart optimization on. This answers my question about faster scans, but what about this?- Does this mean that files are automatically scanned/whitelisted... during normal operating (i.e. after a Windows Update, or a new program installation...?), Or do I need to do a Manual Scan (Just a Normal Scan, Or a different kind 0f Scan?- Link to comment Share on other sites More sharing options...
Administrators Marcos 5,288 Posted June 26, 2021 Administrators Share Posted June 26, 2021 Files are whitelisted at ESET's backend, you cannot affect whitelisting. What you can do is to create performance exception to prevent certain folders or files from being scanned, however, this creates a potential security hole. Link to comment Share on other sites More sharing options...
Outcast 4 Posted June 28, 2021 Share Posted June 28, 2021 On 6/24/2021 at 1:19 AM, Marcos said: [I]f a file comes from Microsoft and has a valid digital certificate, it should be whitelisted. On 6/26/2021 at 4:48 AM, Marcos said: Files are whitelisted at ESET's backend, you cannot affect whitelisting. This way of doing things can be problematic. I hope ESET puts control back in users' hands: Microsoft admits to signing rootkit malware Link to comment Share on other sites More sharing options...
Recommended Posts