
When to do a Manual Scan?



FYI- After an earlier post, I stopped doing daily scheduled scans, and my system is faster.

Now I'm wondering when to do a Manual scan?-

Other AV's I've had ran better, if I scanned after Windows Updates, and program installations...

 


What do you mean by "system is faster"? Do you mean that you noted performance issues while scans were running in the background (1) or after the scans just because you ran a scan before (2)?

  • Case 1: I would not run daily scans as this is way too much. I have configured smart scans excluding files larger than a certain file size for Macbooks every 4 months. For Windows scans without the registry and archives every 14 days. Idle scans are active as well including the registry etc. You can also reduce the scan priority per scan profile in the ThreatSense parameters. I do not run Deep Scans.
  • Case 2: Would be illogical or more related to an issue.

In my case it would be also beneficial if @Marcos could briefly explain how Smart Optimization is actually being implemented in the scanner:

  • If files are scanned, clean and not changed afterwards, will they be scanned again under certain conditions (e.g. new virus signature updates or others (which exactly?))? If yes, by the on-demand as well as realtime scanner or is this differently triggered?
    That's probably a difference to other scanners which provide an explicit option "scanning new or modified files only".
  • If files are scanned with an on-demand scan and smart optimization is turned on, does this also affect the re-scanning of files in other on-demand scans or the realtime scanner? Or is it just like an incremental scanning per scan job?

 

 


This Eset KB article: https://support.eset.com/en/kb2909-advanced-scanning-options-in-eset-windows-home-products should answer questions in regards to Eset on-demand scanning in regards to Smart scan profile and optimization.

When Eset signatures are updated, a default scheduled scan is run. Obviously, it is only checking critical files and system areas normally targeted by malware.

Refer to ThreatSense settings under real-time protection settings in regards to how files are processed dynamically. For example, all executables are scanned upon access.


1 hour ago, itman said:

This Eset KB article: https://support.eset.com/en/kb2909-advanced-scanning-options-in-eset-windows-home-products should answer questions in regards to Eset on-demand scanning in regards to Smart scan profile and optimization.

No, it's not answered. The linked article states clearly that smart optimization will NOT scan already scanned files again. The article does however not refer to what is happening once signatures are updated etc. and what's now exactly being scanned. If I perform an on-demand scan with smart optimization turned on and after that another again, it requires the same amount of time and is not quite faster (if the description had been correct, it would not scan anything again).

There are also other statements:

My questions for Marcos are also not yet answered ;)

 

 


The best Eset provided explanation I could find is:

Quote

To ensure a minimal system footprint when using real-time protection, files that have already been scanned are not scanned repeatedly (unless they have been modified). Files are scanned again immediately after each detection engine update. This behavior is controlled using Smart optimization. If this Smart optimization is disabled, all files are scanned each time they are accessed. To modify this setting, press F5 to open Advanced setup and expand Detection engine > Real-time file system protection. Click ThreatSense parameter > Other and select or deselect Enable Smart optimization.

https://help.eset.com/eav/14/en-US/idh_config_amon.html

The first thing to note is the "Smart optimization" setting applies to ThreatSense protection settings. ThreatSense settings exist in multiple Eset feature setting areas. The above quoted reference is for Real-time protection. In that context, I assume that a file, executable, etc. will be re-scanned after a signature update but of course, only if the file is accessed in some way.
 
As far as On-Demand scanning is concerned, the signature update factor is not applicable. Eset is scanning with the latest signature database. What is "murky" is what does Smart optimization do in this context. My best guess is if a file was recently scanned via Real-time protection, it will be skipped in on-Demand scanning.

  • Administrators

If you run another scan of the same files without the modules being updated in the mean time, most of the files should not be scanned again. After a module update only whitelisted files will be omitted from re-scan.


It doesn't appear that there is an uncomplicated answer, to my question? -

I have a Very Fast desktop computer- 5ghz CPU, 5x optical SSD, and normal scans only take 3-4min.

Oh Well...


2 hours ago, scottls59901 said:

It doesn't appear that there is an uncomplicated answer, to my question? -

I have a Very Fast desktop computer- 5ghz CPU, 5x optical SSD, and normal scans only take 3-4min.

Oh Well...

We do not exactly know how smart optimization works unless someone from Eset gives a more detailed reply. But my conclusion so far is

  • with focus on scanning speed, it doesn't matter when or if scans are being performed because they won't speed up other/subsequent scans or the realtime scanner much, especially if signatures have been updated between. You can scan whenever you want just to ensure that your full data population is clean (e.g. automatically with the highest possible time interval or manually once half-year/year). 
  • with focus on security, it does probably not make that much sense to perform on-demand scans at all because Eset is re-scanning everything again and again with the real-time scanner when files are created/opened/launched/modified etc. (assuming that you do not configure the real-time scanner to a lesser protection level than the default settings).
  • the difference to other scanners may be, that those are handling re-scanning differently (e.g. heavily scanning the first time, but no longer the second time). In this scenario, you can gain improvements for the real-time scanner when scanning first with the on-demand. And you may want to re-scan all from time to time when you have newer signatures available.

10 hours ago, itman said:

As far as On-Demand scanning is concerned, the signature update factor is not applicable. Eset is scanning with the latest signature database. What is "murky" is what does Smart optimization do in this context. My best guess is if a file was recently scanned via Real-time protection, it will be skipped in on-Demand scanning.

Guess at the end it is more a question of smart optimization turned off vs. on, which will exclude certain file types / whitelisted files etc. from scanning. But the fact that files have already been scanned is not taken that much into consideration. Now we can debate about the pros and cons 🙂


  • Administrators

Scanned c:\windows\system32 folder.

With Smart optimization after update:
15536 files scanned in 20 sec.

With Smart optimization, 2nd scan:
15417 files scanned in 1 sec.

Without Smart optimization:
15548 files scanned in 266 sec.


3 hours ago, Marcos said:

Scanned c:\windows\system32 folder.

With Smart optimization after update:
15536 files scanned in 20 sec.

With Smart optimization, 2nd scan:
15417 files scanned in 1 sec.

Without Smart optimization:
15548 files scanned in 266 sec.

So what's your concrete suggestion for scottls59901? Should he scan frequently or after windows updates in order to improve the performance of the real-time scanner?

For the on-demand scanner I can confirm your speed behavior for System32, but not for e.g. files in the user directory. Tested with c:\Users\username. Such are scanned in detail the first time, then ultra fast the next time if Smart Optimization is enabled. But once the computer was restarted, it takes again the long time. For System32 it remains fast even with new signatures and a restart in my case. Worth testing on your side?


  • Administrators

Frequent on-demand scans are not recommended; whole disk scans will always take time and thus should be run when the computer is idle. Personally I never schedule full disk scans; there are other scanners that ensure that potential malware is detected and blocked.

Quote

For the on-demand scanner I can confirm your speed behavior for System32, but not for e.g. files in the user directory.

That's perfectly ok. I assume you don't have many whitelisted files in the user folder (e.g. Microsoft signed files) so they are re-scanned after a module update.


6 hours ago, bEeReE said:

Guess at the end it is more a question of smart optimization turned off vs. on, which will exclude certain file types / whitelisted files etc. from scanning. But the fact that files have already been scanned is not taken that much into consideration. Now we can debate about the pros and cons 🙂

As a test, I disabled Smart optimization in real-time settings. On my device, I have not noticed any performance degradation. As such, I will leave it disabled which will ensure all files upon access are scanned.


2 hours ago, itman said:

As a test, I disabled Smart optimization in real-time settings. On my device, I have not noticed any performance degradation. As such, I will leave it disabled which will ensure all files upon access are scanned.

How do you measure that for the real-time scanner? If you want the best performance-security ratio, I would leave Smart Optimization on. The thread is about optimizing, not maximizing security 😀

 


3 hours ago, bEeReE said:

The thread is about optimizing, not maximizing security 😀

Correct.

But by having this discussion, I realized max. Eset security is achieved when Smart optimization is disabled for real-time scanning. I will always opt for security over performance.

BTW - did observe a slight lag at user sign on time but livable on my part. This is expected since largest volume of files are being accessed and being scanned by real-time protection at this time.

Edited by itman

11 hours ago, bEeReE said:

How do you measure that for the real-time scanner? If you want the best performance-security ratio, I would leave Smart Optimization on. The thread is about optimizing, not maximizing security 😀

 

I'm confused!?-

1. I have No whitelisted files (I'm a novice user).

2. Is Smart Optimization On by Default (I never messed with it), and if Not exactly how do I turn it on?


  • Administrators
  • Solution
1 hour ago, scottls59901 said:

I'm confused!?-

1. I have No whitelisted files (I'm a novice user).

2. Is Smart Optimization On by Default (I never messed with it), and if Not exactly how do I turn it on?

1, Surely you have. Many of the system files are whitelisted, e.g. C:\Windows\System32\svchost.exe, you just can't see it anywhere. For instance if a file comes from Microsoft and has a valid digital certificate, it should be whitelisted.

2, Smart optimization is turned on by default for real-time protection and Smart scan, startup scans and idle-state scan.

Smart optimization is safe and files that are omitted from scanning have already been scanned using the current modules or they are trusted (e.g. a file from MS with a valid digital signature is very unlikely to be malicious).
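A small model of the skip rules as stated in the ESET help text quoted earlier in the thread and in the administrator's replies, added here as an illustration and not part of any post. It is not ESET's code: the content-hash cache, the `trusted` set standing in for backend whitelisting, and all file names and contents are assumptions.

```python
import hashlib

class ScanModel:
    """Toy model of the skip rules described in this thread (not ESET's code)."""

    def __init__(self, trusted_hashes, engine_version=1):
        self.trusted = set(trusted_hashes)   # assumption: vendor-side whitelist by content hash
        self.engine_version = engine_version
        self.clean = {}                      # path -> (sha256, engine version at scan time)

    def update_modules(self):
        # A detection-engine update invalidates every cached verdict.
        self.engine_version += 1

    def scan(self, files, smart=True):
        """Return the paths that were actually inspected in this pass."""
        inspected = []
        for path, data in files.items():
            digest = hashlib.sha256(data).hexdigest()
            if smart and digest in self.trusted:
                continue                     # trusted and unmodified: omitted
            if smart and self.clean.get(path) == (digest, self.engine_version):
                continue                     # unchanged since a scan with current modules
            inspected.append(path)           # stands in for the real detection work
            self.clean[path] = (digest, self.engine_version)
        return inspected

def demo():
    # Constructed sample data; names and contents are illustrative only.
    sys_file = r"C:\Windows\System32\svchost.exe"
    doc = r"C:\Users\username\report.docx"
    files = {sys_file: b"vendor-signed binary", doc: b"user document v1",
             r"C:\Users\username\tool.exe": b"unsigned tool"}
    m = ScanModel({hashlib.sha256(files[sys_file]).hexdigest()})
    first = m.scan(files)                    # the two user files
    second = m.scan(files)                   # nothing: verdicts are cached
    m.update_modules()
    after_update = m.scan(files)             # user files again, trusted file still skipped
    files[doc] = b"user document v2"
    after_edit = m.scan(files)               # only the modified document
    files[sys_file] = b"tampered binary"     # hash no longer matches the trusted set
    tampered = m.scan(files)                 # the altered system file is inspected
    no_smart = m.scan(files, smart=False)    # everything, every time
    return [len(x) for x in (first, second, after_update, after_edit, tampered, no_smart)]
```

In this model a trusted file is skipped only while its content still matches the trusted hash, so a modified system file falls back to a normal scan.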


1 hour ago, scottls59901 said:

I'm confused!?-

1. I have No whitelisted files (I'm a novice 

2 minutes ago, Marcos said:

1, Surely you have. Many of the system files are whitelisted, e.g. C:\Windows\System32\svchost.exe, you just can't see it anywhere. For instance if a file comes from Microsoft and has a valid digital certificate, it should be whitelisted.

 

Which is in my point of view perfectly fine (don't worry that your computer is not safe) :). Just to give a little bit more sense: 

In the context of this thread, whitelisted means the files that are somehow excluded from scanning by a mechanism provided by Eset and which does not require manual configuration. As explained e.g. the files from Microsoft that are digitally signed. Such files are the same on all Computers with a specific software version. Eset can check the digital signature and file for validity and integrity - maybe also with additional cross-checks and a first validation during the initial scan. If such files have not been modified, the files must be nearly 100% free from malware and do not require re-scans all the time. Eset may also implement additional mechanisms like creating independent Hash values of a file during the first scan and exclude certain specific files (based on reputation, file types or whatever) for the next scans. Or they may apply other mechanisms. They can also dynamically adjust the behavior in the updates and react to specific conditions. 

However, how Smart Optimization's conditions are implemented in detail is not yet explained in this thread nor did I find detailed supporting documentation.


  • Administrators

Unfortunately we do not provide detailed description of how our internal mechanisms work like probably no other AV vendor does. The publicly available information is in the documentation and KBs. What is important to know is that Smart optimization provides a safe way of omitting files from scan which substantially speeds up scans.


26 minutes ago, Marcos said:

 like probably no other AV vendor does.

Totally agree. Your documentation, support and forum etc. is also not standard in the industry and was/is - next to the scanner's performance - an underlining to stay with Eset, in my point of view. 

I think the source of such discussions here in contrast to other scanners is, that Eset allows for much more detailed configuration (positively as well as negatively viewed) ;) You do not even think about some topics when using others, as there is no option to play around.


18 hours ago, Marcos said:

1, Surely you have. Many of the system files are whitelisted, e.g. C:\Windows\System32\svchost.exe, you just can't see it anywhere. For instance if a file comes from Microsoft and has a valid digital certificate, it should be whitelisted.

2, Smart optimization is turned on by default for real-time protection and Smart scan, startup scans and idle-state scan.

Smart optimization is safe and files that are omitted from scanning have already been scanned using the current modules or they are trusted (e.g. a file from MS with a valid digital signature is very unlikely to be malicious).

Got to thinking about my original Topic Question?-

Does this mean that files are automatically scanned/whitelisted... during normal operating (i.e. after a Windows Update, or a new program installation...?), Or do I need to do a Manual Scan (Just a Normal Scan, Or a different kind of Scan?-

I Never get a 19sec scan..., but Always a 3-4min scan?)?

How do I speed things up?


21 hours ago, Marcos said:

You can't speed up scans more than it already is with Smart optimization on.

This answers my question about faster scans, but what about this?-

Does this mean that files are automatically scanned/whitelisted... during normal operating (i.e. after a Windows Update, or a new program installation...?), Or do I need to do a Manual Scan (Just a Normal Scan, Or a different kind of Scan?-


  • Administrators

Files are whitelisted at ESET's backend, you cannot affect whitelisting. What you can do is to create performance exception to prevent certain folders or files from being scanned, however, this creates a potential security hole.


On 6/24/2021 at 1:19 AM, Marcos said:

[I]f a file comes from Microsoft and has a valid digital certificate, it should be whitelisted.

 

On 6/26/2021 at 4:48 AM, Marcos said:

Files are whitelisted at ESET's backend, you cannot affect whitelisting.

This way of doing things can be problematic. I hope ESET puts control back in users' hands:

Microsoft admits to signing rootkit malware


This topic is now closed to further replies.