Jump to content

Scanning take too long to finish


Go to solution Solved by Marcos,

Recommended Posts

I do still need to try to significantly improve the time it takes to do a full scan though. I’ve spoken with Support about it, but no resolution yet. The last scan on one of the PCs took over 16.5 hours and scanned 5,694,043 objects. How can there be that many of anything on a PC? Maybe there are some areas that don’t need to be scanned?

Hi ESET Team,  see the above information from our client

Currently, he has scheduled a scan from his machine, Any thoughts?

Link to comment
Share on other sites

  • Administrators

Scanning large archives and disk images may take hours. Try running a scan with archives disabled.

Link to comment
Share on other sites

I will tell the client to disable Archives 

 

see the below information from the client :

 

 

I can confirm I don’t have any external devices connected. Yes, I do have a lot of browser windows open and can clear that cache again, and I’ll take a look at CCleaner, thanks.

 

However, as an example, in the last two scans performed, the first scanned 3.49 million objects, and the second just a week later scanned 5.69 million objects, taking 16.5 hours. These were both “Smart Scans” and I’d really like to know how a PC can pick up 2.5 million extra items in a week when it hasn’t been used much. Something seems very odd. How does a “Smart Scan” operate? Is it not ignoring items that haven’t altered since the previous scan, or similar? So in the absence of major change on the PC, the number of objects scanned really shouldn’t be dramatically increasing.

 

On another front, are there possibly some files and folders that can be excluded from a weekly scan perhaps? The whole PC is scanned each time.

 

Really appreciate your help with this. I’ve just renewed ESET for another two years, but I do have this lingering serious concern about its impact on the system.

Link to comment
Share on other sites

  • Administrators

We've recently added support for new versions of some packers so it's possible that now we unpack and scan more.  Please let us know how long a scan with disabled archives / SFX archives takes.

Should it still scan too many files, they could create a Procmon log with a filter for file events, the ekrn.exe process and enable dropping of filtered events to keep the log as small as possible. Prior to running Procmon, please have them disable Protected service in the HIPS setup and reboot the machine. After running a scan and saving the log, re-enable it and reboot the machine again.

image.png

Link to comment
Share on other sites

Hi ESET Team, 

Can you help me to response on this case :#CASE_00727712

#

 I’ve put in a fair bit of time working through the suggestions you sent for ESET configuration parameters, and I can see the potential for making a big difference, thanks. I did three back-to-back scans yesterday through to today. With the changed ThreatSense parameters, the first one only had to scan 874,000 objects, instead of over 5.69 million like my last weekly scan (!), and it took 3.75 hours. Testing a variety of options, the other two scans ran for up to nearly 7.5 hours. Still a good improvement from 16.5 hours, but I need to double check some things with you about the scan settings please, so I can make sure future weekly scans are as efficient as possible, without compromising system security. My questions are highlighted in blue, with proposed settings underlined …

 

  1. I found that my normal weekly scans had been scanning Archives, so I disabled that in all these latest scans as you suggested, and I guess that’s what made a big difference. I’ll make sure Archives remain disabled in future weekly scans, thanks.
  2. I noticed that the standard Smart Scan profile, by default, scans Runtime Packers, but based on the info you sent, I tried disabling that in today’s first scan as well. Then I wondered what difference it would have made if it had been enabled like in a normal Smart Scan, so I enabled it in the next scans to see how much time that added on etc. It nearly doubled the scan time! and increased the number of scanned objects by 1,279,000! so it would certainly be a bonus to exclude Runtime Packers as well as Archives. Please just confirm though that there’s no loss of system security if weekly malware scans don’t scan Runtime Packers, Gil?
  3. When Runtime Packers were included, the scan found a variant of “EFI/CompuTrace.A” in the UEFI Partition, which has been showing up in weekly scans for some time now, but from what I can find, that doesn’t seem to be an issue of concern. Is that correct?
  4. I tried turning off Advanced Heuristics in today’s first scan too, to test a minimalist strategy, but I guess if it’s enabled by default in a Smart Scan, I probably shouldn’t turn that off. So I enabled it again in the other scans. Should Advanced Heuristics be enabled in weekly malware scans, ?
  5. One other thing I thought may have been impacting the run-time of weekly scans was that the “Preserve Last Access Timestamp” setting was ON. It seems it’s OFF as the default in a Smart Scan profile, and I thought that might have a bearing on the process used by Smart Scan, so I’ve turned that off for all of these latest scans. Should Preserve Last Access Timestamp stay off? and would that have made any difference anyway?
  6. To be able to properly experience the benefit of “Smart” scanning, the third scan used identical parameters to the second scan, and it was run straight after the second scan (with only an annoying but unavoidable auto Windows Update happening between the two). “Enable Smart Optimization” was definitely selected in both scan profiles.

    The latter scan still took 6.5 hours, which was only 10% quicker than the previous one … so something still doesn’t feel right about “Smart” Scanning. Shouldn’t the Smart Scan have excluded almost all of the objects scanned just prior? The scans were run back-to-back, so surely the last scan should have been much, much quicker than the previous one as a Smart Scan because the digital signatures, time-stamps etc would have shown the files were clean and hadn’t been changed between the scans. Can you help me understand this please ? It seems to be a key potential performance issue.
Link to comment
Share on other sites

Posted (edited)

Can you help me with the above information.

Do i need to collect logs?

 

Cheers, 

Gil 

Edited by Microbe
Add details
Link to comment
Share on other sites

  • Administrators
41 minutes ago, Microbe said:

I found that my normal weekly scans had been scanning Archives, so I disabled that in all these latest scans as you suggested, and I guess that’s what made a big difference. I’ll make sure Archives remain disabled in future weekly scans, thanks.

If the user has disk images and other big archives in a specific folder(s) on a disk, it'd be better just not to select this folder(s) in scan targets rather then disabling archive scanning completely.

41 minutes ago, Microbe said:

I noticed that the standard Smart Scan profile, by default, scans Runtime Packers, but based on the info you sent, I tried disabling that in today’s first scan as well. Then I wondered what difference it would have made if it had been enabled like in a normal Smart Scan, so I enabled it in the next scans to see how much time that added on etc. It nearly doubled the scan time! and increased the number of scanned objects by 1,279,000! so it would certainly be a bonus to exclude Runtime Packers as well as Archives. Please just confirm though that there’s no loss of system security if weekly malware scans don’t scan Runtime Packers, Gil

Unlike archives, runtime packers are used to compress executable and make them smaller. Such files are unpacked in memory upon execution. Therefore it is not wise to disable runtime packers although the files should be still scanned / unpacked by advanced heuristics.

41 minutes ago, Microbe said:

When Runtime Packers were included, the scan found a variant of “EFI/CompuTrace.A” in the UEFI Partition, which has been showing up in weekly scans for some time now, but from what I can find, that doesn’t seem to be an issue of concern. Is that correct?

As far as EFI/Computrace is concerned, we recommend creating a detection exclusion (https://support.eset.com/en/kb6567). However, you can try upgrading the UEFI firmware to the latest version available in case the vendor has removed CompuTrace in the mean time.

41 minutes ago, Microbe said:

I tried turning off Advanced Heuristics in today’s first scan too, to test a minimalist strategy, but I guess if it’s enabled by default in a Smart Scan, I probably shouldn’t turn that off. So I enabled it again in the other scans. Should Advanced Heuristics be enabled in weekly malware scans, ?

Advanced heuristics is crucial for detection of malware. Disabling it would deteriorate detection capabilities by a great extent. It's always turned on by default except scan on execution.

41 minutes ago, Microbe said:
  1. One other thing I thought may have been impacting the run-time of weekly scans was that the “Preserve Last Access Timestamp” setting was ON. It seems it’s OFF as the default in a Smart Scan profile, and I thought that might have a bearing on the process used by Smart Scan, so I’ve turned that off for all of these latest scans. Should Preserve Last Access Timestamp stay off? and would that have made any difference anyway?

This setting is there mainly for backup programs that might consider files changed after scanning if the timestamp was not preserved.

41 minutes ago, Microbe said:

To be able to properly experience the benefit of “Smart” scanning, the third scan used identical parameters to the second scan, and it was run straight after the second scan (with only an annoying but unavoidable auto Windows Update happening between the two). “Enable Smart Optimization” was definitely selected in both scan profiles.

The latter scan still took 6.5 hours, which was only 10% quicker than the previous one … so something still doesn’t feel right about “Smart” Scanning. Shouldn’t the Smart Scan have excluded almost all of the objects scanned just prior? The scans were run back-to-back, so surely the last scan should have been much, much quicker than the previous one as a Smart Scan because the digital signatures, time-stamps etc would have shown the files were clean and hadn’t been changed between the scans. Can you help me understand this please ? It seems to be a key potential performance issue.

Complete disk scans will always take time and won't complete in a few minutes. If modules have been updated between two scans, the cache will be cleared. Otherwise it could happen that previously undetected malware for which a detection has been added in the last update would not be detected if the file was not re-scanned. With Smart optimization enabled many files will be skipped, especially those signed by Microsoft. The good news is that with v17.1 we will bring multi-thread scanning which should improve scan times on modern systems with multiple-core CPUs.

Link to comment
Share on other sites

  1. I found that my normal weekly scans had been scanning Archives, so I disabled that in all these latest scans as you suggested, and I guess that’s what made a big difference. I’ll make sure Archives remain disabled in future weekly scans, thanks.

 

Answer: If the user has disk images and other big archives in a specific folder(s) on a disk, it'd be better just not to select this folder(s) in scan targets rather than disabling archive scanning completely.

I have no idea where all the archives are. Based on scan numbers, there must be something like 3.5 million objects involved (!), which I just can’t fathom at all. Most must be system-related I guess. If I continue with weekly scans at all (see below), I think for the sake of practicality I’d have to stay with the option of excluding Archives from the scans. That is the default Smart Scan configuration after all anyway. Scans that included Archives have run continuously for up to 16.5 hours, maybe even longer at times I believe. That’s just infeasible.

 

  1. I noticed that the standard Smart Scan profile, by default, scans Runtime Packers, but based on the info you sent, I tried disabling that in today’s first scan as well. Then I wondered what difference it would have made if it had been enabled like in a normal Smart Scan, so I enabled it in the next scans to see how much time that added on etc. It nearly doubled the scan time! and increased the number of scanned objects by 1,279,000! so it would certainly be a bonus to exclude Runtime Packers as well as Archives. Please just confirm though that there’s no loss of system security if weekly malware scans don’t scan Runtime Packers, Gil?

Answer: Unlike archives, runtime packers are used to compress executable and make them smaller. Such files are unpacked in memory upon execution. Therefore it is not wise to disable runtime packers although the files should be still scanned / unpacked by advanced heuristics.

I don’t really understand the last part of that last sentence... “although the files should be still scanned etc…” Is this referring to the settings for Real-time File System Protection? Does it imply that if the RTFSP settings for Runtime Packers are set so that they’re scanned on Creation, Open and Execution with Advanced Heuristics, that will still provide good protection
without them being included in weekly malware scans? Maybe the same would apply to Self-extracting Archives too. Relying on the RTFSP could mean much quicker weekly scans. So, in short, are you saying it would provide the optimum protection to scan absolutely everything in weekly scans, but RTFSP provides sufficient protection on its own?

This thought led me to check ESET settings a bit further, in particular on the latest clean installation done on a new laptop. That showed there’s no configured weekly scan provided by default. (I remember now adding that myself ages ago, only because the previous internet security software brands I’d used did a weekly scan.) This suggests that the ESET program’s default and recommended setup doesn’t require a regular scan at all. It can protect the system adequately just with RTFSP and the other scheduled auto checks that come with a standard setup.

That’s great! The Advanced ThreatSense config for RTFSP already includes Runtime Packers and Self-extracting Archives, and Advanced Heuristics. I could probably consider also enabling Runtime Packers and Advanced Heuristics in the RTFS ThreatSense config for even more ongoing protection, and maybe stop the weekly scans altogether.

So, unless there’s info to the contrary somewhere, I’m inclined to think I should just rely on the standard out-of-the-box ESET setup, maybe with the tweaks mentioned above to strengthen the RTFSP settings even more (and monitor for performance impacts), and perhaps check out weekly scans again when the multi-threading of version 17.1 arrives. Surely ESET have provided an appropriately configured product setup out-of-the-box, so there shouldn’t be any problem with using it as it came, right?

 

Hi ESET Team, 

Can you check the above response from our client, just focus on the marron words.

 

Thank you!

Link to comment
Share on other sites

7.To be able to properly experience the benefit of “Smart” scanning, the third scan used identical parameters to the second scan, and it was run straight after the second scan (with only an annoying but unavoidable auto Windows Update happening between the two). “Enable Smart Optimization” was definitely selected in both scan profiles.

Answer: Complete disk scans will always take time and won't complete in a few minutes. If modules have been updated between two scans, the cache will be cleared. Otherwise it could happen that previously undetected malware for which a detection has been added in the last update would not be detected if the file was not re-scanned. With Smart optimization enabled many files will be skipped, especially those signed by Microsoft. The good news is that with v17.1 we will bring multi-thread scanning which should improve scan times on modern systems with multiple-core CPUs.

It's great to hear about multi-thread scanning coming, because there really seems to be a problem with the performance and operation of Smart Scans now. There wasn’t a module update between the latest two scans, so the cache wouldn’t have been cleared. (There wasn’t even an internet connection at the time of the scans.) The second Smart Scan simply scanned 13027 fewer objects out of 2.15 million, so that’s not “many files” being skipped at all, and it saved just 0.75 hours scanning time. The scan still took 6.5 hours with Runtime Packers and Self-extracting Archives included, but excluding Archives. That’s not demonstrating much of a benefit of Smart Scanning at all... It firstly scanned 2.15 million objects, and then immediately re-scanned 2.14 million of those same clean objects.
That’s the major issue I’m trying to draw to your attention about the operation of Smart Scans.

 

Hi ESET Team, 

Can you check this too

 

Link to comment
Share on other sites

  • Administrators

Please make sure that the computer is online, otherwise ESET won't be able to query LiveGrid about the reputation of files and skip those whitelisted. If you think that a disk scan takes long, try to scan folder by folder to narrow it down to those that take long to scan and then continue to narrow it down to particular files. If they are not large and take long to scan, we'd like to get them for a check.

Link to comment
Share on other sites

Hi Marcos,

I will share your response with our client. 

and i will let you know once they have response from us

 

Cheers, 

Gil

Link to comment
Share on other sites

Hi Marcos,

 

Can you help us to give the best answer on his question?

Hi Gil. I made some significant observations and asked for some answers or confirmations in my email. These are all very important to my use of ESET, and since ESET HQ haven’t specifically responded to any of those, could you give considered responses to each point please?

It seems that he need more information regarding on his concern:

 

 

  1. I found that my normal weekly scans had been scanning Archives, so I disabled that in all these latest scans as you suggested, and I guess that’s what made a big difference. I’ll make sure Archives remain disabled in future weekly scans, thanks.

 

Answer: If the user has disk images and other big archives in a specific folder(s) on a disk, it'd be better just not to select this folder(s) in scan targets rather than disabling archive scanning completely.

I have no idea where all the archives are. Based on scan numbers, there must be something like 3.5 million objects involved (!), which I just can’t fathom at all. Most must be system-related I guess. If I continue with weekly scans at all (see below), I think for the sake of practicality I’d have to stay with the option of excluding Archives from the scans. That is the default Smart Scan configuration after all anyway. Scans that included Archives have run continuously for up to 16.5 hours, maybe even longer at times I believe. That’s just infeasible.

 

  1. I noticed that the standard Smart Scan profile, by default, scans Runtime Packers, but based on the info you sent, I tried disabling that in today’s first scan as well. Then I wondered what difference it would have made if it had been enabled like in a normal Smart Scan, so I enabled it in the next scans to see how much time that added on etc. It nearly doubled the scan time! and increased the number of scanned objects by 1,279,000! so it would certainly be a bonus to exclude Runtime Packers as well as Archives. Please just confirm though that there’s no loss of system security if weekly malware scans don’t scan Runtime Packers, Gil?

Answer: Unlike archives, runtime packers are used to compress executable and make them smaller. Such files are unpacked in memory upon execution. Therefore it is not wise to disable runtime packers although the files should be still scanned / unpacked by advanced heuristics.

I don’t really understand the last part of that last sentence... “although the files should be still scanned etc…” Is this referring to the settings for Real-time File System Protection? Does it imply that if the RTFSP settings for Runtime Packers are set so that they’re scanned on Creation, Open and Execution with Advanced Heuristics, that will still provide good protection
without them being included in weekly malware scans? Maybe the same would apply to Self-extracting Archives too. Relying on the RTFSP could mean much quicker weekly scans. So, in short, are you saying it would provide the optimum protection to scan absolutely everything in weekly scans, but RTFSP provides sufficient protection on its own?

This thought led me to check ESET settings a bit further, in particular on the latest clean installation done on a new laptop. That showed there’s no configured weekly scan provided by default. (I remember now adding that myself ages ago, only because the previous internet security software brands I’d used did a weekly scan.) This suggests that the ESET program’s default and recommended setup doesn’t require a regular scan at all. It can protect the system adequately just with RTFSP and the other scheduled auto checks that come with a standard setup.

That’s great! The Advanced ThreatSense config for RTFSP already includes Runtime Packers and Self-extracting Archives, and Advanced Heuristics. I could probably consider also enabling Runtime Packers and Advanced Heuristics in the RTFS ThreatSense config for even more ongoing protection, and maybe stop the weekly scans altogether.

So, unless there’s info to the contrary somewhere, I’m inclined to think I should just rely on the standard out-of-the-box ESET setup, maybe with the tweaks mentioned above to strengthen the RTFSP settings even more (and monitor for performance impacts), and perhaps check out weekly scans again when the multi-threading of version 17.1 arrives. Surely ESET have provided an appropriately configured product setup out-of-the-box, so there shouldn’t be any problem with using it as it came, right?

 

 

 

7. To be able to properly experience the benefit of “Smart” scanning, the third scan used identical parameters to the second scan, and it was run straight after the second scan (with only an annoying but unavoidable auto Windows Update happening between the two). “Enable Smart Optimization” was definitely selected in both scan profiles.

Answer: Complete disk scans will always take time and won't complete in a few minutes. If modules have been updated between two scans, the cache will be cleared. Otherwise it could happen that previously undetected malware for which a detection has been added in the last update would not be detected if the file was not re-scanned. With Smart optimization enabled many files will be skipped, especially those signed by Microsoft. The good news is that with v17.1 we will bring multi-thread scanning which should improve scan times on modern systems with multiple-core CPUs.

It's great to hear about multi-thread scanning coming, because there really seems to be a problem with the performance and operation of Smart Scans now. There wasn’t a module update between the latest two scans, so the cache wouldn’t have been cleared. (There wasn’t even an internet connection at the time of the scans.) The second Smart Scan simply scanned 13027 fewer objects out of 2.15 million, so that’s not “many files” being skipped at all, and it saved just 0.75 hours scanning time. The scan still took 6.5 hours with Runtime Packers and Self-extracting Archives included, but excluding Archives. That’s not demonstrating much of a benefit of Smart Scanning at all... It firstly scanned 2.15 million objects, and then immediately re-scanned 2.14 million of those same clean objects.
That’s the major issue I’m trying to draw to your attention about the operation of Smart Scans.

 

Can you help us answer the above information.

Cheers, 

Gil

 

 

Link to comment
Share on other sites

  • Administrators

Default out-of-the-box settings are recommended for most users. Enabling advanced heuristics or runtime packers on execution in the real-time protection setup is at user's discretion. If the user doesn't notice slow-down after enabling them, the settings can stay enabled, otherwise they should be turned off.

Running a weekly scan is not a must. A startup scan is run after each module update as well as when the system starts so any possible malware should be cleaned automatically even if it was not executed or accessed and detected by real-time protection. Nevertheless, if you schedule a regular disk scan, I'd recommend disabling only archives. The other settings are quite important not to be turned off.

As I have previously recommended, try narrowing it down to the folder and file(s) that take long to scan. If they are not large archives, we could check why it takes long to scan them.

Link to comment
Share on other sites

Hi ESET Team, 

We don't want to say things or answer his question if we are not totally sure, so see the below questions of our client:

1. Hi again . I think I can see what’s happening with this, after more playing around with it. You might like to confirm on your setup what I’m seeing here … the profile selection in the scheduled task is not independent from the profile selection in the Advanced Setup / Malware Scans / On-demand Scan configuration. This is very misleading, or a bug.

 

If the profile selection in a scheduled scan job has to be governed by the Malware Scan / On-demand Scan profile selection, there really shouldn’t be a selection box for the on-demand scan profile in the task scheduler. In that case, could you get ESET to remove the selection box from the job scheduler in the next software release please? It should simply display what the default on-demand profile selection is (based on the setting in Malware Scans / On-demand scans).

 

If it’s a bug though, and the profile type of the on-demand scan is actually supposed to be selectable for a scheduled job, can you report the bug to ESET so that can be addressed please? This would seem the most likely scenario, because otherwise how could someone set up multiple scheduled jobs for different types of on-demand scans if they wished? … like a weekly scan that excludes archives and a monthly scan that includes archives for example.

 2. Hi i said you were away on Thursday and Friday which is good, because on re-reading my last messages (attached) I realised I should provide some more clarification and an example …

 

Below, when I say this:

 

“… the profile selection in the scheduled task is not independent from the profile selection in the Advanced Setup / Malware Scans / On-demand

Scan configuration”

 

what I mean is that I’ve found the scan profile I try to set for the scheduled task always just reverts to whatever is showing at the time in the profile selection box on the “Advanced Setup / Malware Scans / On-demand scan” page, so that selection determines what type of scan is done, NOT the profile that I selected for the scheduled task.

 

For example, if I select “Smart Scan” as the profile for a scheduled on-demand scan job, but what is displaying as the last profile I was looking at on the “Advanced Setup / Malware Scans / On-demand scan” page is the “In-depth Scan” profile, the scheduled job will run as an In-depth Scan, NOT a Smart Scan, and “In-depth Scan” will show as the selected profile when I revisit the configuration of the scheduled task, NOT the “Smart Scan” profile I’d previously selected and saved for that task.

 

I hope that’s clearer, Gil. Surely those two things should be independent of each other and it’s a software bug, right?

 

Please help us about the right response to our customer

 

Cheers,

Gil

 

Link to comment
Share on other sites

  • Administrators
  • Solution
Quote

I’ve found the scan profile I try to set for the scheduled task always just reverts to whatever is showing at the time in the profile selection box

This will be fixed in v17.1 soon. You can switch to the pre-release update channel in the advanced update setup to get it later this week.

Link to comment
Share on other sites

  • 2 weeks later...

Hi Marcos, 

He emailed us today, can you check the below information for us?

Hi again Gil. Sorry about this, but is it possible to reopen this ticket? More information has come to light. When I closed the ticket, based on your previous responses I’d decided to persist with using standard Smart Scan settings for weekly scans, at least till version 17.1 is released, but strangely, things have gotten out of hand again. I’ve made new observations and now have some questions about Smart Optimisation, scanning duplication, and archives Gil...
 
Smart Optimisation
 
On one of our PCs in particular, I’m again seeing crazy long scan times, even using the “out-of-the-box” Smart Scan options (Email and Archives disabled, Heuristics and Advanced Heuristics enabled, and Smart Optimisation enabled). The system only has 456gb of disk space in use, but a scan of the whole system took over 29 hours on 31/3. That’s just totally impractical, so it’s prompted me to watch closely again. Admittedly, the internet wasn’t connected for most of that scan due to a wireless problem, but when I redid the same scan a week later, that time with the internet connected, it still took 24.5 hours. The detection engine version numbers were different for those two scans, but there’d been almost no activity on that PC through the intervening week so it’s hard to understand why they took so ridiculously long.
 
Maybe the somewhat improved time of the second scan related to it being internet connected (?), but it’s hard to see any benefit at all from Smart Optimisation. Virtually all the same files had been scanned just a week prior with no problems detected. My understanding of ESET Support’s response about this is that Smart Optimisation won’t show any benefit if there’s been a module update between two scans, because the cache will have been cleared. I’ve seen that even running two scans a few hours apart, the detection engine version can change. Updates are so frequent, this would suggest there really is virtually never going to be any benefit from Smart Optimisation because the cache will almost always be cleared between scans.
 
So, here are my questions about this:
  1. Is my understanding correct that module updates “clearing the cache” between scans removes all the potential benefit of Smart Optimisation?
  2. To better understand scan results, if a file is skipped because of Smart Optimisation, is it excluded from the files counted in the scan, or does it still show as included?
  3. This is a feature request - Could ESET perhaps be enhanced in the future to display the total number of files that have been skipped in the scan because of Smart Optimisation, so we can actually see the benefit we get from the feature?
  4. … And Gil, if you know of a way, a combination of circumstances or whatever, to truly get demonstrable benefit from Smart Optimisation as it works now, please let me know. Nothing I’ve seen so far in real-world results has provided any confidence that the feature is of any use at all, the way it currently operates.
 
Scanning duplication
 
I also noticed a couple of other odd things when looking closely at recent scan results. Firstly, some files had been scanned four times! Others, twice. Investigating this, I saw that there were some shortcuts set up on the system for things like the Documents folder. I don’t know the origin of the shortcuts. They’ve apparently been in place for years, but they suddenly now seem to have caused many files to be re-scanned multiple times. (See attached examples.)
 
Re-running the same scan after de-selecting the shortcuts in the scan’s file set, it still took 15.5 hours, but at least the same filenames didn’t keep appearing in the scan results, and the number of scanned objects reduced by 5 million!
 
  1. The existence of file or folder shortcuts shouldn’t lead to ESET re-scanning all the same objects, should it Gil? Is this a software bug? and could it be a recent issue (like between 24/3 and 31/3)? … because the object numbers scanned on the system have skyrocketed this month, and no files have been added to the system. (Previously, even a full scan including archives, totalled 5.69 million objects at most, but these latest scans, supposedly excluding archives, have totalled nearly 10 million objects!)
 
Archives
 
It looks like archives are maybe still being scanned even though they’re disabled in the Smart Scan. (Again, see the attached examples – I’m assuming .zip files are regarded as archives, but other file extensions noticed in the scan results included .tar.gz as well, for example.)
 
  1. Can you shed some light on this please Gil? Is this a relatively recent issue as well perhaps (like between 18/3 and 21/3)? because I’ve previously seen a clear reduction in objects scanned when removing Archives from the scan, but numbers are significantly up again now, even though archives aren’t supposed to be included.

scan examples (1).pdf

Link to comment
Share on other sites

  • Administrators
  1. Is my understanding correct that module updates “clearing the cache” between scans removes all the potential benefit of Smart Optimisation?
    No, whitelisted files will still be omitted from scans. Only non-whitelisted files will be re-scanned after a module update.
  2. To better understand scan results, if a file is skipped because of Smart Optimisation, is it excluded from the files counted in the scan, or does it still show as included?
    Yes, if a file is skipped it's not counted.
  3. This is a feature request - Could ESET perhaps be enhanced in the future to display the total number of files that have been skipped in the scan because of Smart Optimisation, so we can actually see the benefit we get from the feature?
    No, there are no such plans.
  4. … And Gil, if you know of a way, a combination of circumstances or whatever, to truly get demonstrable benefit from Smart Optimisation as it works now, please let me know. Nothing I’ve seen so far in real-world results has provided any confidence that the feature is of any use at all, the way it currently operates.
    Smart optimization skips whitelisted files from scanning (typically signed Microsoft files or other whitelisted / popular files).
  5. The existence of file or folder shortcuts shouldn’t lead to ESET re-scanning all the same objects, should it Gil?
    With Smart optimization it's likely that a file referenced by a shortcut would not be scanned again if it has already been scanned.
Link to comment
Share on other sites

Hi ESET Team, 

 

See the below details from the client:

 

Note: That I only send the information to our client - so I didn't give him any response that I am not totally sure, that's why I posted here to our ESET Forum - I hope that you will understand

 

See the below response with our client - the answer is highlighted with color blue 

Is my understanding correct that module updates “clearing the cache” between scans removes all the potential benefit of Smart Optimisation?
No, whitelisted files will still be omitted from scans. Only non-whitelisted files will be re-scanned after a module update.


Ok, thanks. So … I might be misunderstanding “whitelisting” etc. The reason I’m trying to understand this better is it’s key to making sense of what I’m seeing in numbers of files scanned and length of times for scans, and how I need to manage those things. I’d really appreciate your continued help with this please.

Previously Gil said in an email dated 12/3 (included in the message thread below): “The basics behind the Smart scan is a proprietary technique that ESET uses to check digital signatures, time-stamps, and prevent files that have not been changed since last scan, from being scan "AGAIN" on the next scan you perform that uses Smart Optimization.” Please confirm this is what’s supposed to happen.

It's critical to know this, because it would mean two scans done closely together when there’s been no file activity between them should lead to the second one taking almost no time at all if the first found no malware (because virtually all files should be skipped in the second scan). Should that be true?

Maybe this isn’t what you mean by “whitelisting” though. What are you referring to as whitelisting if it’s something different from this?

 

Cheers, 

Gil

Link to comment
Share on other sites

  • Administrators

Please keep the responses to the point and as short as possible so that we don't need. Ideally respond with not more than a few sentences.

What is the scan time with archives and sfx archives turned off and Smart optimization enabled? How many objects are scanned? If the scan takes long, try scanning folder by folder to narrow it down to one that takes longest to scan and then narrow it down to concrete files. If they are not large and still take long to get scanned, please provide them for perusal.
How does the scan time and the number of scanned objects change after a module update?

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...