Jump to content

Recommended Posts

Posted

Hello. I have an unusual result in my depth scan after upgrading the ESET product to version 18.

I perform an on-demand depth scan as administrator on a monthly basis. As you can see in the attached screenshots, before the exhaustive on-demand analysis as administrator ESET analyzed more than three million files. We can see it in screenshots 1 and 2.

Intelligent on-demand scan in administrator mode scanned over 1.5 million files. I was told that it is normal for intelligent scan to analyze fewer files than depth scan mode. We can see it in screenshots 3 and 4.

The first on-demand depth scan as administrator after the installation of ESET product version 18 has analyzed fewer files than in intelligent mode. See fifth and final screenshot.

How can ESET scan fewer files in comprehensive mode as an administrator than in intelligent mode? Is the analysis module malfunctioning?

1.jpg

2.jpg

3.jpg

4.jpg

5.jpg

  • Administrators
Posted

From your post it's not clear if a computer restart was performed between the scans or if modules were updated.

You could make some tests as follows:

1, Temporarily disable the regular update task in scheduler
2, Run a smart scan
3, Run a smart scan again
4, Reboot the machine and run a smart scan
5, Run an in-depth scan
6, Compare the scan times and re-enable the regular update task.

Posted
27 minutes ago, Marcos said:

From your post it's not clear if a computer restart was performed between the scans or if modules were updated.

You could make some tests as follows:

1, Temporarily disable the regular update task in scheduler
2, Run a smart scan
3, Run a smart scan again
4, Reboot the machine and run a smart scan
5, Run an in-depth scan
6, Compare the scan times and re-enable the regular update task.

Hello, Marcos. The first four screenshots of my previous message are from depth scan done weeks or even months ago (the first is from September) so yes, there have been reboots and computer shutdowns and starts in all this time, every day. The last screenshot is from today. I have done an intelligent scan as administrator and the result is shown in the screenshot of this message. You can see that there is a big difference between the number of files it used to scan (screenshots 3 and 4 from the previous message) and those you scan now: less than half. And it is in administrator mode, which always analyzes more than in normal mode.

Modules are apparently updated. Check the data of the modules, you know better the data of update for them.

So, what is happening?

5.jpg

6.jpg

7.jpg

8.jpg

  • Administrators
Posted

The difference could be caused by the fact that unlike v17 and older versions, v18 does not follow links, if safe.

Posted (edited)
10 hours ago, Marcos said:

The difference could be caused by the fact that unlike v17 and older versions, v18 does not follow links, if safe.

Hello, Marcos. Thanks for the answer but I'm not sure that I understand well, English is not my native language. What exactly does "v18 does not follow links" mean? And since the difference between the number of files analyzed both in depth scan as administrator and in smart scan as administrator with version 18 is less than half that in versions 17 and earlier, is possible there are as many links in a computer? We are not talking about 10 or 20%, the number of files analyzed has been reduced by more than 50%.

Best regards.

Edited by AlSky
Posted
1 hour ago, Marcos said:

I don't know how many links you have on your disk, it can be even hundreds of thousands. You can use this tool from Nirsoft, however, it doesn't count them and only lists them: https://www.nirsoft.net/utils/ntfs_links_view.html.

Thank you very much, Marcos. Here we would not be talking about hundreds or thousands, but millions because they are two million files that were previously analyzed with version 17 and previous and now not in the depth scan as an administrator. It's really weird. It is quite rare that, suddenly after the install of version 18, the depth scan as administrator and the smart scan as administrator analyze much less than half of files than before. Could the analysis module have been installed incorrectly or be malfunctioning?

Posted (edited)
30 minutes ago, AlSky said:

Marcos. Here we would not be talking about hundreds or thousands, but millions because they are two million files that were previously analyzed with version 17 and previous and now not in the depth scan as an administrator

You need to run the Nirsoft utility. I let it run for only 5 mins. scanning C:\ and it detected many thousands of symbolic links using only the hard links option.

Edited by itman
  • Administrators
Posted

You could install v17 from scratch and run a scan. Then install v18 from scratch and ran another scan. This way you'll compae apples with apples since the scanned files, modules and the state of cache would be same.

 

Posted (edited)
15 hours ago, Marcos said:

You could install v17 from scratch and run a scan. Then install v18 from scratch and ran another scan. This way you'll compae apples with apples since the scanned files, modules and the state of cache would be same.

 

Hello, Marcos. The result of the smart scan as administrator of version 17 (last one before install 18) occupies 49 pages in Word. Same scan in version 18, only 18 pages. The main difference between one and the other is that in version 18 the result of the analysis is missing everything related to C :\Documents and Settings\User\AppData\Local\Microsoft\, C :\Documents and Settings\User\AppData\Local\Packages\and C :\Documents and Settings\User\Local Settings. For some reason it is omitting a considerable part that previously analyzed in version 17. The same happens with depth scan as administrator.

2.jpg

1.jpg

Edited by AlSky
  • Administrators
Posted
3 minutes ago, AlSky said:

in version 18 the result of the analysis is missing everything related to C :\Documents and Settings\User\AppData\Local\Microsoft\, C :\Documents and Settings\User\AppData\Local\Packages\and C :\Documents and Settings\User\Local Settings. For some reason it is omitting a considerable part that previously analyzed in version 17. The same happens with depth scan as administrator.

That's because v18 skips links (junctions) to avoid scanning same files numerous times.

Posted
2 hours ago, AlSky said:

The main difference between one and the other is that in version 18 the result of the analysis is missing everything related to C :\Documents and Settings\User\AppData\Local\Microsoft\, C :\Documents and Settings\User\AppData\Local\Packages\and C :\Documents and Settings\User\Local Settings

As @Marcos keeps trying to explain, C :\Documents and Settings just contains junction points;

Quote

Documents and Settings is merely a junction point that points to C:\Users:

 Volume in drive C is Windows 10
 Volume Serial Number is F091-584E
 Directory of C:\
10/15/2015  17:13    <JUNCTION>     Documents and Settings [C:\Users]
               0 File(s)              0 bytes
               1 Dir(s)  504,925,093,888 bytes free

It's there to provide backward-compatibility for poorly-written programs.  You are not a poorly-written program --- you should navigate via c:\users.  :D

https://answers.microsoft.com/en-us/windows/forum/all/documents-and-settings-in-windows-10/be87dd2d-f903-427f-b501-932a3a2999d1

Posted (edited)
10 hours ago, Marcos said:

That's because v18 skips links (junctions) to avoid scanning same files numerous times.

Thanks, Marcos. I used a restoration point to come back to the version 17 (I thought perhaps there was some problems during the installation), then installed the 18.012.0 without passing throught the 18.011.0. It keeps the same but the time of scan is reduced as it scans less than half of files gthat used to do.

Best regards.

Edited by AlSky
Posted
8 hours ago, itman said:

As @Marcos keeps trying to explain, C :\Documents and Settings just contains junction points;

Thanks for the explanation, itman. Do you experience the same effect since version 18, that the ESET product  scans much less files than previously?

Best regards.

Posted
1 hour ago, AlSky said:

Do you experience the same effect since version 18, that the ESET product  scans much less files than previously?

I really never paid any attention to scan counts.

The way Eset protects, off-line scans really aren't necessay and I run them infrequently. In most cases, all an off-line scan will detect is some infrequently used app on the disk that has had a detection created since the last time the app was accessed/run.

Posted
12 hours ago, itman said:

I really never paid any attention to scan counts.

The way Eset protects, off-line scans really aren't necessay and I run them infrequently. In most cases, all an off-line scan will detect is some infrequently used app on the disk that has had a detection created since the last time the app was accessed/run.

Ok, itman, thanks. Just the ESET support service told me not very long ago that it advisable performing a monthly depth-scan and that's is what I'm doing. 

Best regards.

Posted (edited)
On 11/5/2024 at 1:19 PM, Marcos said:

That's because v18 skips links (junctions) to avoid scanning same files numerous times.

@Marcos , @itman A question: shouldn't there be a folder called logs in the ESET folder? This: C :\ProgramData\ESET\ESET Security\Logs\eScan

I do not see it anywhere looking for the results of the analysis performed by the ESET product.

Log.png

Edited by AlSky
  • Administrators
Posted
4 minutes ago, AlSky said:

A question: shouldn't there be a folder called logs in the ESET folder? This: C :\ProgramData\ESET\ESET Security\Logs\eScan

I do not see it anywhere looking for the results of the analysis performed by the ESET product.

It should be there if you look into the "C:\ProgramData\ESET\ESET Security\Logs" folder instead of "C:\Program Files\ESET\ESET Security" .

Posted
1 hour ago, Marcos said:

It should be there if you look into the "C:\ProgramData\ESET\ESET Security\Logs" folder instead of "C:\Program Files\ESET\ESET Security" .

But it isn't there. Look the screenshots. It isn't there. How is possible? I didn't delete it.

1.jpg

2.jpg

3.jpg

  • Administrators
Posted

Archivos de programa translates to C:\Program files. C:\ProgramData should be as C:\Datos de programa in a Spanish version of Windows. Logs are located in C:\ProgramData, ie. C:\Datos de programa\ESET\ESET Security\Logs". This folder is hidden so you must enable the display of hidden files.

Posted
7 minutes ago, Marcos said:

Archivos de programa translates to C:\Program files. C:\ProgramData should be as C:\Datos de programa in a Spanish version of Windows. Logs are located in C:\ProgramData, ie. C:\Datos de programa\ESET\ESET Security\Logs". This folder is hidden so you must enable the display of hidden files.

Thanks, Marcos, now I see. I needed activate the option "to see hidden files" because it was hidden.

Thank you very much.

3.jpg

Posted

Hello @Marcos. I'm checking the configuration of the scan module about the question of this thread. Is it normal that in malware analysis the options "potentially undesirable applications" and "potentially dangerous applications" are disabled? Shouldn't be enabled (at least the last one) for the on demand scan?

1.jpg

2 .jpg

Posted
1 hour ago, AlSky said:

Is it normal that in malware analysis the options "potentially undesirable applications" and "potentially dangerous applications" are disabled?

In older Eset versions, you were asked if you wanted to enabled these at installation time. You might have missed it when you originally installed Eset.

The default setting for both is Balanced.

  • Administrators
Posted

The on-demand scanner inherits these settings from Protections -> Detection responses by default.

During the installation of ESET, you are asked if you want to enable PUA detection. All settings are then preserved when upgrading to newer versions.

image.png

Posted
2 hours ago, Marcos said:

The on-demand scanner inherits these settings from Protections -> Detection responses by default.

During the installation of ESET, you are asked if you want to enable PUA detection. All settings are then preserved when upgrading to newer versions.

image.png

Hello, Marcos, and thank you. No, I didn't forget it during the installation. The technical service of ESET Spain told me that there were modifications of the default configuration of the ESET product, so I should return the product to its original configuration and repeat the on-demand scans to see if the decrease in the number of files analyzed continues to happen. I protested that I did not see any sense in the request since some of those modifications are suggested during the installation of the product (like this one) and two others were suggested to me by technical support on another previous occasion. But they insisted. So now I have the ESET product as if I had not selected to enable PUA detection.

Is it possible to enable it now again?

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...