Proposal: "Intelligent" Scan
GuitarBob


Joined: 09 Jul 2006
Posts: 4340
Location: USA
How about a so-called "intelligent" scan for ClamWin? My definition of this would be only executable files in directories/folders that are most likely to harbor a virus. ClamWin is already set up to filter for certain filenames. I guess an "intelligent" option would require the developers to populate the filenames with what they consider to be the most likely executables in the most likely directories. This would speed up scans, and it might not require a lot of programming, since certain elements to this already exist.

I would suggest this as an option for the user to select, and it might be something to consider for Version 1.0 also. I don't know whether you would want this for scheduled scans, "quickie" scans from Windows Explorer, or all scans.

Regards,
galileo


Joined: 01 Nov 2006
Posts: 19
Location: Charlotte, NC USA
I have proposed something analogous to this several times without any notable response. That being: Once a full scan has been performed and the system is benchmarked as "clean", then from that point forward only "new" items need scanning. Thus, only the "entry" points for new files would need to be monitored, since the existing "on-board" files have been benchmarked as clean. These entry points would reasonably consist of removable storage/drives, email, LAN, and internet access points. Thus, the real-time scanning effect on one's typical system performance would be negligible. The only scanning activity would occur when something was being copied into the machine or executed on the machine from a remote/removable source.

The net result is improved performance while still maintaining real-time scanning. One could almost think of this approach as akin to a file-based firewall... so to speak. After all, why do I need to continually scan again and again and again (ad nauseam) "all" the same executables, DLLs, etc., etc. for all of my system activity when I have already established them as safe...? All I really want is real-time protection against "new" potential threats... at least until they are established as safe.

....just some thoughts.....
Intelligent Scanning
GuitarBob


Joined: 09 Jul 2006
Posts: 4340
Location: USA
Yeah, they don't think too much of such suggestions--eh?

ClamWin version 1.0 will have checkfigures to determine if a file has changed since the previous scan and needs checking again. This should help reduce scan time significantly.

In the meantime now and in ClamWin V 1.0 also, I can't see checking any files that are not executable/infectable. Many people now complain about ClamWin's slow scan speed. Of course we can filter out/include any file extensions we want, but many users don't/won't do any filtering. I suggest letting the ClamWin developers decide what should be checked (if the user selects that option)--since that would probably be "intelligent."

Checkfigures in combination with a more intelligent scan would probably give ClamWin a similar scanning speed to some of the commercial AV scanners. What an intelligent scan is should/would change over time as new infection vectors/techniques manifest, and I would think the developers should be on top of that and able to change scan items as needed.

Regards,
galileo


Joined: 01 Nov 2006
Posts: 19
Location: Charlotte, NC USA
True - scanning of non-infectable files is unnecessary with "today's" regime of malware... who knows about future attack vectors/methodologies...

Performing a full scan - on whatever files one deems reasonable to scan versus skip - should only be necessary "one" time provided all future incoming file entry points are monitored and scanned in real-time thereafter. Inarguably, the real-time resource demand is reduced dramatically.

In fact, assuming no new incoming file activity, there would be "no" real-time scanning taking place. Thus, the resource demand would be limited to just monitoring the entry points for triggering activity alone and file/CPU activity would be free to take place essentially as if there was zero interference.

From a hardware perspective, one really need only know that if file activity is originating from the hard drive then no real-time scanning would be needed. So, really the monitoring of the entry points is done via the "reverse" or "inverse" so to speak. A simple on/off switch could be optionally employed to "exclude" real-time scanning of originating activity from the hard drives. In fact, from a developers/administrators point of view, the switch could be automatically changed upon the updating of signature files....or better yet, the full scan scheduler could also be triggered when signature files are updated....hmmm, that could be a feature option regardless of whether this approach is employed or not.

Checksums of previously scanned files still require, in real time, reading 2 checksums and then executing a compare operation... admittedly a quick operation versus actually scanning the file - it is still an operation that is not really required. If the hard drive has been scanned then "only" new saves to the hard drive need "oversight"... a copy from one location on a pre-scanned drive to another location on the drive does not need scanning prior to writing. If memory serves me right, I believe that the early implementations of Norton AV utilized something akin to checksums called "inoculation". Certainly analogous if not similar.

Frankly (or if your name is not Frank then: Seriously), what is going to be found by the scanner in a file that the same scanner has already found as "clean"... nothing would be my guess. So, the game is just to make sure that nothing "new" ever gets added/saved/stored to the drive/system until it has gone through the scanner... then it is, by definition, safe. Obviously one will want to schedule periodic full scans for the purpose of scanning with the most up-to-date signature databases - thus establishing a new clean system benchmark.

It seems to me - IMHO - that paranoia has been driving the anti-malware marketplace to a much greater degree than rational thought. Keep in mind, there is a point of no return with respect to the number of prophylactics employed.

...interesting conversation...

BTW: can one join the beta testing for V1.0 ? If so, how?
Intelligent Scanning
GuitarBob


Joined: 09 Jul 2006
Posts: 4340
Location: USA
Looks like we agree about "intelligent" scanning. I think some of the earlier methods--inoculation, etc. aren't used as much now because the bad guys found out how to make it look like a file hasn't been changed since the last scan and make other file changes to hide their work.

Contact one of the moderators about joining the beta tester forum: Alch or Sherpya.

Regards,
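The thread turns on two ideas: skipping files already judged clean (GuitarBob's "checkfigures", galileo's "inoculation") and the observation that attackers learned to make a modified file look unchanged. The following clean-file cache is an added illustration written for this page, not ClamWin code; it assumes a constructed temporary directory with a fake executable, and contrasts a cheap size-plus-timestamp policy with a content-digest policy, with the cache also invalidated when the signature database version changes.

```python
import hashlib
import os
import shutil
import tempfile
from pathlib import Path

def file_digest(path):
    h = hashlib.sha256()  # streamed so large binaries are not read at once
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

class ScanCache:
    def __init__(self, sigdb_version):
        self.sigdb_version = sigdb_version
        self.by_digest = {}  # sha256 -> sigdb version it was checked against
        self.by_stamp = {}   # path -> (size, mtime_ns), for the weaker policy

    def record_clean(self, path):
        st = os.stat(path)
        self.by_digest[file_digest(path)] = self.sigdb_version
        self.by_stamp[path] = (st.st_size, st.st_mtime_ns)

    def needs_scan(self, path, policy="digest"):
        if policy == "mtime":  # cheap: trusts size and timestamp only
            st = os.stat(path)
            return self.by_stamp.get(path) != (st.st_size, st.st_mtime_ns)
        # content-based: copies stay clean; any byte change or a new signature DB invalidates
        return self.by_digest.get(file_digest(path)) != self.sigdb_version

def demo():
    d = Path(tempfile.mkdtemp())  # constructed scenario: one fake executable
    p = d / "tool.exe"
    p.write_bytes(b"MZ" + b"A" * 100)
    cache = ScanCache("sigs-v1")
    cache.record_clean(p)
    out = {"unchanged": cache.needs_scan(p)}
    copy = d / "tool_copy.exe"
    shutil.copy2(p, copy)  # copied within the already-scanned drive
    out["copy"] = cache.needs_scan(copy)
    st = os.stat(p)
    p.write_bytes(b"MZ" + b"B" * 100)  # same size, different bytes ...
    os.utime(p, ns=(st.st_atime_ns, st.st_mtime_ns))  # ... timestamp put back
    out["tampered_mtime"] = cache.needs_scan(p, policy="mtime")
    out["tampered_digest"] = cache.needs_scan(p)
    cache.sigdb_version = "sigs-v2"  # new signatures: everything is due again
    out["after_update"] = cache.needs_scan(copy)
    shutil.rmtree(d)
    return out
```

The timestamp policy reports the tampered file as unchanged, which is the weakness GuitarBob alludes to; the digest policy catches it, and a signature update forces a rescan of even an untouched copy, matching galileo's suggestion of re-benchmarking when signatures change.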