Design philosophy for Comodo Antivirus

When I hear so much talk about only doing what’s needed, it puzzles me to see that scheduled scanning is enabled by default?

I don’t know, Kyle. If you deal long enough with anti-virus, you begin to see scheduled scans as a waste of CPU.
I mean, if your realtime is doing the job, why bother?

If it (a malware) is there, it still has to execute, and get past your AV realtime and HIPS. (Some would argue with that order.)

The problem is, most people come to that realization shortly before they arrive at the “AV is a 20 year OLD solution” stage.

Till then, most want to see that “no virus found” message at the end of a scan.

Maybe that drives the default scheduled scan thing.

But then again, maybe I am a few pints too many into my lager stock to understand your point; if so, please disregard!!

Regards.

I very much share the same view and that was the point of my post ^^

  1. Download malicious file (and you don’t execute it yet)
  2. Real-time scanner fails to pick it up
  3. Virus signature database updated
  4. Scheduled scan picks up malicious file (before you have executed it)

EDIT: Also:

  1. Download malicious file and execute it
  2. Real-time scanner fails to pick it up
  3. Virus signature database updated
  4. Scheduled scan cleans up malware from malicious file that was executed in step 1.

SSJ100:

Yes sir, and if you do execute it, what happens then?

Presuming your anti-virus guard and/or HIPS work?

For the edited part, won’t the realtime still pick it up after the update?
Then does it not become a ■■■■ shoot as to which happens first?

The realtime detecting it, or the start of an on-demand scan?

Defense+ will pick up everything, so let’s not discuss that. I’m talking more about the Antivirus.

No, the real-time won’t pick up the virus unless it’s active, and it certainly won’t clean up the mess left behind.

The real time scanner would not pick up the infected file until it was accessed. The first scenario presented is one that I personally have experienced so I feel that scheduled scans are still a good thing.

Let’s only talk about what you want to, by all means.

If you have executed it, is it not active?

Look, I am not saying there is no use in a full-system, open-archives, in-depth scheduled scan.
I run them myself.

My point is having them enabled by default is as much a marketing decision as a security
A lot of AV’s seem to have this nominal scheduled scan as default.

(Avast Home being an exception, as they reserve that for their Pro Edition.)

The question is how much this is driven by real security needs, and how much by perceived?

I think it is perceived, as opposed to urgently real, but marketing must show it as desirable,
or it would not be dangled like a carrot as a perk of the paid edition of Avast.

Others dangle webshields and email scanners.

As far as cleaning the mess, if you knew you had a set, confirmed infection with something like Virut,
would you really trust any clean-up job?
I would not.
Before I ordered Pinkus’s prom dress from Teeny-Booper.com, on my Visa, I would want a full reformat and install of Windows.

The fact that Avast! free does not offer scheduled scans is my only complaint with them. They are saying that in the soon-to-be-released version 5, scheduled scanning will be available even in the free version. Some malware has a delayed trigger payload. If that kind gets past the AV because there is no signature yet, then it will sit, inactive, until its trigger date. A scheduled scan, with updated definitions, could catch it before it went off. This is exactly what I have had happen one time in the past. A realtime scan, even with a signature for the malware, would never find it, until it triggered and then might not be able to stop it or clean it up…

Dch48:

Please understand I am not trying to be cutesy, or smart aleck, but I really do not understand.

“A realtime scan, even with a signature for the malware, would never find it.”

In that case, how is an on-demand scan going to find it?

It is not active, so only the signature is available for detection.

The realtime scan would not find it because the file would never be accessed in normal operations. The scheduled scan would scan everything and would find it.

Understood.

Thanks.

**Real time and on demand both use the same signatures.**
So in reality, if one was going to pick up the malware then so would the other.

Realtime by Comodo scans the file on access. That means when you double-click on an application, it is scanned with the AV scanner before it is allowed to load.
(Which uses the same signatures as the scheduled scanner, don’t forget.)

Now, scheduled scanners scan the file before it is even accessed. Is there any benefit to it, since they are both scanned with the same signatures before the file is loaded? IMO, no.

Scheduled scanners, however, can be good. For example, whenever I use an AV, I disable the archive scanning by realtime. I scan archives on-demand, as a dormant file poses no threat.

To the post above, about those “time bombs” etc… Sure they can sit around doing nothing until the day comes, but when that day comes it will be scanned by the realtime scanner when it “wakes up” before it is activated.

Here’s a practical example: download eicar and turn the real time scanner off.
Now, do a scheduled scan. Detects it, right?
Now turn realtime on. Detects it, right?



So now back to the original question I had (perhaps I should have put it in the right board  :-[ )
Why is the scheduled scanner enabled by default, with no practical/realistic purpose?

Yes it will be scanned by the realtime scanner then, but I would rather have it removed before it even gets the chance to activate. When it activates, in my opinion, it’s a ■■■■ shoot whether it will be totally deactivated and removed or not. A lot of AV’s are much better at detecting things than they are at removing them. It just seems to me that removing a dormant file would be easier than removing one that is trying to activate and install itself.

Before the file is loaded it is scanned and removed, before it can “activate”.

It’s clear that some people (like Dch48) will benefit from scheduled scanning and actually like it this way. Maybe you should do a poll? If 1000 people vote, and 999 say they don’t want scheduled scanning enabled by default, then perhaps Comodo should change it? Otherwise, what’s the big deal? A lot of things come “on” by default, and it’s easy enough to disable it if you don’t see the need for it. For me, I’ve disabled D+ and I haven’t even installed the AV component haha.

Scheduled scanning, Necessary?

According to CIS/Help Guide/Antivirus Task Center/Scanner Settings, all scan modes have a max size (defaults to 20 or 50 MB); they have overlapping options that can be configured differently, along with specific mode-related options.

The Realtime Scanner provides a tradeoff optimized for speed, although it is also able to detect samples before execution (e.g. before the second click of a double click, or new uncompressed files written on the HD, or uncompressed samples in a folder on the desktop, with a minimal lag).

http://wiki.comodo.com/images/CIS-Scanner_Settings-Real_Time.png

  • Though it will detect them if the user takes action to uncompress them, the Realtime scanner is not meant to detect samples in zipped files (e.g. the harmless eicar.com detection test sample in eicar.zip).
  • Realtime scanner will scan each single file up to nn seconds (defaults to 60).
  • Realtime scanner alerts will be kept on screen up to nn seconds (defaults to 120). If the user provides no answer, the file will be blocked.

The Scheduled scanner, like the manual scanner, will also scan zipped files (e.g. it will detect the above-mentioned eicar.com when scanning eicar.zip) and has no time-related restriction on scanning each file.

http://wiki.comodo.com/images/CIS-Scanner_Settings-Scheduled.png

So the Scheduled scanner can also detect long-forgotten samples in neglected folders or zipped files, even if the user doesn’t access/run them or if the user disabled real-time scanning and forgot to enable it again.

Obviously by applying different settings the scheduled scan can fulfill even additional uses and thus complement manual and realtime scanners.
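
Added example (not part of the original thread and not Comodo's code): a minimal Python sketch of the point in the post above, that two scan modes sharing one signature set still differ in coverage when only one of them opens archives. The signature, the profile values and all names (`ScanProfile`, `scan_tree`, `build_demo_tree`) are constructed for illustration.

```python
import tempfile
import zipfile
from dataclasses import dataclass
from pathlib import Path

# Constructed stand-in signature (not the real EICAR string, so this
# listing is not itself flagged by a scanner).
SIGNATURES = {"Constructed.TestFile": b"CONSTRUCTED-AV-TEST-MARKER-0001"}

@dataclass(frozen=True)
class ScanProfile:
    name: str
    max_size: int        # bytes; anything larger is skipped unscanned
    scan_archives: bool  # open zip files and scan each member

MB = 1024 * 1024
REALTIME = ScanProfile("realtime", 20 * MB, scan_archives=False)   # assumed values
SCHEDULED = ScanProfile("scheduled", 20 * MB, scan_archives=True)  # assumed values

def match(data: bytes) -> list[str]:
    """Both profiles share this one signature set."""
    return [name for name, sig in SIGNATURES.items() if sig in data]

def scan_file(path: Path, profile: ScanProfile) -> list[str]:
    if path.stat().st_size > profile.max_size:
        return []
    hits = match(path.read_bytes())  # raw bytes: compressed members do not match
    if profile.scan_archives and zipfile.is_zipfile(path):
        with zipfile.ZipFile(path) as zf:
            for info in zf.infolist():
                if info.file_size <= profile.max_size:  # cap on unpacked size too
                    hits += [f"{n} ({info.filename})" for n in match(zf.read(info))]
    return hits

def scan_tree(root: Path, profile: ScanProfile) -> dict[str, list[str]]:
    """Map file name -> detections for every file under root."""
    found = {p.name: scan_file(p, profile) for p in sorted(root.rglob("*")) if p.is_file()}
    return {name: hits for name, hits in found.items() if hits}

def build_demo_tree(root: Path) -> None:
    """Constructed input: one loose sample and one zipped copy of it."""
    body = SIGNATURES["Constructed.TestFile"] + b"\n" + b"A" * 400
    (root / "sample.com").write_bytes(body)
    with zipfile.ZipFile(root / "sample.zip", "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("sample.com", body)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        build_demo_tree(Path(d))
        for profile in (REALTIME, SCHEDULED):
            print(profile.name, scan_tree(Path(d), profile))
```

With the constructed input, the realtime profile reports only the loose file, while the scheduled profile also reports the copy inside `sample.zip`.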

Well, I’m sure scheduled scanning does have its uses (you might have the real time disabled ’cause you use another scanner??) etc.

Though, I think that if it was turned off by default, there would not be an increase or decrease in infections.

There would, however, be a decrease in scanning times… Because you wouldn’t have them!

;; Optional yes, Default no.

@poll thingy
Well, I look at this the same way as I did web shields when I brought them up for discussion…
Many users would vote “What, are you nuts?!?!?! Of course you need a scheduled scanner on by default!”

This is not so much opinion based… but technical. I think it’s Comodo’s decision in terms of security/usability etc., as many users would not be informed enough to make a confident decision.

I’ll point Melih to this thread.

@Endymion, yeah sure, whenever I’ve used the Comodo AV I’ve disabled the scheduled scans, no hassle. I just thought by this idea, it would lighten up people’s machines. + people can use their machines more (not having to dedicate alone time for their machines when it scans).

It can be handy to scan compressed files etc… But in their compressed state, they are harmless.
You also mention file size, though as Melih has said before, have you ever seen a malware file over 20 MB? ;D
Think the most I’ve seen were rogues. 3 MB or so.

One thing I did notice when I saw your pictures was the heuristic levels, I guess this would be something to take into account.

Anyway, I’ll pass this on to Melih and hopefully we’ll get a response to see his views on this. :-TU

As much as it appears that scheduled scans have their uses, including scanning multi-megabyte archives containing heterogeneous files, whenever you may feel manual scanning/realtime scanning is enough when you have used CAV, it doesn’t look like there is no purpose as you have been claiming, whereas it would be obvious that any user can disable or reconfigure the default to suit his/her liking.

I would point you to the previous thread you already created, to which Melih already replied along with other members.