Difference between "On Access" and "Stateful"

Simple question: In CAV, what’s the difference between “On Access” and “Stateful”? Is “Stateful” JUST AS GOOD but faster, or is “On Access” somehow functionally superior? Is the ONLY difference speed? If so, why would anyone use “On Access”, wouldn’t everyone use “Stateful”?

“On Access” is above “Stateful” on the “slider bar” of modes, does this indicate that it’s somehow better than “Stateful”?

I don’t know which to use. Explain, anyone? Thanks :slight_smile:

Direct copy from the help file:

On Access - Provides the highest level of On Access Scanning and protection. Any file opened will be scanned before it is run and the threats are detected before they are getting a chance to be executed.

Stateful - Not only is Comodo Internet Security one of the most thorough and effective AV solutions available, it is also very fast. CIS employs a feature called Stateful File Inspection ™ for real time virus scanning to minimize the effects of on-access scanning on the system performance. Selecting the ‘Stateful’ option means CIS scans only files that have not been scanned since the last virus update - greatly improving the speed, relevancy and effectiveness of the scanning.

Oh, I read the help file. But it contradicts itself, at least somewhat and indirectly, and it doesn’t answer my question.

Scanning every file on access should be functionally identical, in terms of protection, to scanning a file when accessed only if it’s not been scanned since the last DB update (and hasn’t been changed since the last time it was scanned).

One of those is optimized and faster than the other, but as far as I can see, the result is identical.

Therefore, how can it then be said that On Access mode “provides the highest level of […] Scanning and protection.”, which implies the “Stateful” isn’t as good (which is also implied by its lower position on the slider control), if “Stateful” mode is functionally identical, just faster?

So my original question stands… is “On Access” somehow better than “Stateful”, in terms of catching malware? Or is exactly identical, just slower?

I just know, what the help file says - nothing more…

Don’t get too caught up in the semantics of what seems to be implied.

Think like… On Access = Hardcore scanning. Every file on every access. Simple.

Statefull = Only scan if file has been altered, or a new database has come out since last time scanned.

No less safe, just an attempt to free up some resources for you.


That’s what I thought it meant. But what I don’t understand is why CIS offers the choice between them at all. If they’re the exact same level of protection, and one is much more efficient and lighter on system resources than the other, why wouldn’t Comodo eliminate the “On Access” option entirely and change the “Realtime Scanning” slider from:

On Access

…to simply:


…where “Enabled” would mean Stateful?

It doesn’t make much sense to me, why they’re both included. If you have two algorithms that do the exact same thing, and one’s lightweight and fast, and the other’s bloated and slow… why would even offer the user a choice at all? Why would the bloated and slow one even be included in the product at all?

In all other software products, if the author comes up with a much faster and less resource-intensive way to do the exact same thing as before, the next version of the software doesn’t give a choice between the bloated, slow original algorithm and the much faster and leaner new algorithm. The better algorithm simply replaces the less-efficient one entirely.

I think it’s just all about giving people options.

No matter what they decide there is always an opposing opinion.

So better to give people the free will choice.

When they only had On Access, people who work with large directories would complain about the wasted resources.

So they added the feature to check the files status and only scan if changed, etc.

So if they did as you say and went Statefull (which is default IIRC) only. On/Off.

I’m sure people would come out of the wood work with their own issues, and takes on the situation with their own level of comfort.

ie. " I don’t care what you think, I want to scan everything every time!!! and you won’t let me, No choice!
Your software sucks, blah blah blah."

Get my drift :wink:


Very true, actually. I didn’t consider dim-witted users who don’t know what the phrase “exactly the same protection” means, or who somehow refuse to believe it. :slight_smile:

Good point. In a technical sense, there’s no reason to offer both. But in a human sense, with not all users being sufficiently intelligent, there may indeed be merit in still offering the less-efficient, brute-force technique.

Most interesting. Thanks for the insight.

Especially since database updates can be every 30 minutes. This relegates the stateful scanning mode to be less than useful. It pretty much rules out any performance improvement to all but system files. How many other files are you opening multiple times in 30 minutes?

I have not been able to find the phrase “exactly the same protection” or even the word “exactly” used in this context in any of Comodo’s help files. It seems to have cropped spontaneously in this discussion. If I missed it, please post the URL.

There is a difference that can be important for the Truly Paranoid. Stateful detects changes by examining the META DATA of a file: its date of creation, the size as recorded in the directory, the date and time it was last updated, and so forth, while On Access detects changes by examining the ehtire CONTENTS of the file.

It is possible to change the contents of a file while preventing any changes to its meta data; this is trivial if a rootkit is involved.