"Do not scan files larger then...": is this really a good idea?

Examples: LibreOffice, EaseUs Todo Backup and Windows Vista SP1 installers. All of those programs have size larger than 40 MB. The last one have much more (544 MB!). What if such programs are somewhat infected? Is performance improvement so more important than safety to the point of ignoring such a scenario? Should this AV limit really exist?

Comodo sets this limit based on the malware they process.

While files larger than 40MB can indeed be infected, it’s extremely uncommon. Remember that the goal of malware is to spread quickly. To do so, the smaller the file, the better.

If you are uncomfortable with this limit, you can always set it higher.

I’m not an expert, but I think: a tiny malware tries to infect as many executables files as it can. So it infects several files, including such a big installer. Great: CIS AV catches the little infected files but leave the big ones untouched. When I run one of these installers, what is usually done as an administrator, BINGO! The malware gets unrestricted access to my system since no on-demand, scheduled or automatic scanning was done on that installer simply because it was big! Sorry, I’m really uncomfortable with that.

You may ask me: “How the tiny malware got into your system indeed?” Well, maybe before I have CIS installed; maybe in some zero-day attack; maybe… Who cares? I simply think that an AV should not shrink back from his duty only because it may be heavy… This default is nonsense to me.

What do you think?

By the way, you bet I have set this limit insanely high. My concern is about the community that may overlook this matter.

All the files you mentioned are ‘archives’ that contain a large number of smaller files, those smaller files will be scanned on extraction/installation and should one be malware it will be caught before it get’s loaded in to memory. Putting things higher than the default 40MB will only slow down your system heavily and will add maybe 0,001% extra detection.

Maybe you haven’t got my point. When those smaller files get scanned, it will be too late. The bigger, infected “archive” installer, will be already running, and with administrator rights(!). Scanning the smaller files is pointless then. :frowning:

The very fact that such bigger files are far less common than the smaller ones implies that they will not pose a so severe impact in the performance, I think.

No, the archive cannot run by itself.

What will happen is that each of those smaller files inside it will be run one by one. Thus, if one is found to be dangerous then any infections would be stopped. This all happens very fast, but this is how it works.

Please read my original post: all the huge files I’ve mentioned are executables. This is why we called them “archives” (notice the quotes). Check the topic history.

.exe are nothing but basically archives. Comodo can scan inside of them during a manual scan and when you run a exe it watches as the files are extracted.

At least the right click scan shouldnt depend on any excluding “performance” settings. Is this present?

This would follow your manual scan settings. You could always move the limit up on manual scans if that is your preference.

Executables are protected files. D+ would prevent infection in the very first place.

That’s greatly reduces risks with files getting infected on your system.