Is Stateful scanning stateful across sessions or only for current?

I’m wondering if CIS remembers the state of files across different Windows sessions or does it only remember for the current session. But when the user restarts or shuts down the system, all this info is gone and starts all over on next boot?

Not sure about reboots and such but I know CIS keeps the state of the file between the span of each database update. (in other words, once there is a database update, the stateful scanning resets itself).

I’d like to know more about it too.

I would like to have it rescan when a file has been modified, not a DB update, the DB update is all of the time now, so what would be the point for stateful anyway in this case?

That’s what Stateful scanning is: it only rescans files that have been modified since the last scan. But ALL files will be scanned again after each database update in case the new database has a signature for that file that was already scanned.

Good question. ;D

I asked this when the option was released in beta. Never had an answer from a developer… 88)

It seems to me that it is a less than useful feature if it gets reset every 30 minutes or so.

I was wondering this myself too.
I think it’s saved between sessions but checking it again after a DB update seems to be useless for stateful. Now we get an update every hour or so the whole stateful is pretty useless. I’ve never been a fan of active scanning though. The best would be a scan if you enter a folder or when a file is used. This way would be useful to have stateful.

Due to the nature of this kind of technology (from developer perspective), I would say that they’re related to your session.

the DB update is all of the time now, so what would be the point for stateful anyway in this case?
Because = if a file is indeed malware, and it will not be rescanned, well, that would be a problem, no? And now, we only scan it once. (until the next update 5 mins later, but that's 3 minutes without scanning ;))


It could help if the feature is designed to keep track of what version of the DB was used to scan those SFI files and later scan only using the new signatures added after an AV DB update.

If a file was scanned up to X AV db it would also mean, if it was not changed meanwhile, there would be no need to scan again all signatures up to X AV db ver but only the ones greater than X AV db.

As for SPI span, IMHO it would be preferable to reset the SPI info after each reboot.

Is this just me or: stateful file scanning already scans changed files only. Why? Because this is the on-access scanner, no? So it will only scan files that: execute/changed/get used/etc. So we actually have already a scanner that scans changed files only and will not rescan them if they’re considered safe (with that database)


Indeed although even after the AV database is updated there would be still a possible way to avoid checking the same SPI listed file against the whole updated DB by limiting scanning only to the latest signatures (even in case of multiple updates/day).
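
The incremental idea proposed in the posts above (record which DB version a file was last scanned with, then match only newer signatures) can be sketched as follows. This is an added example, not part of the thread and not a description of how CIS works; `StatefulScanner`, the signature list and the file names are hypothetical and constructed, and it assumes signatures are only ever appended, never edited or withdrawn.

```python
import hashlib

# Constructed signature DB: (DB version that added it, name, byte pattern).
# These are made-up patterns, not real AV signatures.
SIGNATURES = [
    (1, "Test.A", b"EVIL-A"),
    (2, "Test.B", b"EVIL-B"),
    (3, "Test.C", b"EVIL-C"),
]

class StatefulScanner:
    """Hypothetical per-file scan state keyed on content hash and DB version."""

    def __init__(self):
        # path -> (sha256 of content, DB version the file was clean under)
        self.cache = {}

    def scan(self, path, data, db_version):
        """Return (verdict, number of signatures actually matched against)."""
        digest = hashlib.sha256(data).hexdigest()
        cached = self.cache.get(path)
        # A modified file loses its state and is matched against everything.
        since = cached[1] if cached and cached[0] == digest else 0
        checked = 0
        for added, name, pattern in SIGNATURES:
            if not since < added <= db_version:
                continue  # already covered by an earlier scan, or not in this DB yet
            checked += 1
            if pattern in data:
                self.cache.pop(path, None)  # never record a detection as clean
                return name, checked
        self.cache[path] = (digest, db_version)
        return "clean", checked

def demo():
    s = StatefulScanner()
    late = b"passes DB v2, flagged by v3: EVIL-C"  # constructed sample content
    return [
        s.scan("a.bin", late, 2),    # first scan at DB v2: both signatures checked
        s.scan("a.bin", late, 2),    # unchanged file, same DB: nothing to do
        s.scan("a.bin", late, 3),    # DB update: only the one new signature runs
        s.scan("b.bin", b"x", 3),    # new file: full scan
        s.scan("b.bin", b"xy", 3),   # modified file: full scan again
    ]

if __name__ == "__main__":
    for result in demo():
        print(result)
```

The third call shows the case raised earlier in the thread: a file that was clean under the old database is still caught after the update, at the cost of one signature check instead of three. If a vendor edits or withdraws existing signatures, the recorded version is no longer a safe lower bound and the state has to be reset.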