
AVG7 not checking file closes (install default)

Discussion in 'Security and Privacy' started by Hugh Jarss, 2006/02/12.

  1. 2006/02/12
    Hugh Jarss

    Hugh Jarss Inactive Thread Starter

    Joined:
    2002/07/22
    Messages:
    908
    Likes Received:
    6
    Hi

    I recently installed AVG free & was a bit miffed when the real-time aspect (the "resident shield") didn't detect the EICAR when I expected it to.

    Checking through the options for the resident shield, I found that the program had installed with the option to monitor file closures disabled.

    Surely for an internet-facing computer, checking files as they close is at least as important as checking files as they are opened? A file comes in from "out there", and when it is complete the file on your computer closes - which has to be the appropriate time to check the file.

    It's easy to change this option, and the extra load on the CPU is trivial

    (apologies if this has been noticed / mentioned already, I searched BBS a bit without finding it - maybe looking in all the wrong places (generally the case!))

    best wishes, HJ
     
  2. 2006/02/13
    TonyT

    TonyT SuperGeek Staff

    Joined:
    2002/01/18
    Messages:
    9,072
    Likes Received:
    400
    Not sure I follow your logic. A "file gets downloaded", either as files contained in a web document or as separate downloaded applications (install or setup files) or ActiveX type objects.

    If a malicious file embedded inside a web document executes, or its installer executes, then THAT is THE time to have a "resident shield" detect it, not after the file executes and closes. The dirty work is done after the file executes, not after it closes. If the file contains additional malicious code or several malicious applications, as in the case of a malware containing more than one type of trojan, it should be detected BEFORE the trojan gets installed, not after.

    In the case of downloaded install-setup files, it is foolish to begin with to choose to "run from this location" instead of saving to disk somewhere and then manually executing the setup-install exe. And even if one selects to run immediately, then THAT is THE time any malicious code will get executed, not after the install-setup file closes.

    AV apps are effective ONLY because they have known virus definitions. If the av app does not contain a definition for a malicious file, then it does not matter when it inspects the file, during download, during install or after it closes, the comp will be infected.

    Malicious files do their dirty work when they are "opened". And in most cases, if not all, malicious files set themselves up to be opened at boot and will remain opened until shut down or restart. So "closes" has no real bearing.

    Perhaps you could explain further what you mean by "closes".
     
    Last edited: 2006/02/13

  4. 2006/02/13
    rsinfo

    rsinfo SuperGeek Alumni

    Joined:
    2005/12/25
    Messages:
    4,076
    Likes Received:
    178
    I have been using AVG free for the last 3 years and never had any serious problems from viruses during that period.

    AVG does indeed detect EICAR.
     
  5. 2006/02/14
    Hugh Jarss

    Hugh Jarss Inactive Thread Starter

    Joined:
    2002/07/22
    Messages:
    908
    Likes Received:
    6
    Hi
    the normal meaning of closing a file: buffers get flushed & any handle / file pointer / stream associated with the file gets dissociated.

    ==

    Certainly, real-time scanning of files as they are opened is the way to avoid nasty surprises from malicious software...

    ...but real-time scanning of files as they are closed can stop the malicious software from getting onto the HDD in the first place :)

    applies particularly to the following scenarios:
    - file arrives on your computer from the internet;
    - file arrives onto your computer from local network;
    - packed file unpacks to produce files on your computer
    ...because in these cases, merely scanning "on file openings" won't spot the bad stuff.

    All the files on a HDD drive were open as they were being written to the drive in the first place, whatever program was writing them (in this context, the "program" might even be as humble as DOS "COPY"); you can't write to a file without having the file open.

    When finished writing the file, the program which was creating it closes the file, leaving it on your hard drive.

    This closing of the file is the point at which I'd like the on-close AV scan to happen, particularly for files which are coming from the internet.

    ==

    A simple way to illustrate this is with a self-extracting EXE. There's one called EICAR.EXE here if you want to try (save this file somewhere on your computer rather than opening it online) ;) When EICAR.EXE is run it attempts to write out EICAR.COM (in the same folder) - that's all it does.

    If you run EICAR.EXE with on-close file scanning disabled, you will end up with EICAR.COM on your hard drive.

    If you run EICAR.EXE with on-close file scanning enabled, you should get an alert from your antivirus software, and (hopefully, assuming your AV options are set up well) the file EICAR.COM will not appear on your hard drive.

    In this case the bytes which make up the resulting file are coming from the self-extractor program; but they might just as well have been coming from a LAN or from the internet. At the basic level it's just the same - when the file is complete it gets closed - and then gets left on your HDD.

    OK. That was just the EICAR; but the same applies to "real" nasty stuff which one would expect, would hope, should get blitzed by AV software. If you don't have on-close scanning enabled, you are likely to end up with the nasty stuff on your HDD - and I (for one!) would rather it never got there.

    ==

    So, although I like AVG7, and I think that it's really great that Grisoft make such a product available for free, I do wish that the "out-of-the-box" default was that on-close scanning was enabled.

    Also, the appearance of the AVG Control Centre doesn't make it at all clear when on-close scanning isn't turned on. The wording "Resident Shield is loaded and fully functional"; and (at bottom RHS) the unfortunate truncation of the text (you have to click to see the crucial words "not active") don't help in this context.

    I posted the thread because there are a lot of AVG7 users around, in case they might want to adjust the options and improve their AV protection. Double-click the "Resident Shield" section of the control centre to find the checkbox for on-close scanning.

    I also opted to "scan all files" rather than deciding by file extension - can't trust file extensions to determine whether a file may be dangerous in these days of tricksy malware.


    best wishes, HJ

    (Afterthought: none of the above reasoning should be taken as an excuse for avoiding a thorough scan of the whole HDD every now and then! (frequency of this depends upon your paranoia level))

    (**Pentium-S @ 150MHz, 48MB; this thing takes ~45 seconds to launch Mailwasher Pro! It is certainly no racehorse.)
     
    Last edited: 2006/02/14
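    A toy model of the on-open versus on-close distinction argued in the post above. This is an added illustration, not code from the thread or from AVG; the signature string is a constructed stand-in for the EICAR test string, and the self-extractor mirrors the EICAR.EXE -> EICAR.COM scenario.

```python
"""Toy 'resident shield' showing what on-open and on-close scanning each catch."""
from dataclasses import dataclass, field

# Constructed marker standing in for the EICAR string (not the real one).
SIGNATURE = b"CONSTRUCTED-TEST-SIGNATURE"


@dataclass
class Shield:
    on_open: bool = True
    on_close: bool = False      # install default described in the thread
    alerts: list = field(default_factory=list)

    def scan(self, name, data, event):
        """Return True if the data is clean; record an alert otherwise."""
        if SIGNATURE in data:
            self.alerts.append((event, name))
            return False
        return True


@dataclass
class Disk:
    shield: Shield
    files: dict = field(default_factory=dict)

    def write_file(self, name, data):
        """A program creates a file: the bytes arrive (download, LAN copy,
        self-extractor), then the file is closed. Only an on-close scan
        sees the complete content before it lands on disk."""
        if self.shield.on_close and not self.shield.scan(name, data, "close"):
            return False            # blocked: never reaches the HDD
        self.files[name] = data
        return True

    def run_file(self, name):
        """Executing an existing file opens it, so on-open scanning fires here."""
        data = self.files.get(name)
        if data is None:
            return False
        return not self.shield.on_open or self.shield.scan(name, data, "open")


def self_extractor(disk):
    """Model of EICAR.EXE: a clean stub whose only job is to write EICAR.COM."""
    return disk.write_file("EICAR.COM", SIGNATURE)


def experiment(on_close):
    """Returns (write succeeded, file present on disk, file ran without alert)."""
    disk = Disk(Shield(on_close=on_close))
    landed = self_extractor(disk)
    return landed, "EICAR.COM" in disk.files, disk.run_file("EICAR.COM")
```

    With on-close disabled the test file lands on disk and is only caught when something opens it; with on-close enabled it never gets written.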
  6. 2006/02/15
    ski123

    ski123 Inactive

    Joined:
    2002/01/09
    Messages:
    163
    Likes Received:
    0
  7. 2006/02/16
    Hugh Jarss

    Hugh Jarss Inactive Thread Starter

    Joined:
    2002/07/22
    Messages:
    908
    Likes Received:
    6
    Gosh.
    and it's recent, too, the date's 2nd Feb 2006. Thanks for pointing that out, ski123. I'm using Windows 98SE, which I'd have thought would be embraced by "Win95-WinME".

    Looking in the Help for the Resident Shield there's no mention of any incompatibility with earlier Windows versions at all, it just says
    hmmm. The on-close scanning certainly seems to be working as I would expect - and the machine is stable, and hasn't slowed down noticeably. The only aspect of AVG7 which pegs that computer is the email scanning...

    ...maybe I'd better ask at AVG to see if I can find out what this incompatibility entails. I really would prefer to use on-close scanning if possible.


    best wishes, HJ
     
  8. 2006/02/16
    PeteC

    PeteC SuperGeek Staff

    Joined:
    2002/05/10
    Messages:
    28,896
    Likes Received:
    389
    While on the subject can anyone shed any light on why AVG (latest build) shuts itself down when the defs are out of date?

    I use the laptop infrequently and more often than not AVG is off when it is booted up after a week or so. Update and back in business, but hardly safe practice :(
     
  9. 2006/02/25
    Hugh Jarss

    Hugh Jarss Inactive Thread Starter

    Joined:
    2002/07/22
    Messages:
    908
    Likes Received:
    6
    The issue concerns incompatibility of AVG with Microsoft Scandisk for Windows as shipped with Win95, Win98, WinME

    If on-close scanning is enabled it causes Scandisk to freeze when checking the logical drive on which Windows is installed.

    In addition, if AVG's "scan all files" option is enabled, there is a problem with handling the CHK files which scandisk can produce.

    ==

    So what I decided was to enable both "on-close scanning" and "scan all files", but simply to disable the Resident Shield altogether when I want to run Scandisk for Windows.

    Disabling the Resident Shield greys out the system tray icon for AVG, and so affords a "memory-jog" to remind to turn the Resident Shield back on again.


    best wishes, HJ
     
  10. 2006/02/25
    rsinfo

    rsinfo SuperGeek Alumni

    Joined:
    2005/12/25
    Messages:
    4,076
    Likes Received:
    178
    Even when I enable On Close Scanning, it's disabled whenever there is some update. Strange. :confused:
     
  11. 2006/02/26
    Hugh Jarss

    Hugh Jarss Inactive Thread Starter

    Joined:
    2002/07/22
    Messages:
    908
    Likes Received:
    6
    rsinfo: thanks - useful information.

    hmmm. I just updated mine (manually)(no restart required) and the "on-close" option didn't change (it stayed enabled).

    But then - there are updates which require a restart and updates which don't - and automatic and manual updates.

    ==

    PeteC: the system tray icon greys out if any of the components are disabled / out of date / broken... is yours actually going dysfunctional when the defs go out of date, or just looking that way?

    (I was trying to prevent mine from updating until the tray icon greyed to check this out, but blew it a couple of days ago - didn't make it to the cancel button in time)

    easy way to check! EICAR it next time it greys out, see if it picks it up.


    best wishes, HJ
     
  12. 2006/02/26
    PeteC

    PeteC SuperGeek Staff

    Joined:
    2002/05/10
    Messages:
    28,896
    Likes Received:
    389
    HJ

    I'm away from home at present using the laptop so AVG gets updated daily. I will have to wait until I am back home to check this out again. Thanks for the input :)
     
  13. 2006/02/26
    rsinfo

    rsinfo SuperGeek Alumni

    Joined:
    2005/12/25
    Messages:
    4,076
    Likes Received:
    178
    Would keep my eyes & ears open
     
  14. 2006/02/26
    rsinfo

    rsinfo SuperGeek Alumni

    Joined:
    2005/12/25
    Messages:
    4,076
    Likes Received:
    178
    Update: The "on close scanning" & other options in "AVG Resident Shield" return to default when the system is rebooted.

    Please check & confirm.
     
  15. 2006/02/27
    Hugh Jarss

    Hugh Jarss Inactive Thread Starter

    Joined:
    2002/07/22
    Messages:
    908
    Likes Received:
    6
    Hi rsinfo

    I can reboot the computer and all the AVG options stay put :confused: ...but that's just me rebooting the computer, not restarting it as requested to complete an AVG update.

    Will watch carefully the next time an AVG update requires a restart to complete, and post back with the result.

    FWIW, my AVG Free "About" is currently showing:
    AVGCC file version: 7.1.0.355
    Program version: 7.1.375
    Virus base: 268.1.0/269
    ...on Win98SE (2222A)


    best wishes, HJ
     
  16. 2006/03/14
    Hugh Jarss

    Hugh Jarss Inactive Thread Starter

    Joined:
    2002/07/22
    Messages:
    908
    Likes Received:
    6
    rsinfo: mine just updated, requiring a restart, and left the options as they were - both the "on-close" and "all files" options stayed enabled :confused:

    am not going to rely on this though ;)

    best wishes, HJ
     
  17. 2006/03/14
    rsinfo

    rsinfo SuperGeek Alumni

    Joined:
    2005/12/25
    Messages:
    4,076
    Likes Received:
    178
    HJ, it seems that AVG remembers settings only if set in Administrator login. I set them all in Administrator & have had no problem since then. Keeping an eye on it though.
     
