Defender Scans Way Too Many Files

Guest

I have noticed every now and then that Defender scans far more files than I
actually have on my hard disk. Tonight, I noticed it had well over 1,400,000
(that's one million, four hundred thousand) files in its scan. In actuality,
I think I have something like 450,000 files.

What I have noticed is that Defender seems to scan on certain files, stay
locked on that file, and increase the counter. As an example, tonight I saw
the following file being scanned, apparently multiple times:

c:\workssetup\msworks\pfiles\msworks\binlang1\dict.eit

What I saw was after "dict.eit" was the following: "dict.eit ->/XXXXXX",
where "XXXXXX" was a number that constantly changed and I believe increased.
I saw it anywhere from a 3 or 4 digit number to I believe a 9 or 10 digit
number. While this was happening, the total file count also was increasing
many times.

I don't know if this happens all of the time because I usually just let
Defender run in the background, and I just see the end results of the scan.
I also know that this does not happen on every file... most files appear to
be scanned just once. But the couple of times I saw this happen, it happened
in the above directory, as well as in the subdirectory of "binlang2."

Is this normal? What is happening if it is normal?
 
Bill Sanderson MVP

This is normal. I believe what is happening is that scanning of archives
counts the individual constituents of the archive as separate files--this
isn't illogical, just "different."

There's an option setting to not scan within archive files--you could change
that setting and see the effect.
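
The counting effect described in this reply, as an added example that is not part of the original thread and not Defender's own code: it walks a folder, lists which files are archives, and compares the number of files on disk with the number of objects a scanner would report if every archive member counted separately. It assumes ZIP containers only (Defender recognises other formats as well); the depth and size limits and the sample tree are constructed for illustration.

```python
import io
import os
import zipfile

MAX_DEPTH = 3                  # assumption: nesting limit for this sketch
MAX_MEMBER_BYTES = 50 * 2**20  # assumption: skip unpacking members above 50 MiB

def count_members(fileobj, depth=0):
    """Count file entries in a ZIP, descending into nested ZIPs."""
    total = 0
    with zipfile.ZipFile(fileobj) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            total += 1
            if depth < MAX_DEPTH and info.file_size <= MAX_MEMBER_BYTES:
                inner = io.BytesIO(zf.read(info))
                if zipfile.is_zipfile(inner):
                    total += count_members(inner, depth + 1)
    return total

def survey(root):
    """Return (files on disk, objects counted, {archive path: member count})."""
    on_disk, archives = 0, {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            on_disk += 1
            try:
                if zipfile.is_zipfile(path):
                    with open(path, "rb") as fh:
                        archives[path] = count_members(fh)
            except (OSError, zipfile.BadZipFile, RuntimeError):
                continue  # unreadable, corrupt or encrypted: counted as one file
    return on_disk, on_disk + sum(archives.values()), archives

def build_sample(root):
    """Constructed sample tree: 2 plain files, 1 ZIP holding 2 files + a nested ZIP."""
    for name in ("a.txt", "b.txt"):
        with open(os.path.join(root, name), "w") as fh:
            fh.write("plain file\n")
    nested = io.BytesIO()
    with zipfile.ZipFile(nested, "w") as zf:
        zf.writestr("x.txt", "x")
        zf.writestr("y.txt", "y")
    with zipfile.ZipFile(os.path.join(root, "outer.zip"), "w") as zf:
        zf.writestr("one.txt", "1")
        zf.writestr("two.txt", "2")
        zf.writestr("inner.zip", nested.getvalue())
```

Calling `survey()` on a real folder returns the archive paths with their member counts, which shows where a large scan total comes from.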
 
Guest

Is there a way I can tell where the archives are and how many files or
constituents are there? Although you may be right, I still have some
questions about the answer:
1. I have noticed this on my laptop, which is only one year old. I have
not noticed this happening on my desktop (although it may have happened),
which is over 4 years old. I would think that perhaps my desktop has quite a
bit more archived files on it than my laptop (it has, for example, many, many
emails from the past 4 years saved).
2. Do you know what is happening with that specific file I mentioned, the
file "c:\..\..\..\..\DICT.EIT" file? This isn't an archived file, is it?
What are the numbers that appear after the file, a number which varies from
3 or 4 digits to 9 or 10 digits?
3. I haven't been able to find the option to not scan within the archive
files. Can you tell me where to find it? I am looking under "TOOLS",
"OPTIONS."
 
Guest

I'm sorry, Bill. I wasn't looking in the right place for the scan archive
option. I have now found it and unchecked it for both my desktop and laptop
(it was previously checked on both). I'll run Defender again and see what
happens.
 
Guest

Bill, it looks like your answer is correct. After turning off scanning
within the archive files, the number of objects scanned was considerably less
for both my PC as well as my laptop. I still have the questions about the
number being shown after the dict.eit file...this did not happen with the
scans after the archive option was unchecked.
Also, I have another question/potential problem. On my laptop, I actually
ran Defender 3 times. Each of the 3 times exhibited something strange: about
5 or 6 minutes into the scan, which was about 25,000 to 26,000+- objects, the
counter for the objects reset to 0. Before this happened, the program was
scanning files on the C: drive as well as some registry entries; after the
counter was reset, the program continued scanning the C: drive and then,
towards the end, went to the D: drive, as I would expect. Also, right before
the reset occurred, there was a short period where the counter and scanned
files as well as the elapsed time "froze" for a couple of seconds, before
being updated again.
The same thing happened to my desktop the two times I ran Defender on it.
Right around 28,000 +- objects, the scanning slowed, as did the counter and
the elapsed time.
Is this normal, the slowing down and freezing of the elapsed time and
objects scanned? Is it normal for the object scanned counter to reset early
into the scan?
 
Dave M

Here's the third person response from Microsoft by way of Borty on the
WLOneCare newsgroup:

"Based on the research of our group and the Microsoft Works Team, the files
DICT.EIT and THES.EIT are not system files, although they are included in
the Microsoft Works folder. The files can be some kind of date file. At
this point, in order to keep both Microsoft Works and the virus scan
working, I suggest we keep them in the Exclusion list." ...apparently it
gave people some trouble in WLOC also.
http://forums.microsoft.com/Windowsonecare/ShowPost.aspx?PostID=192722&SiteID=2

Did you have the Microsoft Encarta Premium 2005 Nl Dvd / Ms Works installed
on the laptop? DICT.EIT is actually a file that is included in conjunction
with that Encarta Installation, although names are pretty poor indicators
of true content.. :) That might give you some ideas to explore.

I see you found the scan archives option, but as to your .EIT file being a
true archive filetype that Ms might have the uncompress algorithm for and
include it in either Defender code or WLOC, that's what I'd call an
esoteric long shot.
 
Bill Sanderson MVP

Couple of thoughts:

1) I suspect that the EIT file is, in fact, an archive. This (the OneCare
response notwithstanding)--is clearly a Microsoft file--I suspect a
dictionary of some sort used by Works and/or Office. So I'm not surprised
that Windows Defender knows how to look inside it.

2) On the count reset: I haven't observed this myself, but this is what I
think may be happening: You are doing a full scan. On custom scans,
Windows Defender does an intelligent quickscan first, and then proceeds with
the objects designated for the custom scan. I believe it does this for full
scans as well. The reasoning for this is that the intelligent quickscan
provides a good assurance that nothing is running or in memory which might
mask malware from the intended deeper scan. (However, I have personally
seen instances in the not too distant past where this strategy did not
succeed in catching a rootkit based spyware in place!)

So--I think the count reset you are seeing marks the end of the quickscan
phase of a longer custom or full scan.

--
 
Guest

Thanks, Dave.

I do not have MS Encarta of any version on either my laptop or my desktop.
I will look into putting those files into the exclusion list.

I've always wondered about MS Works. I do not use this as I have WORD and
EXCEL. Would there be any problem to completely remove Works from my
computers, or does something else use it that I might not be aware of?

Thanks again,

Richard
 
Guest

Bill,

I'll ask you the same question I asked Dave M. I do not use Works directly
because I use Word and Excel. I would like to delete the Works folder and
all of its files, unless there is some other program which may use them. You
mention that the "Dict.eit" file may be used by Office. To the best of your
knowledge, would it be ok if I delete all of the Works files, or does
Office/Excel/Word or any other program use these Works files?

As far as your theory on why the counter resets, it sounds very plausible.
I noticed that when I do run a Quick Scan, the number of objects scanned is
on the order of 25,000+-, the same number the Full Scan reaches before
resetting.

Thanks,

Richard
 
Dave M

It's how Word arrived on mine via a Dell pre-install, but I always go
straight into Word without bringing up any wrap around shell, there were a
bunch of other products attached there too... A spreadsheet, database,
Encarta, Money, Picture It, and Streets&Trips a travel planner. So I'd
bring the Works Task Launcher up at least once to see what you have, that
could be rendered inop, before you pull the plug. I'm not really sure of
how they're tied together, probably very complexly, and I think there were
various options that were available in the different Works packages. There
has to be expertise on some Ms forum that would be able to give you the
definitive answer re. breakage.
 
Bill Sanderson MVP

I'm not certain of the answer to the works/office question. In some cases
Word was a part of a Works version. However, since you have Excel as well,
presumably you have some Office version in addition to Works.

I'd recommend going via control panel, add or remove programs. If Works is
listed there, go right ahead and remove it.


--
 
Bill Sanderson MVP

Indeed--this kind of package--Works 2000 was one such, I believe--is the
reason why I'm a bit wary of just removing Works.

--
 
Guest

Hi Richard,

In addition to what Bill mentioned:

As always, you should make sure that you have got a working system restore
point before you run any test.

Good luck
--
 
Guest

Hi, Bill and Engel.

Thanks for your help. I think I am going to do some more investigation
before I actually remove any WORKS files. I was getting a little confused
over what I have and what I don't have on my PC and laptop. I actually do
not have WORKS files on my desktop, but I do have it on my laptop. I'm
almost certain I did have WORKS at one time on my desktop, but I also think I
did indeed remove it 2 or 3 years ago. I do have WORKS 2002 CDs associated
with the Dell desktop I have. I'm not sure what version of WORKS I have on
my laptop, but it's probably a 2005 version.
Mark also asked if I had Encarta 2005 deluxe. I do not, but I did just
notice I have Encarta 2002 on my desktop, which I did not notice before.
I'll probably start by removing this first, and then do more investigation
into whether or not WORKS is doing anything for my laptop. I really do not
believe it is because I'm almost sure I bought Office (with Excel and Word)
separately for my PC as well as laptop, but you've got me thinking!
Thanks, again.

Richard
 
Bill Sanderson MVP

If you aren't pressed for space, not worrying about it is probably best.
"cleaning up" can create more problems than you might expect, sometimes.



--
 
Guest

Following up what Bill and others have said; once after an OS upgrade I
attempted to install just the Word component of a combined Word/Works 2000
package. This turned out to be almost impossible and once the package was
installed, it wasn't clear what effect removing Works would have, so I just
left it.

With the way they're packaged together, as Bill stated it just isn't worth
the risk or time spent if you aren't drastically hurting for disk space.

Bitman
 
