Re: Avira and Windows Defender


VanguardLH

Richard said:
Running Win Xp Home ed.
Is it necessary to use Windows Defender when you have Avira Antivir
installed and doing a good job ?

Did you really mean Windows Defender (WD) or its replacement of
Microsoft Security Essentials (MSE)? WD was just an anti-spyware
detector whereas MSE is both anti-spyware and anti-virus.

Pick one or the other, not both. If you go with MSE, don't install
Avira. If you go with Avira, don't bother with MSE.

You did not mention if you were asking about the free or paid version of
Avira. The free version is missing several features found in the free
version of Avast. The payware version of Avira is as good or perhaps a
bit better than the free version of Avast which is better than the free
version of Avira. That's regarding detection. For healing an infected
file, turns out MSE is better; however, I rarely even try to repair an
infected file and prefer to get it from the install CD or a prior backup
that isn't infected. Order of false positives, from least to worst, is
MSE with Avira and Avast a close tie but that's because they are more
aggressive than MSE. Avast can protect its processes from getting
killed. I suspect Avira can, too. MSE doesn't and can be stopped with
just a "net stop" command.

So what is your disaster recovery strategy should you get infected by
something that none of these can recognize or none can disinfect? If
you don't backup then you deem your files as worthless or reproducible.
None of these security products is perfect, repairing a file can cause
more problems than it solves, and overlapping them (with one on-access
[realtime] scanner and manually running the others as on-demand
scanners) still doesn't cover that last 1-2% of malware that none will
detect.

There's security with which you're comfortable. Then there's lots of
security that ends up getting in your way of using your host. You need
to find something that gives you a comfort level you are willing to
settle on depending on the level of your expertise and how much nuisance
you are willing to take from these products.
 
Beauregard T. Shagnasty

VanguardLH said:
Pick one or the other, not both. If you go with MSE, don't install
Avira. If you go with Avira, don't bother with MSE.

Or keep them both, and run the 'other one' as an on-demand scanner and a
backup. &deity; knows you surely need backups...
 
VanguardLH

Beauregard said:
Or keep them both, and run the 'other one' as an on-demand scanner and a
backup. &deity; knows you surely need backups...

I don't recall that you can configure MSE to not operate as an on-access
(realtime) scanner, so the combo would be to install Avira, disable its
on-access scanner, and then install MSE. Personally I stay away from
Avira because it has known problems with S.M.A.R.T. in not understanding
the difference between polling a device to get its type and accessing
its media to actually use the device. A defect that showed up 3-4 years
ago has reared up again in a recent build which can cause some users to
notice Avira continually re-accessing their floppy or USB-attached
drives once per minute but only after a program that uses SMART happens
to poll the devices (like when you load a CD burning program that
queries all the devices to determine their type). They didn't fix the
problem before, it somewhat went away without any direct fix from them,
and came back (because they didn't fix it the first time).

I also tend to stay away from "loud" adware. Avast is adware but it is
mild in that you only see their ad when you load their GUI and only in
the summary panel. With Avira, you have to contrive a means to disable
their avnotify.exe adware program that loads on every update (like
renaming the file, creating a 0-byte version of it, or using SRPs to
prevent it from loading) along with altering the Run key in the registry
to eliminate the adware banner. Both Avast and Avira are adware but
Avira is just too much in your face and requires workarounds (which may
eventually be overcome by Avira). The AntiVirus product (yeah, not a
discerning name) got acquired by Avira who then made it blatant adware.

Also, most folks asking about anti-virus products are typically asking
about the free version. The webguard and other features are missing in
the freeware version of Avira (yet it is the full payware version that
gets tested in comparison reviews) but which are present in the freeware
version of Avast. To compare apples with apples, you would have to
compare the freeware version of both or the payware version of both.
Whether freeware or payware, Avast has more to offer. While the payware
version of Avira has the features of the freeware version of Avast, the
payware version of Avast exceeds the payware version of Avira in
providing, for example, an [auto]sandboxing function to further isolate
an unknown process due to so many users logging on under an admin-level
account. Avast has its SafeZone which, as best as I can tell (since I
only use the free version that doesn't have this), is similar to the
safe banking feature of Online Armor (a firewall + HIPS product). Avast
includes a boot-time scan (in free and paid versions) which will run
while the OS and malware are quiescent to provide a more austere and
clean environment under which to detect the pests. No boot-time scan
with Avira (unless, I suppose, you create a bootable CD with Avira on
it, but you don't need a boot CD to do a boot-time scan with Avast). If
you compare freeware for each, Avast provides more features and covers
more infection vectors. If you compare payware for each, Avast still
has more features. Avira wins by a percentage point or two in a static
on-demand scan for malware coverage but that's only a portion of the
story regarding the detection and prevention of malware on your host.
By the way, while Avast's Behavior Guard was passive in the past to
accrue statistics in modifying its operation, it became active in
5.1.189 build and now has some configurable options. Besides watching
for malware, it looks for the behavior of malware as typical of many
HIPS products.

Avira does beat Avast regarding disinfection (the ability to heal a file
to remove the malware) but MSE is better than Avira. Whether that has
value to you depends on whether you even want to try modifying modified
files in hoping to return them to a prior good state.

Since Avast is better than Avira, I would suggest using Avast (and
without using either Avira or MSE as backup scanners but then I don't
think you can make MSE a passive and manually initiated scanner). If
you want overlapping products then Avira (passive) and MSE (active)
would be one setup but then you're using MSE as the active scanner
although Avira has a better detection rate. If I'm wrong about MSE in
that you can configure it as the passive (on-demand) scanner then Avira
(active) and MSE (passive) would work. Yet I'd use Avast alone instead
of having to spend effort getting Avira and MSE to work together.

Remember that despite making an AV product passive does not eliminate
its system hooks and whether AV products will cooperate with each other
when chained in the system API is variable. I've found 1 active
and 1, or more, passive AV products can still interfere with each other
and usually I have to resort to something like Resplendence's Hook
Analyser (don't think it's available anymore) to show me which programs
are trying to hook into the same system calls. So just making all but
one AV product as active and all others passive still can run into
troubles. Being passive (i.e., you execute them) doesn't eliminate how
far they dug into the OS to combat with other products that do the same.
 
Beauregard T. Shagnasty

VanguardLH said:
I don't recall that you can configure MSE to not operate as an
on-access (realtime) scanner, so the combo would be to install Avira,
disable its on-access scanner, and then install MSE.

I think on-access and realtime are two different modes of operation. So
you meant set MSE to operate realtime (in the background all the time),
and Avira (or other a-v) to on-access, or more properly on-demand.
 
VanguardLH

Beauregard said:
I think on-access and realtime are two different modes of operation. So
you meant set MSE to operate realtime (in the background all the time),
and Avira (or other a-v) to on-access, or more properly on-demand.

On-access and realtime mean the same to me. On-access means catching
file creates or modifies at the time they occur. That requires a
monitor that is constantly running or a file I/O handler to intercept
the system calls for file operations. Realtime is also something that
is ever present, running in the background, or as a file handler, to
catch the creation or modification of files to interrogate them for
malicious content or behavior.

How are on-access and realtime different to you?

Some users understand on-access and on-demand mechanisms for detection
of malware. Many users don't so I will refer to on-access mode as
realtime protection (since these users understand that) and refer to
on-demand mode as manual scans.
 
Beauregard T. Shagnasty

G. Morgan said:
Maybe he meant "on-demand".

I guess I did. I even said "... to on-access, or more properly
on-demand."

"Realtime" indicates the program is running all the time, scanning away
at any new file or file change it finds. "On-[demand/access]" means that
I've selected a file (perhaps by a right-click) and want to scan it
(this one file) now.

But in the end, isn't it a matter of semantics?
 
Beauregard T. Shagnasty

G. Morgan said:
Beauregard T. Shagnasty said:
G. Morgan said:
How are on-access and realtime different to you?

Maybe he meant "on-demand".

I guess I did. I even said "... to on-access, or more properly
on-demand."

"Realtime" indicates the program is running all the time, scanning
away at any new file or file change it finds. "On-[demand/access]"
means that I've selected a file (perhaps by a right-click) and want
to scan it (this one file) now.

But in the end, isn't it a matter of semantics?

Yes and no.

My use of the word "semantics" above had to do with defining "on
demand/on access" which ... well, the definition of the word is "the
multiple meanings of words or the multiplicity of words having the same
meaning".

G. Morgan said:
You would never want two A/V products running simultaneously in
"real time" (services always loaded). You know that.

But of course. But as I said, you can have one a-v running "realtime"
and scan a file "on-demand" with another.

G. Morgan said:
When I think of "on demand", it's launching a new program to scan
something. ...

'Zactly.
 
FromTheRafters

Beauregard T. Shagnasty said:
G. Morgan said:
Maybe he meant "on-demand".

I guess I did. I even said "... to on-access, or more properly
on-demand."

"Realtime" indicates the program is running all the time, scanning away
at any new file or file change it finds. "On-[demand/access]" means that
I've selected a file (perhaps by a right-click) and want to scan it
(this one file) now.

But in the end, isn't it a matter of semantics?

Sure, unless it matters.

Active or 'real time' can apply to other types of monitoring than just the
scanning of files' contents. On-demand and on-access refer to user-initiated or
scheduled as opposed to triggered events. An 'on demand' scan may be for a
program going through a list of files to scan (such as 'all files', which can be
scheduled), while an on-access scan scans file contents before an executable
image is built by interrupting (hooking) the normal flow either when it is
opened or closed or maybe even both.
 
FredW

VanguardLH said:
I also tend to stay away from "loud" adware. Avast is adware but it is
mild in that you only see their ad when you load their GUI and only in
the summary panel. With Avira, you have to contrive a means to disable
their avnotify.exe adware program that loads on every update (like
renaming the file, creating a 0-byte version of it, or using SRPs to
prevent it from loading) along with altering the Run key in the registry
to eliminate the adware banner.

- Disable the Avira AntiVir avnotify nag screen
http://www.elitekiller.com/files/disable_antivir_nag.htm

Apply one of the solutions, the problem is solved.
I did this once and thereafter no nag screen appeared anymore.


By the way I use NOD32 as my "real-time" scanner
and Avira Antivir as my "on-demand" scanner,
programmed to scan twice a week.


In services I changed Avira AntiVir Guard from "automatic" to "manual".
The only "problem" is that my scheduled updates are now
"invisible" instead of "minimized" as was possible in previous
versions.
The small message that an update was completed is gone.
 
FromTheRafters

G. Morgan said:
Interesting. So do you think I can turn off the real time component of Avira
(free), and also install Avast6 as the real-time watchdog?

I do something like that. If I scan with ClamWin, my on access Avira will scan
each on-demand file being accessed by ClamWin. My right click options are scan
with ClamWin, Avira, or Malwarebytes' Anti-Malware. Both MBAM and ClamWin are
filewalking on demand only scanners whether they are scheduled or not. As long
as two 'real time' scanners aren't competing for the same resources it should be
fine. I also believe, though I haven't tried it, if you have one AV scan on
access (open) and another on access (close) you shouldn't have a problem. Real
time protection that monitors change detection in your registry for instance is
'real time' but not 'on access' so they are not the same thing really.

G. Morgan said:
That way the Rt. click "scan with Avira" will still be there.

Yep, unless they are incompatible for some other real or fabricated reason.
Competing for resources is not the only way conflict arises.
 
VanguardLH

Beauregard said:
G. Morgan said:
Maybe he meant "on-demand".

I guess I did. I even said "... to on-access, or more properly
on-demand."

"Realtime" indicates the program is running all the time, scanning away
at any new file or file change it finds. "On-[demand/access]" means that
I've selected a file (perhaps by a right-click) and want to scan it
(this one file) now.

But in the end, isn't it a matter of semantics?

On-demand is, by the word "demand", something that you instigate
manually. On-access means anytime the object is accessed, and not just
when you happen to perform a scan. On-access means some part of the AV
program is resident. It may be a background process, an NT service, or
a system hook into the file I/O (which obviously you don't get to see a
process listed for it so a "program" isn't running).

On-access and on-demand have always been differentiated from each other.
They do not mean the same thing.

What is an on-demand scanner?
http://www.webopedia.com/TERM/O/on_demand_scanner.html
"scans your computer system for viruses only when prompted to do so by
the computer user"

What is an on-access scanner?
http://www.webopedia.com/TERM/O/on_access_scanner.html
"runs in the background and actively scans your computer system
constantly for viruses and other malicious threats, for the entire
duration that your system is powered on"

Since many users aren't familiar with the lingo, I also use realtime and
manual mode to describe use of the AV program. However, it isn't just a
case of unimportant semantics. Racehorse and ironhorse are different
despite the sharing of a word so it is important you don't use one to
mean the other. Confusion abounds if you use terms incorrectly.
 
Sir_George

G. Morgan said:
So when FF downloads a file and the status shows "scanning for
viruses", is that on-demand or on-access or both?

If you initiate the scan, that's on-demand. If it is automatic, that's
on-access.
 
FromTheRafters

G. Morgan said:
Right, are you hinting about each other's installation routine? A-la "You must
first uninstall our competitor's product".

Yes. I'm not so sure that they are always straightforward about the
reason for not allowing coexistence.
 
FromTheRafters

G. Morgan said:
So when FF downloads a file and the status shows "scanning for viruses", is that
on-demand or on-access or both?

Neither, it is an additional layer of protection. By 'on demand' and 'on
access' we are talking about file scanning. I assume the download scan
is done in memory before a file to scan is created. If you have 'on
access' scanning enabled, it would scan the content again when the
appropriate (hooked) file manipulation is attempted.
 
FromTheRafters

Sir_George said:
If you initiate the scan, that's on-demand. If it is automatic, that's
on-access.

So, the automatic scan at startup is on access in your opinion?
 
FromTheRafters

VanguardLH said:
On-demand is, by the word "demand", something that you instigate
manually. On-access means anytime the object is accessed, and not just
when you happen to perform a scan. On-access means some part of the AV
program is resident. It may be a background process, an NT service, or
a system hook into the file I/O (which obviously you don't get to see a
process listed for it so a "program" isn't running).

On-access and on-demand have always been differentiated from each other.
They do not mean the same thing.

What is an on-demand scanner?
http://www.webopedia.com/TERM/O/on_demand_scanner.html
"scans your computer system for viruses only when prompted to do so by
the computer user"

What is an on-access scanner?
http://www.webopedia.com/TERM/O/on_access_scanner.html
"runs in the background and actively scans your computer system
constantly for viruses and other malicious threats, for the entire
duration that your system is powered on"

Since many users aren't familiar with the lingo, I also use realtime and
manual mode to describe use of the AV program. However, it isn't just a
case of unimportant semantics. Racehorse and ironhorse are different
despite the sharing of a word so it is important you don't use one to
mean the other. Confusion abounds if you use terms incorrectly.

Excerpt from:

http://sophosru.arizona.edu/savlinux/doc/installsavl_7_eng.txt

====================================================
3.2 How Sophos Anti-Virus protects your computer
------------------------------------------------

"On-access scanning" is your main method of protection
against viruses. Whenever you access (copy, save, or
open) a file, Sophos Anti-Virus scans the file and
grants access to it only if it does not pose a threat
to your computer.

In addition to on-access scanning, Sophos Anti-Virus
enables you to run an "on-demand scan" to provide
additional protection. An on-demand scan is a scan
that you initiate. You can scan anything from a single
file to everything on your computer that you have
permission to read. You can either manually run an
on-demand scan or schedule it to run unattended.

================[end of excerpt]====================

Some other antivirus companies' explanations include things aside from
file access as 'on access' but they are wrong IMO. They are helping to
confuse 'on access' with all other types of resident 'real time'
scanning that may not be a result of the user or system accessing a file.

In modern Windows systems, the registry is a data structure (not a file)
and some 'real time' scanners can monitor it for changes or look for
evidence of malware infestation. This does not make them 'on access'
scanners even though they *are* 'active' or 'real time' or 'resident'
scanners.

It could very well be that all of these terms are now exactly the same.
Once again, the terminology may be changing without my being notified. :blush:)

But, I'll stick by the notion that 'on access' refers only to file
content scanning initiated by the hooking of the invocation of the
filesystem to access a file, and that there are other ways to be
'resident' protection and operate in 'real time' and be 'active' without
being 'on access'.
 
Sir_George

FromTheRafters said:
So, the automatic scan at startup is on access in your opinion?

I have never found it important enough to debate issues of this nature.
I stated what seems logical to me and if you disagree, well, OK.
 
VanguardLH

FromTheRafters said:
In modern Windows systems, the registry is a data structure (not a file)
and some 'real time' scanners can monitor it for changes or look for
evidence of malware infestation. This does not make them 'on access'
scanners even though they *are* 'active' or 'real time' or 'resident'
scanners.

It could very well be that all of these terms are now exactly the same.
Once again, the terminology may be changing without my being notified. :blush:)

But, I'll stick by the notion that 'on access' refers only to file
content scanning initiated by the hooking of the invocation of the
filesystem to access a file, and that there are other ways to be
'resident' protection and operate in 'real time' and be 'active' without
being 'on access'.

Since when has the registry not been a file? You don't know it consists
of multiple .dat files? When you open a file to edit it, a portion or
all of the file gets loaded in memory. Rarely and only in very special
situations are you directly editing the bytes on the hard disk. You
edit the buffered copy of the file that is loaded in memory. The
registry is a set of .dat files that get loaded in memory. The memory
copy gets referenced thereafter. Changes to the registry *do* get
copied into the .dat *files*; otherwise, no changes to the registry
would be permanent across Windows sessions.

I gave file I/O system hook as one example of an on-access method of
monitoring for changes. If that's all an AV product monitored then it
would be of little value except in a static (non-running) OS. Changing
memory is another on-access monitor. Looking for buffer overruns or
processes trying to access memory outside their address range is memory
monitoring.

File I/O hook and memory monitoring are real-time operations. They
perform at the time the event occurs. They are resident because they
are kernel-mode handlers loaded by the OS. Some products are resident
but not real-time, like the old Microsoft Defender or the free version
of WinPatrol that poll for changes. They are resident but not
real-time. Not all of the security product may be continuously resident
but get loaded when a resident portion of it needs it. Resident may be
considered requiring a background process versus hooking into the system
API. An event caused by the system hook could load a process so then it
becomes resident. But all of these are on-access monitors.

On-access mode:
- May be real-time. May not be real-time.
- May be resident. May not [all] be resident.
- You configure this monitor. You don't call it.

On-demand mode:
- You call this monitor. You initiate the event.
- Might already be active/resident when you call it. Might not.

Neither on-access nor on-demand mode is limited to just file monitoring
unless that's a limitation of the security product you are using. It is
not a limitation to the operational mode being discussed.
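The three modes argued over in this post and in FromTheRafters' earlier reply (an on-demand filewalk, an on-access hook that checks a file at open time, and a resident monitor that only polls) as a small Python model added here; it is not code from the thread or from any of the products named, and its signature, sample files and Run-key store are constructed stand-ins.

```python
"""Toy model of the scanning modes discussed in the thread. The signature,
sample files and key/value 'registry' store are all constructed here."""
import os
import shutil
import tempfile
from typing import Dict, List, Tuple

# Constructed test pattern standing in for a real malware signature.
SIGNATURE = b"CONSTRUCTED-TEST-SIGNATURE"


def scan_bytes(data: bytes) -> bool:
    """Return True when the constructed signature is present."""
    return SIGNATURE in data


def on_demand_scan(root: str) -> List[str]:
    """On-demand: the caller (or a schedule) starts it and it walks a list of
    files. It only sees what exists at scan time; nothing is intercepted."""
    hits = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                if scan_bytes(fh.read()):
                    hits.append(path)
    return sorted(hits)


class OnAccessGuard:
    """On-access: a hook in the open path scans content before access is
    granted. The user never calls the scanner; every open() routed through
    the guard is checked, and a detection denies that access."""

    def __init__(self) -> None:
        self.denied: List[str] = []
        self.scanned = 0

    def open(self, path: str, mode: str = "rb"):
        self.scanned += 1
        with open(path, "rb") as fh:  # scan the content first
            if scan_bytes(fh.read()):
                self.denied.append(path)
                raise PermissionError(f"on-access scan denied {path}")
        return open(path, mode)  # clean: grant the requested access


class PollingMonitor:
    """Resident but not real-time (the WinPatrol-style case in the thread):
    it diffs periodic snapshots of a key/value store standing in for Run
    keys, so a change is noticed only at the next poll, not as it happens."""

    def __init__(self, store: Dict[str, str]) -> None:
        self.store = store
        self.baseline = dict(store)

    def poll(self) -> List[Tuple[str, object, object]]:
        changes = []
        for key in set(self.baseline) | set(self.store):
            old, new = self.baseline.get(key), self.store.get(key)
            if old != new:
                changes.append((key, old, new))
        self.baseline = dict(self.store)
        return sorted(changes, key=lambda c: c[0])


def demo() -> dict:
    """Build a constructed sample tree and exercise all three modes."""
    root = tempfile.mkdtemp(prefix="scanmodes_")
    try:
        clean = os.path.join(root, "notes.txt")
        bad = os.path.join(root, "dropper.bin")
        with open(clean, "wb") as fh:
            fh.write(b"just a note\n")
        with open(bad, "wb") as fh:
            fh.write(b"header " + SIGNATURE + b" trailer")

        result = {"on_demand": [os.path.basename(p) for p in on_demand_scan(root)]}

        guard = OnAccessGuard()
        with guard.open(clean) as fh:  # clean file: access granted
            result["clean_readable"] = fh.read() == b"just a note\n"
        try:
            guard.open(bad)  # detection: access denied at open time
            result["bad_denied"] = False
        except PermissionError:
            result["bad_denied"] = True
        result["on_access_scans"] = guard.scanned
    finally:
        shutil.rmtree(root, ignore_errors=True)

    run_keys = {"Run\\Updater": "updater.exe"}
    mon = PollingMonitor(run_keys)
    run_keys["Run\\Loader"] = "loader.exe"  # lands between two polls
    result["first_poll"] = mon.poll()  # seen only now, at the poll
    result["second_poll"] = mon.poll()  # nothing new since last snapshot
    return result
```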
 
FromTheRafters

VanguardLH said:
Since when has the registry not been a file? You don't know it consists
of multiple .dat files?

It is *stored* as multiple .dat files.

VanguardLH said:
When you open a file to edit it, a portion or
all of the file gets loaded in memory. Rarely and only in very special
situations are you directly editing the bytes on the hard disk. You
edit the buffered copy of the file that is loaded in memory.

Yes, but when you open a file for reading or writing it is a filesystem
call. It is that which is hooked by the 'on access' scanner.

VanguardLH said:
The
registry is a set of .dat files that get loaded in memory. The memory
copy gets referenced thereafter. Changes to the registry *do* get
copied into the .dat *files*; otherwise, no changes to the registry
would be permanent across Windows sessions.

Yes, but in-session registry changes don't involve filesystem calls, yet
can be monitored by 'real time', resident, active antimalware scanners.

VanguardLH said:
I gave file I/O system hook as one example of an on-access method of
monitoring for changes. If that's all an AV product monitored then it
would be of little value except in a static (non-running) OS. Changing
memory is another on-access monitor. Looking for buffer overruns or
processes trying to access memory outside their address range is memory
monitoring.

File I/O hook and memory monitoring are real-time operations. They
perform at the time the event occurs. They are resident because they
are kernel-mode handlers loaded by the OS. Some products are resident
but not real-time, like the old Microsoft Defender or the free version
of WinPatrol that poll for changes. They are resident but not
real-time. Not all of the security product may be continuously resident
but get loaded when a resident portion of it needs it. Resident may be
considered requiring a background process versus hooking into the system
API. An event caused by the system hook could load a process so then it
becomes resident.

That I agree with, and it is/was my point. Most people treat all of
those as being the same.

VanguardLH said:
But all of these are on-access monitors.

Here, I disagree, but no matter. It is a minor point. On access has
always meant to me that the scanner has the chance to intervene in the
process of executing the program file that you or the system invoked, as
opposed to the quarantining and manual (old school) scanning of the
program file when it first arrived on the system.

VanguardLH said:
On-access mode:
- May be real-time. May not be real-time.
- May be resident. May not [all] be resident.
- You configure this monitor. You don't call it.

On-demand mode:
- You call this monitor. You initiate the event.
- Might already be active/resident when you call it. Might not.

Neither on-access nor on-demand mode is limited to just file monitoring
unless that's a limitation of the security product you are using. It is
not a limitation to the operational mode being discussed.

I mostly agree, but I also agree with this part of the above:

The emphasis being mine...

" 'On-access scanning' is your main method of protection
against viruses. Whenever you access (copy, save, or
open) a *file*, Sophos Anti-Virus scans the *file* and
grants access to it only if it does not pose a threat to
your computer."

Again, my point was that the terms are not all equivalent as suggested
by others, and on this we seem to agree.
 
