Should I be checking the files skipped during a virus scan?

RayLopez99

'The process cannot access the file because it is being used by
another process' is what the avast! anti-virus program says for
various files.

A list of files is given.

Should I be checking to see whether these same files are not being
scanned or accessed the next time I scan? Or is that being too
paranoid? I bet it might well be the same files every time (for
example SQL server files that get loaded on boot, and I bet SQL Server
will not like other programs messing with it while it is running).

Since all these AV programs do not have a 100% detection rate, perhaps
we should not bother with such trifles (I was surprised in a recent
graph of various AV programs to find the otherwise fine Kaspersky AV
program, which has detected malware where others have failed, did not
have a 100% success rate detecting rootkits, though it scored in the
top 10% overall for AV programs)

RL
 
Paul

RayLopez99 said:
'The process cannot access the file because it is being used by
another process' is what the avast! anti-virus program says for
various files.

A list of files is given.

Should I be checking to see whether these same files are not being
scanned or accessed the next time I scan? Or is that being too
paranoid? I bet it might well be the same files every time (for
example SQL server files that get loaded on boot, and I bet SQL Server
will not like other programs messing with it while it is running).

Since all these AV programs do not have a 100% detection rate, perhaps
we should not bother with such trifles (I was surprised in a recent
graph of various AV programs to find the otherwise fine Kaspersky AV
program, which has detected malware where others have failed, did not
have a 100% success rate detecting rootkits, though it scored in the
top 10% overall for AV programs)

RL

A "boot time scan" option may be available.

http://forum.avast.com/index.php?topic=38158.0

Paul
 
RayLopez99

Paul said:
A "boot time scan" option may be available.

http://forum.avast.com/index.php?topic=38158.0

    Paul

Yes but unless you want to scan the entire C drive on boot (which
apparently can take hours though mine takes about 30 minutes), and
during such time you will not be able to log onto your PC, that's not
an option except on occasion--and now that you mention it, I might do
it at least once on a weekend night.

Thanks for that. In the meantime I'll just monitor which files are
being not accessed so I can see if it's the same ones.

RL
 
FromTheRafters

RayLopez99 said:
'The process cannot access the file because it is being used by
another process' is what the avast! anti-virus program says for
various files.

A list of files is given.

Should I be checking to see whether these same files are not being
scanned or accessed the next time I scan? Or is that being too
paranoid? I bet it might well be the same files every time (for
example SQL server files that get loaded on boot, and I bet SQL Server
will not like other programs messing with it while it is running).

Since all these AV programs do not have a 100% detection rate, perhaps
we should not bother with such trifles (I was surprised in a recent
graph of various AV programs to find the otherwise fine Kaspersky AV
program, which has detected malware where others have failed, did not
have a 100% success rate detecting rootkits, though it scored in the
top 10% overall for AV programs)

RL

It depends on the files in question.

Hibernation file, swap file, and some others probably don't need to be
scanned anyway.
 
David H. Lipman

FromTheRafters said:
It depends on the files in question.

Hibernation file, swap file, and some others probably don't need to be scanned anyway.

If a given file's File Handle is held open by the OS then they can't be opened for a scan
or for any other type of examination.
 
FromTheRafters

David said:
If a given file's File Handle is held open by the OS then they can't be opened for a scan
or for any other type of examination.

If he boots from a Live CD, no files on the suspect drive should have
handles to be "held open". I don't think that they need to be scanned,
although I suppose the hiberfil.sys file *could* be used to re-establish
a tainted environment.

The SQL files he has guessed at would be another story, but the
alternative boot would leave them unhandled as well.
 
David H. Lipman

FromTheRafters said:
If he boots from a Live CD, no files on the suspect drive should have handles to be
"held open". I don't think that they need to be scanned, although I suppose the
hiberfil.sys file *could* be used to re-establish a tainted environment.

The SQL files he has guessed at would be another story, but the alternative boot would
leave them unhandled as well.

Yes. Booting outside the affected OS or scanning using a surrogate PC negates the problem
of open File Handles.
 
RayLopez99

FromTheRafters said:
If he boots from a Live CD, no files on the suspect drive should have
handles to be "held open". I don't think that they need to be scanned,
although I suppose the hiberfil.sys file *could* be used to re-establish
a tainted environment.

The SQL files he has guessed at would be another story, but the
alternative boot would leave them unhandled as well.

This is not a Live CD boot, which I agree solves the problem of open
files.

RL
 
FromTheRafters

RayLopez99 said:
This is not a Live CD boot, which I agree solves the problem of open
files.

I understood that. Maybe you could prune your autostarts to free up
those SQL files too. I still think pagefile.sys and hiberfil.sys are two
other files not being scanned and that's okay. There are other files,
locations, and types of files that don't need to be scanned so if these
are an issue (in use by another program) they can also be ignored.

It depends on the files in question.
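
An added example, not part of the thread and not avast! code: one way to check whether the same files are locked on every scan, while setting aside the two files the posts above name as fine to skip. The report line layout (`<path> [E] <message>`) and the sample paths are assumptions constructed for illustration.

```python
import re
from collections import Counter
from ntpath import basename  # Windows path rules on any host OS
LOCK_MSG = "The process cannot access the file because it is being used by another process"
# Assumed line layout "<path> [E] <message>"; adapt to the real report file.
LINE_RE = re.compile(r"^(?P<path>.+?)\s+\[E\]\s+" + re.escape(LOCK_MSG))
# Files the thread names as fine to leave unscanned.
EXPECTED = {"pagefile.sys", "hiberfil.sys"}

def skipped_files(report_text):
    """Return the lower-cased paths a scan report lists as locked."""
    found = set()
    for line in report_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            found.add(m.group("path").lower())
    return found

def compare_scans(reports):
    """Classify locked paths across scan reports given oldest first."""
    runs = [skipped_files(r) for r in reports]
    earlier = set().union(*runs[:-1])
    counts = Counter(p for run in runs for p in run)
    out = {"expected": set(), "every_scan": set(), "new": set(), "intermittent": set()}
    for path, n in counts.items():
        if basename(path) in EXPECTED:
            out["expected"].add(path)      # swap/hibernation files
        elif n == len(runs):
            out["every_scan"].add(path)    # same file locked each time
        elif path in runs[-1] and path not in earlier:
            out["new"].add(path)           # first seen locked in latest scan
        else:
            out["intermittent"].add(path)
    return out

def sample_report(paths):
    """Build a constructed report in the assumed layout."""
    return "Scan started (constructed sample)\n" + "\n".join(
        f"{p} [E] {LOCK_MSG}" for p in paths)

SCAN_1 = sample_report([r"C:\pagefile.sys", r"C:\hiberfil.sys",
                        r"C:\SQLData\master.mdf", r"C:\Temp\install.log"])
SCAN_2 = sample_report([r"C:\pagefile.sys", r"C:\hiberfil.sys",
                        r"C:\SQLData\master.mdf", r"C:\Temp\unknown.exe"])

if __name__ == "__main__":
    for label, paths in compare_scans([SCAN_1, SCAN_2]).items():
        print(label, sorted(paths))
```

Paths in the `every_scan` group are candidates for a boot-time or offline scan; anything in `new` is a file that was not locked in earlier runs and is worth identifying.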
 
RayLopez99

FromTheRafters said:
I understood that. Maybe you could prune your autostarts to free up
those SQL files too. I still think pagefile.sys and hiberfil.sys are two
other files not being scanned and that's okay. There are other files,
locations, and types of files that don't need to be scanned so if these
are an issue (in use by another program) they can also be ignored.

It depends on the files in question.

OK thanks. I decided to buy a paid for AV program, as they have
slightly better protection and more features than the free versions.
Plus the price is right: for three machines about $20-$60 a year,
that's no sweat. My philosophy is that if a minor malware gets
detected and deleted, I will not do a ghost restore, but if a major
one does, I might do a ghost restore of the entire HD (since I ghost
HD images once a week, and data every day)

If you have any AV favorites please let me know. I'm just researching
the issue and will probably pick one of the top five (the same names
keep coming up, Norton usually being at the top). Here is one such
site: http://anti-virus-software-review.toptenreviews.com/index.html
(appears to be a paid-for ad site by the #1 program listed there,
which is BitDefender AV, which PC Mag disagrees with, but it's useful
to show the features paid-for AV programs have), and here is another
independent site: http://www.av-comparatives.org

RL
 
FromTheRafters

RayLopez99 said:
OK thanks. I decided to buy a paid for AV program, as they have
slightly better protection and more features than the free versions.
Plus the price is right: for three machines about $20-$60 a year,
that's no sweat. My philosophy is that if a minor malware gets
detected and deleted, I will not do a ghost restore, but if a major
one does, I might do a ghost restore of the entire HD (since I ghost
HD images once a week, and data every day)

That sounds like a good plan to me. Basically a "recovery" scheme to
remove a malware infestation, and a restore scheme to roll back to a
previously uninfested state (which also works for hardware failure). The
key being to keep the rollback points as current as possible so that you
don't have to reinstall patches and recently installed programs or data
files.

The "recovery" scheme also usually has the added feature of "prevention"
which used to be the main idea behind scanners in general and "real
time" scanning in particular. An advantage to paid for AV is that you
can get support from them, IMO that is the real value for the money.

RayLopez99 said:
If you have any AV favorites please let me know. I'm just researching
the issue and will probably pick one of the top five (the same names
keep coming up, Norton usually being at the top). Here is one such
site: http://anti-virus-software-review.toptenreviews.com/index.html
(appears to be a paid-for ad site by the #1 program listed there,
which is BitDefender AV, which PC Mag disagrees with, but it's useful
to show the features paid-for AV programs have), and here is another
independent site: http://www.av-comparatives.org

I think I mentioned that one elsewhere. It's hard to find a completely
unbiased testing facility these days. These guys used to be good, but I
don't know if they even do this anymore.

old link:

http://agn-www.informatik.uni-hamburg.de/vtc/ART2000B/art2000b.htm

If I needed paid for protection at this time, I would probably get the
full Avira program
 
