What does AVG-free do at Startup?

  • Thread starter Howard Schwartz
Howard Schwartz

The helpfile for the commercial version of AVG is fairly clear about what
it can/will do at startup: It has saved boot and partition sections and
system files that you can select and will check these for changes, and
check ram.


But the free edition is a confusing reduction of the programs/actions of
the regular version. It appears to insert lines in your startup files,
e.g., dblboot=1 in msdos.sys, bootup.exe in autoexec.bat etc., and
clearly scans the root directory for viruses at startup with avg_init.exe
or some such. In addition, there is a bootup option to check for the
memory resident portion of AVG, implying that it may not perform some
startup checks, if you do not enable its memory resident part for the
duration of each computer session. Finally, my process and memory programs
do not report a distinctive program or process as the memory resident part
of AVG. AVG does warn that this component ``becomes part of your operating
system'' (code added to io.sys ?? !!).

Does anyone know, what AVG help or website could not tell me:

a) What programs and what code does AVG free add to which particular
startup files? (e.g., autoexec.bat, msdos.sys, config.sys, win.ini,
system.ini, the registry, the startup folder, etc.) ??
b) What checks are done at startup, if you choose not to run the
memory resident scanner?
c) What options to its startup behaviour does noe have through
command line arguments (e.g., to bootup.exe) or the gui interface?

Thanks. I breathe easier, knowing what my ``anti-virus'' system is
altering in the way of system files! Incidentally, does its dos program
on its startup floppy act as a complete scanner like f-disk, only
run from dos instead of windows?
 
omega

Howard Schwartz said:
> But the free edition is a confusing reduction of the programs/actions of
> the regular version. It appears to insert lines in your startup files,
> e.g., dblboot=1 in msdos.sys, bootup.exe in autoexec.bat etc.,

I left the DOS scanner call in, the single line in the autoexec.bat.
That was the only file like that where I recall it writing an entry.

We must both be talking w98 here...

> clearly scans the root directory for viruses at startup with avg_init.exe
> or some such.

I don't have it in startup, nor run it in resident mode, so cannot say
what avg_init.exe does. I can say only that when I've run AV programs
at Windows startup in the past, they appeared to just check memory, and
that was about it, no files check. Someone else would be able to far
better answer on this...

> Finally, my process and memory programs do not
> report a distinctive program or process as the memory resident part of

If you ask a process manager what is loaded/hooked into the explorer, then
I think you might spot some AVG files.

> AVG. AVG does warn that this component ``becomes part of your operating
> system'' (code added to io.sys ?? !!).

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SessionManager\KnownVxDs
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\AvgCore
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\AvgFsh
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\VxD\AvgCore

> Does anyone know, what AVG help or website could not tell me:
>
> a) What programs and what code does AVG free add to which particular
> startup files? (e.g., autoexec.bat, msdos.sys, config.sys, win.ini,
> system.ini, the registry, the startup folder, etc.) ??

I have my inctrl logs, from an install of AVG6 I did not long back. In
brief: they show the one line in the autoexec for the DOS scan, and one
file it wanted to copy to the sysdir; and then some registry entries,
including the important VXD/services integrations. I could upload those
logs. Alternatively, if this program actually uninstalls itself fully,
then you could do that uninstall, followed by a monitored reinstall.
Of course, it might be better to wait until v7, in case the design is
significantly changed.

> b) What checks are done at startup, if you choose not to run the
> memory resident scanner?

Do you mean at Windows startup, or do you mean initial startup of AVG,
on demand? (The first, again, I don't know, since I don't use. The second,
it doesn't say what it's doing, but there is a brief progress bar, until
the main screen is available, where I assume it is doing a quick self-check,
as well as, hopefully, checking for sign of virus load in memory.)

> c) What options to its startup behaviour does noe have through
> command line arguments (e.g., to bootup.exe) or the gui interface?

Sorry, I'm not succeeding at working out what you say above...

> Thanks. I breathe easier, knowing what my ``anti-virus'' system is
> altering in the way of system files!

I have set up AVG on my machine in exactly the opposite way from how
most people want their AV. I have it as a visitor only, and do not let
it have a single reg entry or external file around, until I call it up.
When I want to run it, I import a couple of reg keys, including a pair
for the HKLM\..\Services VXD stuff. At exit, the keys are exported
back out. And also, those AVG6DB_F.DATs debris files at the root of the
partitions, which are not needed, at least in on-demand mode, they are
deleted.

Antivir, on the other hand, it was all self-contained in nature, so
did not offer me any such challenges to convert its style.

Anyway, I think my best suggestion might be the uninstall, followed by a
monitored install, to generate your own records. For your log, don't abort
the monitoring too early. That is, wait until, followed by the installer
routine, you've run AVG, and poked around with the options that you expect
to use, in order to have an accurate report. (Consider the various optional
integration extensions, for email, and context-entries, etc.)

As to what I think was your more primary question, someone else will have
to address that. But let me at least see if I got that one question right.
Is it this: When AVG runs at Windows startup, what checks does it perform?
 
omega

Howard Schwartz said:
> c) What options to its startup behaviour does noe have through
> command line arguments (e.g., to bootup.exe) or the gui interface?

I should have been able to figure out this sentence earlier, having
plenty of experience with my own typos. It's now that I see which two
letters got inverted. "What options to its startup behaviour does one
have through command line arguments..."

On the bootup.exe, which is run at the DOS stage of things, apparently
none. It does a memory check, and then a check on files at the root of C.

I use the main GUI program in on-demand mode. And the file I launch is
avgw.exe. After its initial quick test, it waits until I select a files
scan for it to proceed with.

Looking at my installation log, I see that the entry for having AVG run
a quick check at Windows startup, it was this command:

avgw.exe /runonce

I would assume that does the simple memory and C root files check, and
that there are not settings files to have it do more.

You'd mentioned in your post something about this running from startup:
avg_init.exe. That file identifies itself as related to updating via
internet. Thus I see it as a totally optional process to launch.

AVG has an exe in the pack which you might have interest in: avgscan.exe.
It's for commandline mode. View its full options:

avgscan /? >avgscan.txt
start notepad avgscan.txt

Examples:

avgscan /qt
:: quick test - memory and files at C root only

avgscan c:\,d:\
:: scan drives c:\ and d:\
 
Howard Schwartz

Thanks, Karen for your observations. Indeed, I do use AVG, free edition,
with windows 9x. I need to check if the free edition includes the
programs and options you mention.

I know that AVG runs the separate program, bootup.exe from the
autoexec.bat file, and inserts the conditional message, ``MBR has changed''
in autoexec.bat. It also creates files boot.mbr or mbr in the root
directory. Perhaps all bootup.exe does is compare the master boot record
to a copy AVG has saved on disk -- a good thing.

I do not know if AVG also checks the boot sector of the active partition -
does not appear to do that. It is always a good idea to save a copy of
the MBR, and boot sectors of all disks, and cmos settings SOMEHOW since
these data are traditional virus targets.

AVG also inserted the option, dblbuffer=1, in msdos.sys, which loads the
windows driver, dblbuff.sys. This decreases ram in dos boxes, and perhaps
allows some programs to run.

During bootup, after bootup.exe runs from autoexec.bat, a message like:

avg_dos32.init.exe

appears on my screen. However, there is no such program in the AVG
package and nothing like this seems to be loaded from the registry or
other startup files. I can only conclude this thing is called by another
program - whatever it does.

I would have thought a suite of virus programs would explicitly tell you
what lines it adds to your disk and computer files!! -- since this
behaviour mimics the actions of viruses, trojans, and worms!

I get nervous when I do not know which of my files and disk areas are
changed or added during a program's installation routine. It is not
necessarily easy to discover this by install/uninstall or log programs,
since programs such as total uninstall report added or deleted files, but
not changed files, and do not typically monitor, say changes to some
system files like io.sys, msdos.sys, the partition boot sector, etc.
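
An added example, not part of any post in this thread: a before/after baseline that reports changed files as well as added and removed ones, including the specific lines an installer inserted into text startup files. The function names, the watched-file list and the sample file contents are assumptions constructed for illustration (names such as bootup.exe and dblbuffer=1 are taken from the posts above); a boot sector is covered only if a copy of it has been saved as a file, such as boot.mbr.

```python
import hashlib
import os
import tempfile

# File names mentioned in the thread; adjust the list for your own system.
WATCHED = ["autoexec.bat", "config.sys", "msdos.sys", "io.sys", "boot.mbr"]

def snapshot(root, names=WATCHED):
    """Record SHA-256 and decoded lines for each watched file that exists."""
    snap = {}
    for name in names:
        path = os.path.join(root, name)
        if os.path.isfile(path):
            with open(path, "rb") as fh:
                data = fh.read()
            # latin-1 never fails to decode; for binaries only the hash matters
            lines = data.decode("latin-1").splitlines()
            snap[name] = (hashlib.sha256(data).hexdigest(), lines)
    return snap

def compare(before, after):
    """Return added, removed and changed files, with new/lost lines per change."""
    report = {"added": sorted(set(after) - set(before)),
              "removed": sorted(set(before) - set(after)),
              "changed": {}}
    for name in sorted(set(before) & set(after)):
        if before[name][0] != after[name][0]:
            old, new = before[name][1], after[name][1]
            report["changed"][name] = {
                "new_lines": [l for l in new if l not in old],
                "lost_lines": [l for l in old if l not in new],
            }
    return report

def demo():
    """Constructed sample: a stand-in boot drive root before and after an install."""
    with tempfile.TemporaryDirectory() as root:
        def write(name, data):
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(data)
        write("autoexec.bat", b"@echo off\r\npath c:\\windows\r\n")
        write("msdos.sys", b"[Options]\r\nBootGUI=1\r\n")
        write("io.sys", b"\x00" * 64)  # binary stand-in, left unchanged
        before = snapshot(root)
        write("autoexec.bat", b"@echo off\r\nbootup.exe\r\npath c:\\windows\r\n")
        write("msdos.sys", b"[Options]\r\nBootGUI=1\r\ndblbuffer=1\r\n")
        write("boot.mbr", b"\x00" * 510 + b"\x55\xaa")  # constructed saved copy
        return compare(before, snapshot(root))

if __name__ == "__main__":
    print(demo())
```

Take the first snapshot before installing and the second only after the program has been run and its options exercised, as suggested earlier in the thread.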