Long Running Virus and Spyware Scans - Malware Team Findings

  • General discussion

  • Hi All,


    We've been attempting to reproduce the 'Scan will not stop problem'.  For those interested, I've listed our findings below. 


    1. The Scan is starved for CPU or memory:  In systems where memory is low and files abound, the scan will take longer to complete a system scan.  A CPU/memory hog scenario, such as the recent P2P memory/CPU consumption problem, is one where the scan is starved for memory/CPU and could run indefinitely.  If you believe you are afflicted by the P2P memory consumption problem, your options are to disable P2P networking (see Steve's post above) or wait for our upcoming service release (within 10 days). 
    2. The Scan is starved for resources:  Antivirus software is one of the most memory and CPU intensive applications to be found on common user systems.  As such, confirm you do not have other rogue applications competing for CPU or memory.
    3. System is physically low on memory: Windows will run with minimum memory configurations.  As soon as you add more software, your system will slow as it pages to disk.  If you are running a system at the bare memory minimums, please consider upgrading to more memory.  XPSP2 minimum is 128MB.  Vista minimum is 512MB.
    4. The Scan is running into lots of data:  Recently, I worked with another forum poster.  It turns out the user's system contains over 120GB of files.  Of this, a high percentage were multimedia files.  The conversation turned to 'are there really multimedia threats?'.  Answer is yes and no.  Multimedia threats tend to exploit a known problem with a particular multimedia application version.  In most cases, the vendor of the application is informed of the exploit and quickly releases a fix to address the problem thus rendering the multimedia threat ineffective.  And with public awareness of having to update your software, this probably explains the reduction of multimedia threats.  Can OneCare make the decision for all users to not scan multimedia files?  The answer is no.  However, OneCare does allow users to manually add a folder which will no longer be scanned.  REALIZE that in doing this, this folder and its contents are no longer protected by OneCare.  The user in question was okay with this risk and added the folders.  Their scans ran quickly thereafter.  The user also decided to occasionally initiate a manual scan on the excluded locations.
    5. The Scan engine is stuck scanning a particular file:  If you are experiencing a scenario where the scan seems to be 'stuck' scanning the same file for hours, it would be helpful to submit the file to https://www.microsoft.com/security/portal/submit.aspx .  In the comments section, please note "the scanner is stuck scanning the submitted file".
    6. Another antivirus product is installed:  More often than not, we find OEM systems come preloaded with antivirus software.  Users are often not aware of all software on their system.  If you're not sure of what software is installed on your system, consider reviewing your software inventory (in XP, open Control Panel - Add/Remove Programs.  In Vista, open Control Panel - Programs and Features).  For applications you're not familiar with, search on the application name to learn more.  As a general rule, I like to know what I have installed.
    7. Much user data is stored on external drives: On older XP systems, USB v1.1 port speeds could gate how fast (or slow) the Scan takes to complete.  On Vista, attaching an older USB v1.1 external device can have the same effect of slowing down any file transfers and scans.  If this is your scenario, consider the above item #4 or removing the USB v1.1 bottleneck.
    8. Bugs in the Scanner: Yep, these do happen. :-)  Folks who help with #5 above can help to reduce these bugs.  Ultimately, we need to make the product more resilient to file variations and the other unexpected hiccups.  We are actively working on improving the product as well as adding more smarts into how we attempt to determine time-intensive scans and how to reduce the time without compromising your security. 

    Final note.  I want to thank those of you who have worked hard to understand your own situations and then share them with others in this forum.  I know folks like Steve Boots, OneCareBear, and myself are very appreciative of your help and support.  For those who continue to have such performance problems, I suggest reviewing my profile and contacting me directly.  With your help, I'm sure we can figure out the root cause for some of the bottlenecks.


    Last note: 

    One of my older XP systems with 128MB RAM has a hard time running OneCare.  As such, I opted for one of those FREE antivirus products.  Yep, that did the trick and my system ran much faster and I was quite happy.  Immediately, I decided to see if it would stop a virus my family runs into on a regular basis.  I browsed to the website and sure enough, this FREE antivirus product let the threat through (a lovely trojan which steals my passwords).  Oh well, OneCare might not be as fast, but my data is safe.



    Thursday, January 31, 2008 3:24 AM