ncage

Level 2
Today i was little disappointed with Bitdefender 2017 TS. Finding the answer to a simple question wasn't easy:

"Does bitfender automatically scan the system perodically (quick and/or full) by default (especially with autopilot enabled)"

I was quite surprised of the answer (no):
https://forum.bitdefender.com/index.php?/forum/478-protection/

Am i being to hard on bitdefender? It seems like any AV solution these days should be doing periodic scans. Heck even windows defender does periodic quick scans. I used to use NIS and its automatic scan system was actually quite awesome (least it used to be). It would detect when i wasn't using my system and do a scan during those times. If i logged in when it was doing one it would halt the scan and pick back up were it left off when it detected i left the computer. Not saying im going back to NIS. I will stick with bitdefender. We all know the "Tierney of the default" problem which probably means 95% of bitdefender users aren't doing scans. So yes its easy to schedule them but.....

Thoughts?
 

Durden

Level 2
I'm no expert but I'm not sure that an automatic system scan (an always on or idle scan) is necessary for real world protection these days , especially if the security software is constantly monitoring active applications/processes for any suspicious behavior (behavior blocker or whatever) and protecting your online surfing ..what I mean is that "dormant" malware that just sits there doing nothing is harmless .. so even though Bitdefender doesn't automatically scan your pc (I didn't knew that it doesn't) , other components keeps you secured .
 

AtlBo

Level 26
Verified
Content Creator
I noticed that 360 Total Security does some sort of regular scanning/monitoring while using Bouncer. This was a couple of years ago. It scanned very regularly downloads (like almost every minute or two), Documents, 360 sandbox, temps, and desktop. It appeared to do this in a circular pattern one area after another. 360 regular scans (quick/full) must be put on a schedule. It doesn't do those automatically.

I am surprised to hear that Bitdefender does not auto-scan. You could take a look with Bouncer and see what activity it finds. Just leave it in monitoring mode. It's pretty interesting to see and maybe Bitdefender is more active than understood, even if it doesn't run formal system scans.
 
Last edited:
5

509322

Today i was little disappointed with Bitdefender 2017 TS. Finding the answer to a simple question wasn't easy:

"Does bitfender automatically scan the system perodically (quick and/or full) by default (especially with autopilot enabled)"

I was quite surprised of the answer (no):
https://forum.Bitdefender.com/index.php?/forum/478-protection/

Am i being to hard on Bitdefender? It seems like any AV solution these days should be doing periodic scans. Heck even Windows defender does periodic quick scans. I used to use NIS and its automatic scan system was actually quite awesome (least it used to be). It would detect when i wasn't using my system and do a scan during those times. If i logged in when it was doing one it would halt the scan and pick back up were it left off when it detected i left the computer. Not saying im going back to NIS. I will stick with Bitdefender. We all know the "Tierney of the default" problem which probably means 95% of Bitdefender users aren't doing scans. So yes its easy to schedule them but.....

Thoughts?
This applies for all AVs with real-time protection:

1. When install AV perform full system scan
2. Afterwards all you need is file scanning

Scheduled scans are a waste of system resources and do not really increase protection

Malware that is on a system but has not yet been launched is inactive and considered "inert"

When some event on the system triggers the launch of a known malicious file, then the real-time protection will resolve\neutralize the file at that time according to the security soft settings
 

Prayag

Level 4
This applies for all AVs with real-time protection:

1. When install AV perform full system scan
2. Afterwards all you need is file scanning

Scheduled scans are a waste of system resources and do not really increase protection

Malware that is on a system but has not yet been launched is inactive and considered "inert"

When some event on the system triggers the launch of a known malicious file, then the real-time protection will resolve\neutralize the file at that time according to the security soft settings
totally agree with you.
Scheduled scanning is a wastage of resources and power(in case you use a laptop) while not increasing protection much.
 
5

509322

totally agree with you.
Scheduled scanning is a wastage of resources and power(in case you use a laptop) while not increasing protection much.
Lots of people do not understand:
  • that schedule scans are not necessary
  • why and how real-time protection is sufficient
  • inert malware on the system poses no threat as long as it remains inert
  • inert malware cannot auto-launch
A scheduled full-system scan will catch a known malicious file earlier, but at the cost of needlessly consuming system resources.
 
5

509322

It is the same concept that applies to scanning archives. Scanning archives during a full-system scan is not necessary and is a waste of resources.

There are those that just cannot stand the thought of having malware anywhere on their system, even if that malware poses no threat. And I won't even get into the topic of remnants left over after malware is removed.
 

Winter Soldier

Level 25
Lots of people do not understand:
  • that schedule scans are not necessary
  • why and how real-time protection is sufficient
  • inert malware on the system poses no threat as long as it remains inert
  • inert malware cannot auto-launch
A scheduled full-system scan will catch a known malicious file earlier, but at the cost of needlessly consuming system resources.
I disagree, a malware can bypass AV realtime protection not being inert in the system.

A scan, in case of non-detected infection (via realtime), can detect changes in the header file, or noticing from the header, that the execution of the code is moved to the last section instead of at the first one, the presence of multiple headers of the file (some malwares store the old header before infecting a file, to know when it has finished the infection's cycle, and running other steps of the attack), detect suspicious system calls or libraries to use API procedures to read/write files, sections of code within the file placed in a suspect way (the presence of many zeros in one section and the rest of the code, for example).

If one or more of these details are verified in a suspected file, the AV is allowed to detect a possible infection and all of that via on demand/scheduled scan.
 
  • Like
Reactions: frogboy and AtlBo
5

509322

I disagree, a malware can bypass AV realtime protection not being inert in the system.

A scan, in case of non-detected infection (via realtime), can detect changes in the header file, or noticing from the header, that the execution of the code is moved to the last section instead of at the first one, the presence of multiple headers of the file (some malwares store the old header before infecting a file, to know when it has finished the infection's cycle, and running other steps of the attack), detect suspicious system calls or libraries to use API procedures to read/write files, sections of code within the file placed in a suspect way (the presence of many zeros in one section and the rest of the code, for example).

If one or more of these details are verified in a suspected file, the AV is allowed to detect a possible infection and all of that via on demand/scheduled scan.
If the malicious process is not running and loaded into active memory it is inert.

Any user can scan their system as they wish. However, the ones that complain that full-system scans impact the system resources have no one to blame but themselves. Then vendors solve this system resource impact problem by using a low-priority scan. Next those same users complain that a full-system scan takes way too long.

Those users that adhere to general scan and real-time protection recommendations as I mentioned earlier have no problems.
 
  • Like
Reactions: harlan4096

Winter Soldier

Level 25
You're disappointed that your AV doesn't eat up all your resources randomly? ...
If the malicious process is not running and loaded into active memory it is inert.

Any user can scan their system as they wish. However, the ones that complain that full-system scans impact the system resources have no one to blame but themselves. Then vendors solve this system resource impact problem by using a low-priority scan. Next those same users complain that a full-system scan takes way too long.

Those users that adhere to general scan and real-time protection recommendations as I mentioned earlier have no problems.
If you (all of you guys) are programmers then you should know things but the usual problem is:

how can you really understand why a hash table needs to be rehashed if you never implemented one and tried to optimize it?

How can you really understand OS scheduling if you never tried to implement a minimal kernel yourself and saw the problematics behind it?

How can you really understand the difference between reserved and committed memory if you never implemented even the simplest memory allocator ?

I think there are two kinds of knowledge, the one you have because someone explained to you something and you understood it, and the one you get because you've thrown your mind on tons of books, writing thousands of code lines and testing things.

Believe me, there is a lot of difference in understanding!
 
  • Like
Reactions: frogboy
5

509322

If you (all of you guys) are programmers then you should know things but the usual problem is:

how can you really understand why a hash table needs to be rehashed if you never implemented one and tried to optimize it?

How can you really understand OS scheduling if you never tried to implement a minimal kernel yourself and saw the problematics behind it?

How can you really understand the difference between reserved and committed memory if you never implemented even the simplest memory allocator ?

I think there are two kinds of knowledge, the one you have because someone explained to you something and you understood it, and the one you get because you've thrown your mind on tons of books, writing thousands of code lines and testing things.

Believe me, there is a lot of difference in understanding!
It's your prerogative to take on the entire AV industry if you wish. I can tell you right now it will fall on deaf ears since these recommendations have been vetted for years.
 
5

509322

No problem Lockdown, just a difference of opinion :)
I understand where you are coming from. The publishers refined their products to meet the expectations for general users who have complained for years that scans impact the system and\or take too long. So the vendors make adjustments to accommodate the users. Not everyone is going to agree on product implementations.
 

Winter Soldier

Level 25
I understand where you are coming from. The publishers refined their products to meet the expectations for general users who have complained for years that scans impact the system and\or take too long. So the vendors make adjustments to accommodate the users. Not everyone is going to agree on product implementations.
I don't know where you're going...I do not speak of system impact, simply I've quoted your post where there are technical inconsistencies to which I replied according to knowledge.
Nothing else to add from my part.
 
  • Like
Reactions: frogboy
I disagree, a malware can bypass AV realtime protection not being inert in the system.

A scan, in case of non-detected infection (via realtime), can detect changes in the header file, or noticing from the header, that the execution of the code is moved to the last section instead of at the first one, the presence of multiple headers of the file (some malwares store the old header before infecting a file, to know when it has finished the infection's cycle, and running other steps of the attack), detect suspicious system calls or libraries to use API procedures to read/write files, sections of code within the file placed in a suspect way (the presence of many zeros in one section and the rest of the code, for example).

If one or more of these details are verified in a suspected file, the AV is allowed to detect a possible infection and all of that via on demand/scheduled scan.
Lockdown already stated that a scheduled scan will catch something missed by realtime earlier, why was it necessary to respond like this.

What you are stating is something that can bypass realtime and land on the system could at a later time be caught where it was not because of either being new or modified known malware by a scheduled scan once these updates come into play, the same can be accomplished with an occasional on demand, with no need to have the extra system impact. So as he stated, realtime is sufficient.
 

ncage

Level 2
A very interesting discussion guys. How about a file server? i would think it would be best to protect your clients from malware and not just assume everyone pulling files off the file server is going to have a full up to date AV. I'm assuming the AV product on a file server wouldn't scan a file before serving to to someone who is just requesting over the network but i definitely could be wrong on that one (considering it won't be consumed by the file server directly).

How about at least a rootkit scan so maybe updated heuristics, definitions, ect...would pick up the rootkit that was previously not detected. I would think just autoscanning feature would not pick it up.