What are the differences between different Scan Mode of File Anti-Virus? [Closed]

[evjlsrain]

Hello everyone, I have a question regarding Scan mode in File Anti-Virus I read this descriptions about different scan modes but they are not clear enough for me https://help.kaspersky.com/KSCloud/Win3.0/en-us/84844.htm Therefore, I would like to ask for a more detail, in-depth descriptions about these scan modes and what the performance and security impacts after changing from 1 mode to another For example, the default scan mode is "Smart Mode". However, I don't find it is light-weight enough I decided to switch to "On execution" which is supposed to be faster than Smart Mode, according to my knowledge of products in various AVs from other vendors If I'm not mistaken: Performance (light -> heavy): On execution < On access < Smart mode < On access and modification Security (worst to best): same as above I would like to ask if anyone has tried to play around with these settings and does "On execution" reduce security noticeably? Thank you Regards,

[DaffyDuck]

I think this is a very relevant and useful question. If somebody from the Kaspersky team or anyone with the know how can address this it will be very useful information for the whole community.

[Vitalik93]

Scan on execution is less secure but more "light-weight" option. With this option enabled Kaspersky will scan files only when you open it. Smart scan - when you open it and when close, so if this file was changed, Kaspersky will check this changes.

[DaffyDuck]

Thank you Vitalik93. That was helpful. Looking at the Settings of my KSC Free version 20.0.14.1085 - I don't see the "Smart Mode" setting at all. Is that something that's only available in the paid subscription version?

[Vitalik93]

Smart Scan is related only to File Anti-Virus settings. Not Full Scan.

[DaffyDuck]

Smart Scan is related only to File Anti-Virus settings. Not Full Scan.

OK Got it. Too many settings to get my head around :)

[l2q129]

well, I have a question about the “on execute”.

First, I download a virus  and put it in the folder.Second, I open the folder, Kaspersky file antivirus scan it and kill it .  why? I just open the folder and not even have double clicked it.

[Flood and Flood's wife]

Hello  @l2q129,

Welcome!

• Is the problem, the Kaspersky software identified a file/object and deleted or quarantined it even tho you did not want that to happen?

Please post back with:

1. Operating system, version & build? 
2. KIS version & patch?
3. An image(s) of the problem please?

Thank you

Kaspersky software is constantly “managing” the system and everything in it. 

[l2q129]

hello,@FLOOD . thank you for reply

Yes, I think if I choose the scan mode “on execution”, the File AntiVirus should scan the file when I execute the virus.

My Operating System version is windows 10 LTSC 2019, build 1809. And KIS version is 20.0.14.1085 , patch e

choose the “on execution”. and has not changed other option.

 

then , I download a virus contained in a folder. Input the password and unpack it ,

 

enter the folder, wait a minute, it will be moved to quarantine.

 

[Flood and Flood's wife]

Hello @l2q129,

You’re very welcome!

Thank you for posting back, the information & the image.

• Protection (provided by KIS) is not restricted to one element. 

1. With this specific file/object, do you wish for it to be excluded from detection? 
2. Does the detected object fit the defined OLE criteria ?

   

Re the attached Report, my apologies😓 , I just saw it, thank you🙏 !

Thank you. 

[Flood and Flood's wife]

Hello @l2q129,

Some of the report (Chinese characters) get corrupted everytime I try to download & import in my systems, and, I really need to use a translator, unfortunately I cannot read Chinese😓 , however, I’ve PM’d  @Wesley as he’s very helpful and does read Chinese🙂👌

Best regards

[l2q129]

Hello @l2q129,

Some of the report (Chinese characters) get corrupted everytime I try to download & import in my systems, and, I really need to use a translator, unfortunately I cannot read Chinese😓 , however, I’ve PM’d  @Wesley as he’s very helpful and does read Chinese🙂👌

Best regards

 

ok, thank you for your help

[evjlsrain]

well, I have a question about the “on execute”.

First, I download a virus  and put it in the folder.Second, I open the folder, Kaspersky file antivirus scan it and kill it .  why? I just open the folder and not even have double clicked it.

exactly, I have the same issue with Kaspersky (all versions, all patches) while File Anti-Virus scan mode is set to “On execution”

as soon as I open any folder with many .exe files, Kaspersky always scans the folder and consumes up to 50% of CPU and puts some loads on disk

in fact, Kaspersky should never scan my files when I just open my folder because I set the scan mode to “On execution” → it doesn’t respect my change

Moreover, Kaspersky seems to intentionally wipes out it’s caches on reboot. Within the same boot session, when I open a previously scanned folder, files are not scanned again thanks to caches but after I reboot my PC, Kaspersky performs an automatic scan and re-collects caches => consumes CPU and disk IO

 

I have submitted a feedback via email. It was passed to my regional supporter and I provided enough information for them (trace logs and GSI logs + videos to demonstrate clearly how to reproduce the issue)

 

 

[Flood and Flood's wife]

Hello  @evjlsrain,

Welcome again!

When TS provide the diagnosis/advice/solution, please post for everyone?

Thank you🙏

[Wesly.Zhang]

hello,@FLOOD . thank you for reply

Yes, I think if I choose the scan mode “on execution”, the File AntiVirus should scan the file when I execute the virus.

My Operating System version is windows 10 LTSC 2019, build 1809. And KIS version is 20.0.14.1085 , patch e

choose the “on execution”. and has not changed other option.

 

then , I download a virus contained in a folder. Input the password and unpack it ,

 

enter the folder, wait a minute, it will be moved to quarantine.

 

Hello,

 

Try to reload or restart KIS if this behavior still exist. And then, Please tell me this issue has gone or not.

 

Regards

[l2q129]

hello,@FLOOD . thank you for reply

Yes, I think if I choose the scan mode “on execution”, the File AntiVirus should scan the file when I execute the virus.

My Operating System version is windows 10 LTSC 2019, build 1809. And KIS version is 20.0.14.1085 , patch e

choose the “on execution”. and has not changed other option.

 

then , I download a virus contained in a folder. Input the password and unpack it ,

 

enter the folder, wait a minute, it will be moved to quarantine.

 

Hello,

 

Try to reload or restart KIS if this behavior still exist. And then, Please tell me this issue has gone or not.

 

Regards

 

the problem is still exist.

forget it . I have disabled File Antivirus. Actually, I dont like static scan at all.

Fileless attack is more and more popular, right? I think the behaviour based detection is more important.

 

[evjlsrain]

hello,@FLOOD . thank you for reply

Yes, I think if I choose the scan mode “on execution”, the File AntiVirus should scan the file when I execute the virus.

My Operating System version is windows 10 LTSC 2019, build 1809. And KIS version is 20.0.14.1085 , patch e

choose the “on execution”. and has not changed other option.

 

then , I download a virus contained in a folder. Input the password and unpack it ,

 

enter the folder, wait a minute, it will be moved to quarantine.

 

Hello,

 

Try to reload or restart KIS if this behavior still exist. And then, Please tell me this issue has gone or not.

 

Regards

 

the problem is still exist.

forget it . I have disabled File Antivirus. Actually, I dont like static scan at all.

Fileless attack is more and more popular, right? I think the behaviour based detection is more important.

 

it’s not true. Signature-based and cloud-assisted protections are still ones of the most important components of kaspersky

behavioral blocker alone is insufficient. I have seen many malwares which are able to bypass Kaspersky's behavioral blocker but they are stopped by signatures although Kaspersky has one of the best BBs

by the way, physical malwares are still very popular

Kaspersky is also susceptible to adwares and PUPs so users should be aware of this kind of threat even though PUP protection is enabled in “Threads and exclusions”. ESET seems to be the most aggressive against PUPs and adwares

fileless malwares can somehow be stopped by blocking of Windows Script host, Powershell, java and some common script-delivering vectors => try to use Novirusthank Syshardener

[l2q129]

hello,@FLOOD . thank you for reply

Yes, I think if I choose the scan mode “on execution”, the File AntiVirus should scan the file when I execute the virus.

My Operating System version is windows 10 LTSC 2019, build 1809. And KIS version is 20.0.14.1085 , patch e

choose the “on execution”. and has not changed other option.

 

then , I download a virus contained in a folder. Input the password and unpack it ,

 

enter the folder, wait a minute, it will be moved to quarantine.

 

Hello,

 

Try to reload or restart KIS if this behavior still exist. And then, Please tell me this issue has gone or not.

 

Regards

 

the problem is still exist.

forget it . I have disabled File Antivirus. Actually, I dont like static scan at all.

Fileless attack is more and more popular, right? I think the behaviour based detection is more important.

 

it’s not true. Signature-based and cloud-assisted protections are still ones of the most important components of kaspersky

behavioral blocker alone is insufficient. I have seen many malwares which are able to bypass Kaspersky's behavioral blocker but they are stopped by signatures although Kaspersky has one of the best BBs

by the way, physical malwares are still very popular

Kaspersky is also susceptible to adwares and PUPs so users should be aware of this kind of threat even though PUP protection is enabled in “Threads and exclusions”. ESET seems to be the most aggressive against PUPs and adwares

fileless malwares can somehow be stopped by blocking of Windows Script host, Powershell, java and some common script-delivering vectors => try to use Novirusthank Syshardener

 

em...maybe you’re right.

thank you for sharing and advice

[Wesly.Zhang]

hello,@FLOOD . thank you for reply

Yes, I think if I choose the scan mode “on execution”, the File AntiVirus should scan the file when I execute the virus.

My Operating System version is windows 10 LTSC 2019, build 1809. And KIS version is 20.0.14.1085 , patch e

choose the “on execution”. and has not changed other option.

 

then , I download a virus contained in a folder. Input the password and unpack it ,

 

enter the folder, wait a minute, it will be moved to quarantine.

 

Hello,

 

Try to reload or restart KIS if this behavior still exist. And then, Please tell me this issue has gone or not.

 

Regards

 

the problem is still exist.

forget it . I have disabled File Antivirus. Actually, I dont like static scan at all.

Fileless attack is more and more popular, right? I think the behaviour based detection is more important.

 

it’s not true. Signature-based and cloud-assisted protections are still ones of the most important components of kaspersky

behavioral blocker alone is insufficient. I have seen many malwares which are able to bypass Kaspersky's behavioral blocker but they are stopped by signatures although Kaspersky has one of the best BBs

by the way, physical malwares are still very popular

Kaspersky is also susceptible to adwares and PUPs so users should be aware of this kind of threat even though PUP protection is enabled in “Threads and exclusions”. ESET seems to be the most aggressive against PUPs and adwares

fileless malwares can somehow be stopped by blocking of Windows Script host, Powershell, java and some common script-delivering vectors => try to use Novirusthank Syshardener

 

em...maybe you’re right.

thank you for sharing and advice

Hello

I will investigate this behavior and report to the support. Also, Thank you for informing.

Regards.