Excluding archive files from virus scan

TheMSsForum.com: The Microsoft Software Forum

I have around 5GB of disk space on my Windows 2000 laptop occupied by
archives bundled up using the "tar" facility, and compressed with
gzip. This is really slowing down a complete system scan. McAfee's
antivirus lets the user specify what files to exclude from scanning.
Is there much risk associated with doing this? What is the likelihood
of some malware adding itself to a file within one of the archive
files (each archive file is several hundred megabytes)? Most of the
archive is data, though there are some unix shell scripts and possibly
some binary executables. I unpack items from those archive files as
needed (about once every 2-3 days).
Top

Re: Excluding archive files from virus scan by David

David
Thu Feb 02 18:44:59 CST 2006

From: "Dubious Dude" <Shifty@eyes.com>

| I have around 5GB of disk space on my Windows 2000 laptop occupied by
| archives bundled up using the "tar" facility, and compressed with
| gzip. This is really slowing down a complete system scan. McAfee's
| antivirus lets the user specify what files to exclude from scanning.
| Is there much risk associated with doing this? What is the likelihood
| of some malware adding itself to a file within one of the archive
| files (each archive file is several hundred megabytes)? Most of the
| archive is data, though there are some unix shell scripts and possibly
| some binary executables. I unpack items from those archive files as
| needed (about once every 2-3 days).

It depends upon your computing practices and what being stored in the archive files.

You might want to keep all the archive files in one folder and exclude that folder from "On
Demand" and "On Access" scanning. Then when you manipulate a particular archive, copy it
from the source location to a non-excluded location. Extract and update the files then move
teh archive back into the excluded location. This way you are scanning the archive that is
being modified and updated but don't scan all the archive folders when you access the
excluded folder.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm


Top

Re: Excluding archive files from virus scan by Art

Art
Thu Feb 02 18:45:14 CST 2006

On Thu, 02 Feb 2006 19:01:24 -0500, Dubious Dude <Shifty@eyes.com>
wrote:

>I have around 5GB of disk space on my Windows 2000 laptop occupied by
>archives bundled up using the "tar" facility, and compressed with
>gzip. This is really slowing down a complete system scan. McAfee's
>antivirus lets the user specify what files to exclude from scanning.
>Is there much risk associated with doing this? What is the likelihood
>of some malware adding itself to a file within one of the archive
>files (each archive file is several hundred megabytes)? Most of the
>archive is data, though there are some unix shell scripts and possibly
>some binary executables. I unpack items from those archive files as
>needed (about once every 2-3 days).

Best to keep such archives on a separate drive which is not normally
attached to the laptop. That way they are safe from deletion by
malicous code. Before attaching the drive, scan your active drive for
malware.

Second best to risk leaving them on a active drive or partition and
exclude the .tar.gz extension from av scanning. They won't be messed
with by most malware ... I'd be most concerned with those few
malicious progams that delete files.

Don't disable archive scanning since there are a couple of compressed
executeable file types that won't be scanned which definitely should
be scanned.

I dunno if McAfee allows for excluding files from scanning that have
been previously scanned (based on a checksum). Kaspersky has that
feature built into its new version 6 to speed up scanning. Something
like that would work very nicely in your situation. It's the wave of
the future, without a doubt, since the better scanners are otherwise
really bogging down even the fastest PCs.

Art
http://home.epix.net/~artnpeg
Top

Re: Excluding archive files from virus scan by Dubious

Dubious
Sat Feb 04 15:07:37 CST 2006

David H. Lipman wrote:
> From: "Dubious Dude" <Shifty@eyes.com>
>
> | I have around 5GB of disk space on my Windows 2000 laptop occupied
> | by archives bundled up using the "tar" facility, and compressed
> | with gzip. This is really slowing down a complete system scan.
> | McAfee's antivirus lets the user specify what files to exclude
> | from scanning. Is there much risk associated with doing this?
> | What is the likelihood of some malware adding itself to a file
> | within one of the archive files (each archive file is several
> | hundred megabytes)? Most of the archive is data, though there are
> | some unix shell scripts and possibly some binary executables. I
> | unpack items from those archive files as needed (about once every
> | 2-3 days).
>
> It depends upon your computing practices and what being stored in
> the archive files.
>
> You might want to keep all the archive files in one folder and
> exclude that folder from "On Demand" and "On Access" scanning.

What I'm considering is similar. Basically, exclude those files
from scanning.

> Then when you manipulate a particular archive, copy it from the
> source location to a non-excluded location. Extract and update the
> files then move teh archive back into the excluded location. This
> way you are scanning the archive that is being modified and updated
> but don't scan all the archive folders when you access the excluded
> folder.

The files are several hundred megabytes each, compressed. They don't
take kindly to being moved, though they can be coerced to do so. I
also don't trust windows enough to think that the cumulative
probability of corruption with numerous acts of copying will be be as
insignificant as I would like (I don't have hard numbers, just
experience with Windows).

Fortunately, though, I think I can avoid it even within your
suggestions. This is because these archives are truly archives, in
the sense that they will not be deliberately changed by myself in the
future. Material will only be retrieved from them. The only thing I
was guarding against is if there is a means by which they can be
tampered with in a harmful way.

For example, one such archive corresponds to my email. Sometimes, I
will extract mail folders and use my local mail reader to view mail.
I was wondering if there was malware that might append something
malicious to a mail message within the mail file within the archive.
I would then be viewing the once-harmless message, not realizing that
it has a destuctive attachment.

Of course, for this addition to be made to the message while the
mailbox was still within the archive would require some acrobatics,
since the archive is compressed. I'm not sure if malware is this
sophisticated these days. A simplistic approach would be to unpack
the archive behind the scenes, possibly on-the-fly, add the malicious
content wherever it needs to be put, thus creating a 2nd archive with
which the 1st one will be replaced. For the longest time, I simply
assumed that this was way too round-about to be practical, but it
probably doesn't hurt to actually inquire about it before excluding
many Gigabytes of content from scanning.

On the other hand, knowledge of the feasibility of infecting
compressed archives might not actually change my new to-be-defined
scanning practices, since scanning 5GB is simply takes too long. My
hard drive will die before too long at this rate.

I do have the archives burnt to CDRs, but I access their contents
frequently enough to make it worthwhile keeping copies on the hard
drive. As well, I don't want to subject the CDRs to too much handling
or use, since they are meant to preserve the content for as long as
possible. I've had 1 CDR go bad in 3 years; I don't burn that many
CDRs, so that represents a 5-10% failure rate after 3 years. The
CDR was one of the best I could find for reliability at the time,
Kodak's Ultima gold CDs.

Thanks for commenting.
Top

Re: Excluding archive files from virus scan by Dubious

Dubious
Sat Feb 04 15:35:00 CST 2006

Art wrote:
>Dubious Dude <Shifty@eyes.com> wrote:
>>I have around 5GB of disk space on my Windows 2000 laptop occupied by
>>archives bundled up using the "tar" facility, and compressed with
>>gzip. This is really slowing down a complete system scan. McAfee's
>>antivirus lets the user specify what files to exclude from scanning.
>>Is there much risk associated with doing this? What is the likelihood
>>of some malware adding itself to a file within one of the archive
>>files (each archive file is several hundred megabytes)? Most of the
>>archive is data, though there are some unix shell scripts and possibly
>>some binary executables. I unpack items from those archive files as
>>needed (about once every 2-3 days).
>
> Best to keep such archives on a separate drive which is not normally
> attached to the laptop. That way they are safe from deletion by
> malicous code. Before attaching the drive, scan your active drive for
> malware.

Unfortunately, the laptop is the only piece of computing equipment.

> Second best to risk leaving them on a active drive or partition and
> exclude the .tar.gz extension from av scanning. They won't be messed
> with by most malware ... I'd be most concerned with those few
> malicious progams that delete files.

Yes, that's seems to be the option at this point.

> Don't disable archive scanning since there are a couple of compressed
> executeable file types that won't be scanned which definitely should
> be scanned.

Agreed. I will exclude only selected files, not entire classes of
files based on file type.

> I dunno if McAfee allows for excluding files from scanning that have
> been previously scanned (based on a checksum). Kaspersky has that
> feature built into its new version 6 to speed up scanning. Something
> like that would work very nicely in your situation. It's the wave of
> the future, without a doubt, since the better scanners are otherwise
> really bogging down even the fastest PCs.

Well, the multi-hundred-megabyte archives (compressed) have been
scanned before, and they will not be changing (at least, not
deliberately by myself). The only thing I was trying to rule
out is that malware actually modifies content (like email) within
the archive, so that when I extract it and view it, it goes into
action. Same with *.doc files and PDF files. There are relatively
few windows executables within the archives.

I have never seen a reference to the feature of excluding previously
scanned files based on a checksum, at least for Norton AV, LavaSoft
Ad-Aware, and SpyBot S&D. I was googling to see where Kaspersky keeps
the checksum info, and noted the controversy in their approach.
Interesting option to keep in mind. Thanks for your comments.
Top