Memory Items
Since yesterday, I'm seeing in the BD Deep Scan a very big number of items in the memory section, "memory dump", "full dump", "disk". There are like about 3,000 items.
What's going on? Is this normal? Is there any way to clear them out?
Comments
-
Just to mention that before I didn't have more than 1,000 items in the memory.
I don't know what happened.
Perhaps someone can clarify this for me, if it's something wrong or anything.
0 -
Is BD finding any malware on your machine?
0 -
No, it doesn't find any malware on my computer. I scanned several times.
0 -
Could you please post a scan log?
0 -
Of course, here you go.
Product: BitDefender Antivirus 2010
Version: BitDefender Antivirus Scanner
Scanning task: Deep System Scan
Log date: 03/10/2009 11:58:18 AM
Log path: C:\ProgramData\BitDefender\Desktop\Profiles\Logs\deep_scan\1254585498_1_00.xml
Scan paths:
Path 0000: C:\
Path 0001: \
Scan Level:
Scan for viruses: Yes
Scan for adware: Yes
Scan for spyware: Yes
Scan for applications: Yes
Scan for dialers: Yes
Scan for rootkits: Yes
Scan for keyloggers: Yes
Virus Scanning Options:
Scan registry keys: Yes
Scan cookies: Yes
Scan boot sectors: Yes
Scan memory processes: Yes
Scan archives: Yes
Scan runtime packers: Yes
Scan e-mails: Yes
Scan all files: Yes
Heuristic Scan: Yes
Scanned extensions: not configured
Excluded extensions: not configured
Target Processing:
Default first action for infected objects: None
Default second action for infected objects: None
Default first action for suspect objects : None
Default second action for suspicious objects: None
Default action for hidden objects: None
Default first action for encrypted infected objects: None
Default second action for encrypted infected objects: None
Default first action for encrypted suspicious objects: None
Default second action for encrypted suspicious objects: None
Default action for password-protected objects: Log only
Scan Engines Summary
Virus signatures: 4310866
Archive plugins: 44
E-mail plugins: 6
Scan plugins: 13
System plugins: 5
Unpack plugins: 8
Basic
Scanned items: 321974
Infected items: 0 (no infected items have been detected)
Suspect items: 0 (no suspected items have been detected)
Hidden items: 0 (no hidden items have been detected during this scan)
Resolved items: 0 (no threats have been detected during this scan)
Unresolved items: 0 (no issues remained unresolved)
Advanced
Skipped items: 428976
Password-protected items: 0
Over-compressed items: 0
Individual viruses found: 0
Scanned folders: 29941
Scanned boot sectors: 3
Scanned archives: 851
Input-output errors: 14
Scanned processes: 135
Infected processes: 0
Scanned registry keys: 1145
Infected registry keys: 0
Scanned cookies: 7
Infected cookies: 0
0 -
Excuse me, but I don't get it... where exactly are those 3000+ items that you are talking about? Because the log clearly says that there are no detections whatsoever.
0 -
No, I wasn't referring to any detections. I was referring to the items that BD Scan found in the memory area. For some reason, they went up from like 1,000 to 3,000 yesterday (I looked at the scan as it was performed, just in case you're wondering how I would know that).
It's those items that look like this one:
[system]=]C:\WINDOWS\system32\svchost.exe (full dump)
It's probably not a BD related issue. I would just like to know how can so many new memory items show up overnight. If possible, of course.
0 -
Basically, that only depends on your system and the processes that you run. The number of "memory items" (as you call them) is not directly proportional to the number of running processes, because every single process can load a different number of modules (DLLs), depending on its needs.
And, for instance, if you were running a process that had many modules, of course the scanned items will go up. Also, every loaded module is scanned 3 times:
- one, as "memory dump"
- one, as "full dump"
- one, as "disk" (the actual file on disk)
There is no "normal" number of items in this case (as I said, it only depends on your system). You can lower this number by closing the processes that you don't need.
Cris.
0 -
Ah, I see. So it depends on the modules. Alright, thanks for that explanation.
I also noticed that these "items" have some numbers included, like [3452], for instance (that number was made-up, of course). What do those numbers signify, if you could tell me?
0 -
That number is the PID (Process Identifier) of the process which that module belongs to.
So if the process with the PID 3452 loads a module named "module.dll", then that module (and all other modules of that process) will be marked with the number 3452.
The PID of your processes can be seen in Task Manager.
Cris.
0
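The explanation in the replies above, as an added example that is not part of the original thread: this PowerShell script counts the modules loaded by each running process, keyed by PID, and estimates how many memory items a scan would list. The factor of three (memory dump, full dump, disk) is taken from the reply above, not from BitDefender documentation, and the column names are assumptions.

```powershell
# Added example (not from the thread). Assumption taken from the reply above:
# each loaded module is listed three times (memory dump, full dump, disk).
$itemsPerModule = 3

$report = foreach ($proc in Get-Process) {
    $count = 0
    try {
        # Reading .Modules can fail for protected or system processes,
        # or when the shell is not elevated; those are counted as 0.
        $count = @($proc.Modules).Count
    } catch {
        $count = 0
    }
    [pscustomobject]@{
        PID            = $proc.Id            # the bracketed number in the scan items
        Process        = $proc.ProcessName
        Modules        = $count
        EstimatedItems = $count * $itemsPerModule
        Readable       = ($count -gt 0)
    }
}

# Processes that contribute the most items come first.
$report | Sort-Object EstimatedItems -Descending |
    Select-Object -First 15 | Format-Table -AutoSize

# Overall estimate; unreadable processes make this a lower bound.
$readable = @($report | Where-Object Readable)
$total = ($report | Measure-Object EstimatedItems -Sum).Sum
"{0} processes, {1} readable, about {2} estimated memory items" -f `
    @($report).Count, $readable.Count, $total
```

Running it before and after closing an application shows how much a single process with many DLLs moves the total.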