Skipped Items

coolcool1227

BitDefender 2010 has a new feature called SmartScan, which decreases the duration of the scan by adding clean files to a cache so that they will be skipped at the next scan if the files have not been accessed or modified in any way. If a file that is already present in the cache is accessed, then it will be removed from the cache.

I have some queries about Bitdefender Skipped Items

1) Is this "Cache" created by Bitdefender is different for the same files (e.g C:\Windows) scanned through "Deep System Scan" ' and "Contextual Menu Scan"?

2) What type of files are added to skipped items other than the criteria "Clean"?

3) Does this Bitdefender cache will be cleared after restarting the PC?

4) If I run "Deep System Scan" first then "Context Menu Scan" of Same Drives, the time span of "Context Menu Scan", will the time span of Scan be lower?

5) What is the path of this Bitdefender Cache?

6) Does it occupy space on harddisk?

Hoping detailed reply

Regards

Unknown

Hello ONT,

I will try to respond to your questions in the exact order you asked:

1) The "Cache" created by Bitdefender is the same for all types of scans*, also for all the scanned files . Once you ran a scan, the clean files are moved to this Cache. Also, BitDefender is scanning all the files and processes accessed in real time. These are also added to the same cache if they are clean.

2) Yes, only the clean files are moved to this Cache. When you will start a scan, BitDefender will first check this Cache in order to know what files it will skip. Also, once a file from the Cache is modified, it will automatically be removed from the cache list and BitDefender will scan it again in order to make sure the file is clean.

3) The Cache will not be deleted when you reboot or turn off your PC.

4) Yes, if you run a Deep system scan the cleaned files will be added to the Cache list. Then, when you will run another type of scan the time span should be lower.

5) The path for the Cache is:

C:\Program Files\Common Files\BitDefender\BitDefender Threat Scanner

and the data is stored in: smartscn.dat, smartscn.inc2 and smartscn.inc3

6) The Cache can store up to 50 000 files. In this way it cannot occupy to much space on the hard disk. Also, the scanning process would not be efficient anymore if it would be bigger.

You can also check the size on disk for these 3 files.

Should you need any information please do not hesitate to contact us.

Thank you.

coolcool1227

Hello ONT,

I will try to respond to your question in the exact order you asked:

1) The "Cache" created by Bitdefender is the same for all types of scans*, also for all the scanned files . Once you ran a scan, the clean files are moved to this Cache. Also, BitDefender is scanning all the files and processes accessed in real time. These are also added to the same cache if they are clean.

2) Yes, only the clean files are moved to this Cache. When you will start a scan, BitDefender will first check this Cache in order to know what files it will skip. Also, once a file from the Cache is modified, it will automatically be removed from the cache list and BitDefender will scan it again in order to make sure the file is clean.

3) The Cache will not be deleted when you reboot or turn off your PC.

4) Yes, if you run a Deep system scan the cleaned files will be added to the Cache list. Then, when you will run another type of scan the time span should be lower.

5) The path for the Cache is:

C:\Program Files\Common Files\BitDefender\BitDefender Threat Scanner

and the data is stored in: smartscn.dat, smartscn.inc2 and smartscn.inc3

6) The Cache can store up to 50 000 files. In this way it cannot occupy to much space on the hard disk. Also, the scanning process would not be efficient anymore if it would be bigger.

You can also check the size on disk for these 3 files.

Should you need any information please do not hesitate to contact us.

Thank you.

Dear Carmen Cernev

Thanks for prompt response

I've some more queries regarding subject

1)How long the Bitdefender Cache can store files? I mean e.g if I scan a pen drive of my colleague, a Device Detection Scan, and some files are stored in Bitdefender Cache as skipped items, but this pen drive seemingly not plug into my PC in future, so how long these files saved in Cache even if they are not accessed in any way?

2)And in reply to sixth query, you only mention the max no. of files and not the max. size of Cache.I mean the max. size may be occupied by a single file,may be by two or may be by e.g 46780 files.

Regards

Unknown

Hello ONT,

I am very sorry for the late response to your queries.

1) The Bitdefender Cache will store the files until they will be modified again. However, these files will not be skipped forever. They will be scanned first time, second time, forth time, 8th time, and so on. In this case we can make sure that the file is still clean. If it is then it will stay in cache and it will be skipped during the scanning process.

Regarding your example, since the file you would scan from the pen drive will never be accessed again, unfortunately it will stay in the cache. But you do not need to worry about that because the number was raised to 100 000 files in the cache.

2) The Cache does not have a maximum size and it will not be very big because it is just a database where there are stored the location and the date when the clean files were last modified.

Please let me know if I can provide you with any other information regarding this issue.

Thank you.

coolcool1227

Dear Carmen Cernev

I understood precisely your reply and I didn't feel resentment on your late response.I think one should not be impatient in such a multitude of queries in this forum.

Regards

coolcool1227

Hello Carmen Cernev

How do I see the list of files added to skipped items?

coolcool1227

1)Is there any way to see what files are added to skipped items?

2)Does the SmartScan feature of Bitdefender depends on file formats e.g exe, dll, lnk, ttf, inf, sys, com, chm, zip, rar etc or any file can be added to skipped items ?

3)The path for the Cache is:

C:\Program Files\Common Files\BitDefender\BitDefender Threat Scanner

and the data is stored in: smartscn.dat, smartscn.inc2 and smartscn.inc3

During the scan e.g Deep System Scan or On-Line Scan, does this cache be also scanned or it'll be excluded by default, if yes, does the skipped items removed from the list as the cache is accessed? Putting an other way if this cache is accessed by Bitdefender or other security software during scan, will the files added to skipped items remain in the list or removed?

alexcrist

1)Is there any way to see what files are added to skipped items?

No.

2)Does the SmartScan feature of Bitdefender depends on file formats e.g exe, dll, lnk, ttf, inf, sys, com, chm, zip, rar etc or any file can be added to skipped items ?

No.

3)During the scan e.g Deep System Scan or On-Line Scan, does this cache be also scanned or it'll be excluded by default, if yes, does the skipped items removed from the list as the cache is accessed?

Smartscan database is automatically managed by BitDefender (including new entires or removals).

Internal technical details and exact working method are not publicly available at this time.

Cris.

salytwo

Hello all,

I have a question. Can I exploit the network property of bitdefender to create a shared folder for a specific computers not shared for all computers?

Q2: How I can add windows explorer to a firewall save process? I mean some time bidefender block the process of win explorer from browsing another computer in my network? add: even ping command block from bitdefender.

thanks a lot

srinivasr

What happens when new virus definitions are out? will the cache gets deleted and generated again? as all the files needs to be scanned for new virus?

rootkit

Hi and welcome to our forums.

Please note that if a file was changed by the user or by another software, that file will not be skipped during the scan and it will rescanned again.

In some cases when the guys from our lab introduce some new routines in the engine, the "cache" can be reset and the scan process starts from zero.

Thank you.

srinivasr

I understand. But my question is there is a possibility for some files to become virus after the new virus update isn't it? so when that files are not opened by me it wont get modified but still the virus will be present in my system as i have not modified it and the scans will skip unmodified files. so there should be a mechanism to take care this such that when whole new virus definition set is introduced the cache should get cleared and all the files should be checked for new virus.

rootkit

Welcome back srinivasr

Not every file is added in that database.

The files added to the database are system files, executables any other files.

For your question, I have an answer: if a file from the SmartCache database is declared infected by our lab, a definition will be created.

After this, the update will be pushed on the server. When the product is updated(ant the definition is included in that update), the database will be erased and the SmartCache will start from zero. The files will be added again and the process can continue without user intervention.

The described situation is like worst case scenario and that file will be deleted/disinfected by our product.

Thank you.

srinivasr

ok thanks i understand now. Skipped files are unmodified files but the system files only get added to database. I have another question too. How the cache gets generated? for example i have 2 OS one is WIN XP and another one is WIN 7 X64. i use both and i access files from both the windows. so the files get modified when Bitdefender is not running. As i have installed BD only in Win 7 how does bitdefender recognize it? or will the change in the files gets detected when i open Win 7 again?

rootkit

Hi

The database can remember up to 300.000 files and in the near future, this number will be extended.

The cache gets generated when the PC is used. Our engines continuously scan your machine(on access scanning) and also during a full scan, some files are added to Smart Cache.

In your case, you can install Bitdefender in the other OS and you will have 2 independent caches and it's a lot easier to scan all the files from both operating systems.

The files from the cache are automatically checked after each update.

Thank you.

srinivasr

ok. I have another question too. Auto scan is based on this Smart cache right? when only system files and .exe files gets added to this file how will the auto scan scans all the files in PC except boot sector?

rootkit

Hi

The Auto Scan is a new feature and was introduced for the first time in Bitdefender 2012.

I've answered to your questions in general and I've took in the equation all versions of our product(the antivirus engine).

Auto Scan is a light on-demand scan that silently scans all your data for malware and takes the appropriate actions for any infections found. Auto Scan finds and uses time-slices when system resource usage falls below a certain threshold to perform recurring scans of the entire system.

Benefits of using Auto Scan:

-It has close to zero impact on the system.

-By pre-scanning the entire hard-disk, future on-demand tasks will be completed extremely fast.

-On-access scanning will also take significantly less time.

Basically is a continuous scan that helps to populate the Smart Cache. It doesn't scan boot sectors, registry and all the other options. The Real Time protection takes care of these.

It's recommended to run a full system once a month.

Thank you.

srinivasr

Thanks. But as i told in my older post auto scan scans only the modified files after the last scan it does not scan all the files. why is that so?

so auto scan is accessing the database to scan the files. so how that process works? how will the auto scan create a new entries in database?

as it scans only the modified files?

rootkit

Welcome back srinivasr

The Auto Scan scans the modified files from the last scan and all the new files created in the system. It is useless to scan the same file again if the file was not modified.

The Auto Scan verifies if that files is in the database or not. If not, it will be scanned. If was declared clean during a previous scan, it will be skipped. I've told you that you don't have to worry if a file from the cache is declared infected because when definition enters in the product, the cache is automatically cleared.

The Auto Scan creates entries for the new files found in the system. When the scan cycle is finished and a new cycle is started(I've told you what is Auto Scan in my last post), only the modified files and new files are scanned.

Thank you.

coolcool1227

Hi Christian

You talked about the definitions added, so the Smart Scan Database is not scanned by Heuristics and what about the False Positives? How the Smart Scan database is scanned if the Auto Scan is turned OFF or in 2011 version?

rootkit

Hi Omer

In that situation, the Smart Cache is populated by the On Access scanner and when a Full System Scan is run. In a case of a false positive, the file is removed from the database in the update process. In some special cases, when a new version of our engine is released or some routines enter in the product, the Smart Cache is cleared and the process starts over again.

Thank you.

coolcool1227

1) In all this discussion, I forget to ask what attributes of the files which are considered to be necessary for the file authenticity/verification is checked/compared by SmartScan feature. e.g. Checksum, Digital Signature, Timestamp, Hashes etc or some UIDs assigned to the files are compared or combination of above?

2) Does the SmartScan feature depend on the File System?

3) What if the file (that was skipped in the last scan) is moved to another location?

rootkit

Hello

Welcome back.

I will now answer to your questions:

1. This answer is classified, I can not provide you details about the criteria that we use to add files to Smart Scan. All you need to know is that those files are 100% clean and no malware will be added by mistake in there.

2. No, is does not depend on the file system. All known file systems from Windows, Mac OS X and Linux are recognized by Smart Scan.

3. If the file is moved to another location, it will still be considered clean and the database will be updated during the next scan(made by the user on demand or by Auto Scan).

Have a great weekend!

coolcool1227

Some more information from an old topic

BitDefender comes with a predefined whitelist of known files (list which is updated whenever necessary, through Automatic Updates, along with other types of updates) as well as a prebuild Smart Scan database. These contain signatures for files that are known to be clean, thus preventing the other engines from scanning them.

This filtering ensures that files are not scanned until they are changed/replaced and is not based on file name and/or location.

All in all, once a system file gets modified, it will be detected if it contains known malicious code.

Cris.

rootkit

Hi

Yes, Cris is right.

With the release of the 2012 products, some improvements were maid to the engines and the whitelisting process is a lot faster.

Also, during the scan process, files are added to the whitelist using also the cloud system.

Take care.

JAGUARS

A question:

i> Does the whole file (declared clean) move to the Cache or some information associated with it?

JAGUARS

ii> I want to know the criteria of saying the file is "Clean"? e.g if I run a scan, total scanned items are 58600, skipped items are 5800 and infected items are 100, but still the 58600-100=58500 items are cleaned but whole of them are not considered as Skipped Items and move to SmartScan Cache and only 5800 items are declared as skipped items….Why?

coolcool1227

1) If the infected files are present in SmartScan Cache which the Bitdefender has no detection or failed to detect even by Heuristics and AVC, are there any chances that such infection will be spread from the that Cache or it is like Quarantine, in which the quarantined infections are stored in special format and thus no chances of spreading?

2) Why the whole database will be erased if it contains infected files which are detected later upon adding their detection? Only the infected instances should be re-scanned.

3) If the definitions entered into the product, the cache is automatically cleared, so the cache is repeatedly cleared during 24 hrs. And SmartScan feature would be appeared useless if I did scan e.g on daily basis and also when the definitions entered to product and the Auto Scan is disabled.

rootkit

Hi

I will answer to your questions:

@ JAGUARS

1. The file are classified using a sophisticated system. Only files can be added to the database, not processes, and not pieces of code.

2. The Cache is populated in time, depending how often do you scan your PC. A file can be added to the database only if was scanned at least once

If that file is changed or moved, it will be rescanned.

Not all files are added to the database and please remember that in this database only we only store important files(.exe, .dll, .dat, .com, .bat, etc files)

The photos, videos or music and other things like this are not added there.

@ ONT

1. No. The database is encrypted and only the product can access it. There are not stored physically in that database, there are only classified with location, name, etc

2. That measure is taken for security reasons. If we do not clean that database, the product can not compare the files with the latest update because they are excluded by default.

3. Rarely a file from that database is classified as malware, we have taken all the measures.

So the database is not cleared at 24h, it could be stored in the initial state for months.

The database is populated by Auto Scan and by the On-Demand module(when the user runs a scan manually).

Take care.

coolcool1227

Respected Christian, your statement is in contradiction with Cris.

You are saying ....There are not stored physically in that database, there are only classified with location, name, etc

and

If that file is changed or moved, it will be rescanned.

while Cris said ....This filtering ensures that files are not scanned until they are changed/replaced and is not based on file name and/or location.

Kindly clarify.

rootkit

Hello

Since 2010, many changes were made to the Smart Cache and I posted the latest features.

Take care.

JAGUARS

So the whole file is copied to database?

rootkit

Hi

No, only the hash is stored. Is like a "fingerprint" for a file.

You have here all the details:

http://en.wikipedia.org/wiki/Hash_function

Take care.

coolcool1227

Once I faced the situation that the skipped items were much greater than the scanned items shown in the scan log. Is this normal?

rootkit

Hello

Did you also scanned the memory?

Have you saved the scan log?

Take care.

coolcool1227

Hi Christian

You talked about the Whitelist, so

1) How do I see the whitelist?

2) What is the need of Cloud System to add the files to the whitelist? Does the whitelist can't be updated during regular BD updates?

3) How do the user know when the Cloud System add the files to the whitelist? Any indication.

And regarding the skipped items greater than scanned items, I had a topic here. Kindly this issue is not occurring normally and not for every scans. I also faced this issue in BD2013 Beta.

rootkit

Hello

This started to be a more general discussion and I will move the topic to Bitdefender 2012 area.

I will return with answers to those questions.

Thank you!

columbo

Thanks for the move, it's been an interesting read.

rootkit

Hi

Now let's get back to those questions:

1. You can't is encrypted and embedded in the engine.

2. The cloud system is used to check the availability of the file added in the database, but the update process is the one that adds a file or removes one from there.

3. You won;t know, that's the magic thing. All process is automatic without user intervention.

Regarding those skipped items, you have here the answer, the official one:

http://forum.bitdefender.com/index.php?sho...ost&p=92876

Thank you!

coolcool1227

Kaspersky has iSwift and iChecker technologies for doing the the same job as SmartScan feature by Bitdefender, but the files detected by iSwift and iChecker are listed in the logs. So I would like to suggest that there is an option to see the list of Skipped Items. Kindly consider above said only a suggestion, not a comparison.

Hi

Regarding those skipped items, you have here the answer, the official one:

http://forum.bitdefender.com/index.php?sho...ost&p=92876

Thank you!

It is not clear to me and if you don't mind, kindly elaborate it further? And why it does not happen every time even when I run the Scan Tasks one after the other without updating the product?

rootkit

Hello

If we log those elements, the scan log will have thousands lines and it is unpractical.

Usually the skipped items appear only in Full System scan.

Take care.

coolcool1227

I still not understand why the Skipped Items were greater then the Scanned Items displayed during the Device Detection Scan Task?

Why the files inside the archives and installers are usually not added to Skipped Items e.g if i've the ISO of the Microsoft Office 2007, no files are added to skipped items even if I keep the ISO file to the location?

rootkit

Hello

Can you please provide me a scan log so I can further investigate this situation?

Take care.

coolcool1227

Hi

1) Log File: 1345635600_1_01

It is the contextual scan of the ISO of the Hiren Boot CD, but there are no skipped items although there are also no over-compressed items. Why? Isn't it possible that the whole archive (regardless of its size and pack/re-pack during scanning) can be added to the skipped items or the files inside the archive or both can't be added to skipped items?

2) Can the Over-Compressed items be added to the Skipped Items as they posses no threat.

3) Log Files: 1345636066_1_01, 1345644204_1_01, 1345647151_1_01

At-last I managed to find out the way how the skipped items can be greater than the scanned items. I dis-connect the internet connection, so no updates for Bitdefender, then I run the Full System Scan Tasks three time one after the other without restarting the system. And found that the skipped items can be greater than scanned items until any change is made to the SmartScan Cache and/or any change is made to the file already in the skipped items list. But I think the total items (Scanned + Skipped Items) should be same for all the above three scans. Is this correct?

/applications/core/interface/file/attachment.php?id=10159" data-fileid="10159" rel="">1345635600_1_01.xml

/applications/core/interface/file/attachment.php?id=10160" data-fileid="10160" rel="">1345636066_1_01.xml

/applications/core/interface/file/attachment.php?id=10161" data-fileid="10161" rel="">1345644204_1_01.xml

/applications/core/interface/file/attachment.php?id=10162" data-fileid="10162" rel="">1345647151_1_01.xml

coolcool1227

Any reply?

coolcool1227

Any reply would be appreciated.

coolcool1227

Hi Christian

Would you like to reply after asking for the logs?

rootkit

Hello

Let's see now:

There were no skipped items in the first case because those files from the ISO archive are unknown and they are not added to the Smart Cache. Archives and some types of files are not added to this database(like music, photos, etc).

For the second situation, the answer is no and those elements will be logged separately.

The skipped items can be grater than the ones scanned. If you run several scan one after another, more files will be skipped because they are added to the database and since they were not modified from the last scan, they are automatically skipped(clean files).

In the last scan log, the number of skipped items is greater and this is perfectly normal.

Take care.

coolcool1227

Hi Christian

You talked about the definitions added, so the Smart Scan Database is not scanned by Heuristics ........

I need the answer of above asked query and also this one "Is the Smart Scan Database can be build by scanning the files by the protection methods Signature, Heuristics, Generic Detection, and Behavioral Detections etc"?

coolcool1227

3. If the file is moved to another location, it will still be considered clean and the database will be updated during the next scan(made by the user on demand or by Auto Scan).

@ JAGUARS

2. The Cache is populated in time, depending how often do you scan your PC. A file can be added to the database only if was scanned at least once

If that file is changed or moved, it will be rescanned.

There is contradiction in your own statements about the moving of the file. First you said that the added moved file is considered clean, only SmartScan database will be updated and in the 2nd statement you said if the added file is moved, it will be rescanned. You are requested to clarify this as rescanning of the file and updating the database for respective files are two different things.

coolcool1227

Also you have confirmed or atleast give hint that you are using hash technology for SmartScan feature.