03-08-2009 04:22 AM
I have been copying around 8000 old email files to another hard drive. When I did this NAV 10.0 Autoprotect popped up repeatedly (about 25 times) and said the mail files contained a virus which it had repaired. If however I go back and force a scan on the original 8000 files on the original hard drive it finds no viruses and it only takes about 3 secs to scan. On the new hard drive it takes around 45mins. It appears there is some type of cache or file that NAV holds to tell it not to do a full scan again. What do I need to do to force a complete re-scan again? I presume there is some cache or file I have to delete first.
BTW - these are mostly all compressed archives if this is what is making a difference.
thanks
regards
Andrew
03-10-2009 09:54 AM
03-10-2009 04:17 PM
03-10-2009 08:33 PM
Hi arallings,
It sounds like the scan is not really starting, or it's exiting prematurely, instead of exiting successfully. Could you please open the Norton AntiVirus application, and look at the History to see if the scan is listed?
Also, can you please look in the following folder
/Library/Logs/CrashReporter/
(you can go to that folder using copy & paste by selecting "Go to Folder…" from the Finder's Go menu)
Do you have any files that begin with SymAVScan? If so, please send me a private message and I'll give you an email address where you can send those log files to (click on my name to the left to send me a private message).
Thanks, and sorry for the problems.
03-11-2009 01:30 AM
Checked history. Scan is listed with the following data
Norton AntiVirus Scan Report
Scan started at 03/11/2009, 07:24:05 PM
Scan ended at 03/11/2009, 07:24:07 PM
Items selected to scan
The folder Macintosh HD/Users/andrewrallings/Library/Mail/
Summary
Repair was enabled
The scan completed
0 total infection(s) found
0 infection(s) found in archives
0 infected archive(s) found
0 file(s) repaired
0 file(s) could not be repaired
0 file(s) were quarantined
There are 8000+ files in this folder but as you can see the scan completes in seconds. No crash log in the crash area.
Note also I am running NAV 10.1.2 on OSX 10.5.6. As I said before, duplicate this folder and it will scan successfully for a while but then stops scanning. Not sure what triggers the change in behaviour.
regards
Andrew
03-11-2009 10:33 AM
Hi,
Norton AntiVirus does have a feature called QuickScan. It knows which files have changed since it last scanned them, and only scans the files that changed. It's quite possible that it is not scanning anything, but only checking the QuickScan file.
When you say one of the files is a virus, which virus is it? Is it EICAR, or something you downloaded that you know is a virus? To test, go to this Web site and download the test virus called EICAR: http://www.eicar.org/anti_virus_test_file.htm. You will first need to turn off AutoProtect (just for a couple of minutes) so that it doesn't delete the file when you download it. Then download the test EICAR virus, and move it into the folder. Then try re-scanning it. (You can then turn AutoProtect back on).
Ryan
03-11-2009 05:04 PM
Hi Ryan,
Thanks for your reply. I think I am getting close to understanding this.
Firstly, what started this was moving 8000 old (5 years old) mail files and then NAV popping up and telling me there were about 20 files containing viruses in them (3 variants on Word and Excel macros). They got cleaned up successfully - no problem there. What worried me is why my weekly scheduled full hard disk scans were not finding these viruses there already - if it has missed those what else do I have sitting around? What concerned me even more is that after making a copy of the 8000 files - NAV would scan them (and find and clean the viruses) but after one or two scans would stop scanning them further. Now I know the issue is the QuickScan file - to force a full rescan of my whole hard drive I would clearly need to delete this file. I presume one is held per volume (hard drive). Where is this file located so I can delete it and force a rescan on my whole hard drive to check it is clear?
regards
Andrew
03-11-2009 06:06 PM
Andrew,
First, the weekly virus scan will detect any viruses it encounters. If you are positive there is a virus in one of the files in the folder, you should try scanning it manually. If the manual scan fails to find an infection, it is either something we removed from our definitions, or we have a bug somewhere.
When you copy a file, AutoProtect scans the file. AutoProtect (Auto File Scan in the interface) does not make use of the QuickScan file because it is assumed that if you just modified a file, we definitely need to scan it--no need to look at the QuickScan file. However it does update the QuickScan file, so weekly scheduled scans may not look at the file unless you modify the files first.
Scheduled scans and manual scans do use the QuickScan file. However there should never be a virus on your computer, regardless of QuickScan. So I guess the question here is why you think you need to force a scan of the entire drive? Is it because you are sure the scan is missing a file? Any infected file should be found regardless of QuickScan because we should have detected the virus the first time.
The QuickScan file is indeed per-drive. It is located at the root of the drive, in an invisible file. You will need to use Terminal to remove it. Open up the Terminal application, and type
sudo rm -f /.SymAVQSFile
and press return. You will need to enter your password. This will remove the QuickScan file from your home drive. To remove it from external drives, use this command:
sudo rm -f /Volumes/<name of drive>/.SymAVQSFile
You will need to restart after performing this to force Norton AV to notice the QS file is gone.
03-12-2009 02:18 AM
OK. A few questions there which I will answer below. Firstly however I am still not able to force a full re-scan of the drive. I had already found the .SymAVQSFile from the home drive. But it keeps reappearing and nothing changes in terms of scanning behaviour. I hadn't been rebooting after removing the file previously but this doesn't seem to make a difference either. I even tried quitting all the NAV and Scheduler related processes I could find first and then deleting the file and rebooting. Still no difference. Interestingly each time it comes back (even after the reboot) the file is immediately around 30Mb in size - at this size it is suggesting it is somehow getting back all the previous info in the QuickScan file (does it keep a secondary backup somewhere that it uses to copy back if the file is deleted?).
Now to your questions.
1. Why didn't these viruses get found when they first were copied to this machine? Not really sure but they have been on my drive for 5 years and they are compressed mail archives (OSX Mail .emlx files). Maybe the "Scan Compressed Archives" setting was off in the NAV preferences but really not sure. I would guess though that the fact I hadn't looked or touched them in years combined with the QuickScan file is why they hadn't been picked up in recent years.
2. Do I think I still have a virus - not in the mail area as I have caused a scan on these by duplicating the mail directory, doing a scan, deleting the old mail folder and renaming the new one. However what I am not sure of is if other folders exist on the drive that are similarly not being scanned and have viruses. I need to find a way to force the QS file to go permanently away and force a full drive scan - at 250Gb on this drive duplicating, scanning and renaming all the folders is not such a viable option :-).
Thanks for your help
regards
Andrew
03-12-2009 02:54 PM
Andrew,
The QuickScan file is re-created as needed, so AutoProtect will re-create it pretty quickly after you delete it since AutoProtect is always scanning things in the background. However, another thing that will reset the QuickScan file is a new definitions set. If LiveUpdate downloads new virus definitions the QuickScan file is not consulted, because we might be able to detect viruses we couldn't before so we force a full rescan of everything when new definitions are installed.
With this in mind, I'd suggest the following. First, use the navx command from the command line with the -a option. This will show you every file the virus scanner encounters. If it doesn't look like a long enough list, then for some reason our file & directory iteration is not finding all the files, which is obviously a problem. To do this, open up Terminal, and type "sudo navx -a " and then the path to the directory you want to scan (you can drag the folder into the Terminal window if you like).
If that seems to work OK, then try waiting until this evening to re-scan. We post virus definitions every Thursday, and once you get new definitions the QuickScan file should not be consulted anymore. You can check the Norton AntiVirus application to find out if new definitions have been downloaded yet. Once you see the new definitions are in place, try the same navx command again. The scan should take noticeably longer. If that's not the case, something else is very wrong.
Ryan
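
The scan-cache behaviour described in this thread (on-demand scans skip unchanged files, AutoProtect always scans but updates the cache, new definitions reset it), modelled as an added example that is not part of any post and is not Symantec's code. The class name, the cache key (file size plus modification time) and the definitions version strings are assumptions made for illustration.

```python
import os
import tempfile

class ScanCache:
    """Toy 'already scanned' cache; not Symantec's file format or code."""
    def __init__(self, defs_version):
        self.defs_version = defs_version
        self.seen = {}  # path -> (size, mtime_ns) at last scan (assumed key)

    @staticmethod
    def _stamp(path):
        st = os.stat(path)
        return (st.st_size, st.st_mtime_ns)

    def update_definitions(self, new_version):
        # New signatures may detect what old ones missed: drop every entry.
        if new_version != self.defs_version:
            self.defs_version = new_version
            self.seen.clear()

    def on_access_scan(self, path):
        # Real-time scan: never consults the cache, but records the result.
        self.seen[path] = self._stamp(path)
        return [path]

    def on_demand_scan(self, paths):
        # Manual or scheduled scan: only files that are new or changed.
        scanned = [p for p in paths if self.seen.get(p) != self._stamp(p)]
        for p in scanned:
            self.seen[p] = self._stamp(p)
        return scanned

def demo():
    """Returns how many files each on-demand pass actually scanned."""
    with tempfile.TemporaryDirectory() as d:
        files = [os.path.join(d, f"msg{i}.emlx") for i in range(3)]
        for p in files:
            with open(p, "w") as f:
                f.write("constructed sample message")
        cache = ScanCache("defs-A")
        counts = [len(cache.on_demand_scan(files))]      # all new
        counts.append(len(cache.on_demand_scan(files)))  # unchanged: skipped
        with open(files[0], "a") as f:
            f.write(" edited")                           # size changes
        counts.append(len(cache.on_demand_scan(files)))  # only edited file
        cache.on_access_scan(files[1])                   # e.g. file copied
        counts.append(len(cache.on_demand_scan(files)))  # already recorded
        cache.update_definitions("defs-B")
        counts.append(len(cache.on_demand_scan(files)))  # cache invalidated
        return counts
```

In this model a two-second "scan" of thousands of files is the second pass: every entry matches the cache, so nothing is opened until the files change or the definitions version does.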
