I have been copying around 8000 old email files to another hard drive. When I did this NAV 10.0 Autoprotect popped up repeatedly (about 25 times) and said the mail files contained a virus which it had repaired. If however I go back and force a scan on the original 8000 files on the original hard drive it finds no viruses and it only takes about 3 secs to scan. On the new hard drive it takes around 45 mins. It appears there is some type of cache or file that NAV holds to tell it not to do a full scan again. What do I need to do to force a complete re-scan again? I presume there is some cache or file I have to delete first.
BTW - these are mostly all compressed archives if this is what is making a difference.
Have you tried drag&dropping the e-mails on the NAV icon itself?? Otherwise you could even consider using the command-line version of the NAV scanner (if you are familiar with command-line and Terminal).
Have tried command line version and drag and drop with same behaviour ie NAV returns there are 8000 files (approx) to be scanned but immediately completes the scan without any errors or scanning the files (and I know there is a virus in one of the files). If I duplicate the folder on the startup disk I can then scan the copied folder for a couple of times (and find the Virus) but eventually the behaviour appears on the duplicate, that is, NAV can see the files to be scanned but doesn’t really do the scan and just completes and exits the scan immediately. Any ideas what is causing this behaviour?
It sounds like the scan is not really starting, or it's exiting prematurely, instead of exiting successfully. Could you please open the Norton AntiVirus application, and look at the History to see if the scan is listed?
Also, can you please look in the following folder
/Library/Logs/CrashReporter/
(you can go to that folder using copy & paste by selecting "Go to Folder…" from the Finder's Go menu)
Do you have any files that begin with SymAVScan? If so, please send me a private message and I'll give you an email address where you can send those log files to (click on my name to the left to send me a private message).
Checked history. Scan is listed with the following data
Norton AntiVirus Scan Report
Scan started at 03/11/2009, 07:24:05 PM
Scan ended at 03/11/2009, 07:24:07 PM
Items selected to scan
The folder Macintosh HD/Users/andrewrallings/Library/Mail/
Summary
Repair was enabled
The scan completed
0 total infection(s) found
0 infection(s) found in archives
0 infected archive(s) found
0 file(s) repaired
0 file(s) could not be repaired
0 file(s) were quarantined
There are 8000+ files in this folder but as you can see the scan completes in seconds. No crash log in the crash area.
Note also I am running NAV 10.1.2 on OSX 10.5.6. As I said before, duplicate this folder and it will scan successfully for a while but then stops scanning. Not sure what triggers the change in behaviour.
Norton AntiVirus does have a feature called QuickScan. It knows which files have changed since it last scanned them, and only scans the files that changed. It's quite possible that it is not scanning anything, but only checking the QuickScan file.
When you say one of the files is a virus, which virus is it? Is it EICAR, or something you downloaded that you know is a virus? To test, go to this Web site and download the test virus called EICAR: http://www.eicar.org/anti_virus_test_file.htm. You will first need to turn off AutoProtect (just for a couple of minutes) so that it doesn't delete the file when you download it. Then download the test EICAR virus, and move it into the folder. Then try re-scanning it. (You can then turn AutoProtect back on).
Thanks for your reply. I think I am getting close to understanding this.
Firstly, what started this was moving 8000 old (5 years old) mail files and then NAV popping up and telling me there were about 20 files containing viruses in them (3 variants on Word and Excel macros). They got cleaned up successfully - no problem there. What worried me is why my weekly scheduled full hard disk scans were not finding these viruses there already - if it has missed those what else do I have sitting around. What concerned me even more is that after making a copy of the 8000 files - NAV would scan them (and find and clean the viruses) but after one or two scans would stop scanning them further. Now I know the issue is the QuickScan file - to force a full rescan of my whole hard drive I would clearly need to delete this file. I presume one is held per volume (hard drive). Where is this file located so I can delete it and force a rescan on my whole hard drive to check it is clear?
First, the weekly virus scan will detect any viruses it encounters. If you are positive there is a virus in one of the files in the folder, you should try scanning it manually. If the manual scan fails to find an infection, it is either something we removed from our definitions, or we have a bug somewhere.
When you copy a file, AutoProtect scans the file. AutoProtect (Auto File Scan in the interface) does not make use of the QuickScan file because it is assumed that if you just modified a file, we definitely need to scan it--no need to look at the QuickScan file. However it does update the QuickScan file, so weekly scheduled scans may not look at the file unless you modify the files first.
Scheduled scans and manual scans do use the QuickScan file. However there should never be a virus on your computer, regardless of QuickScan. So I guess the question here is why you think you need to force a scan of the entire drive? Is it because you are sure the scan is missing a file? Any infected file should be found regardless of QuickScan because we should have detected the virus the first time.
The QuickScan file is indeed per-drive. It is located at the root of the drive, in an invisible file. You will need to use Terminal to remove it. Open up the Terminal application, and type
sudo rm -f /.SymAVQSFile
and press return. You will need to enter your password. This will remove the QuickScan file from your home drive. To remove it from external drives, use this command:
sudo rm -f /Volumes/<name of drive>/.SymAVQSFile
You will need to restart after performing this to force Norton AV to notice the QS file is gone.
OK. A few questions there which I will answer below. Firstly however I am still not able to force a full re-scan of the drive. I had already found the .SymAVQSFile from the home drive. But it keeps reappearing and nothing changes in terms of scanning behaviour. I hadn't been rebooting after removing the file previously but this doesn't seem to make a difference either. I even tried quitting all the NAV and Scheduler related processes I could find first and then deleting the file and rebooting. Still no difference. Interestingly each time it comes back (even after the reboot) the file is immediately around 30Mb in size - at this size it is suggesting it is somehow getting back all the previous info in the QuickScan file (does it keep a secondary backup somewhere that it uses to copy back if the file is deleted)
Now to your questions.
1. Why didn't these viruses get found when they first were copied to this machine. Not really sure but they have been on my drive for 5 years and they are compressed mail archives (OSX Mail .emlx files). Maybe the "Scan Compressed Archives" setting was off in the NAV preferences but really not sure. I would guess though that the fact I hadn't looked or touched them in years combined with the QuickScan file is why they hadn't been picked up in recent years.
2. Do I think I still have a virus - not in the mail area as I have caused a scan on these by duplicating the mail directory, doing a scan, deleting the old mail folder and renaming the new one. However what I am not sure of is if other folders exist on the drive that are similarly not being scanned and have viruses. I need to find a way to force the QS file to go permanently away and force a full drive scan - at 250Gb on this drive duplicating, scanning and renaming all the folders is not such a viable option :-).
The QuickScan file is re-created as needed, so AutoProtect will re-create it pretty quickly after you delete it since AutoProtect is always scanning things in the background. However, another thing that will reset the QuickScan file is a new definitions set. If LiveUpdate downloads new virus definitions the QuickScan file is not consulted, because we might be able to detect viruses we couldn't before so we force a full rescan of everything when new definitions are installed.
With this in mind, I'd suggest the following. First, use the navx command from the command line with the -a option. This will show you every file the virus scanner encounters. If it doesn't look like a long enough list, then for some reason our file & directory iteration is not finding all the files, which is obviously a problem. To do this, open up Terminal, and type "sudo navx -a " and then the path to the directory you want to scan (you can drag the folder into the Terminal window if you like).
If that seems to work OK, then try waiting until this evening to re-scan. We post virus definitions every Thursday, and once you get new definitions the QuickScan file should not be consulted anymore. You can check the Norton AntiVirus application to find out if new definitions have been downloaded yet. Once you see the new definitions are in place, try the same navx command again. The scan should take noticeably longer. If that's not the case, something else is very wrong.
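Added example, not part of the thread and not Symantec's code: a simplified model of the change-tracking scan cache described in the replies above, showing when an on-demand scan skips files and what should invalidate the cache. Keying entries by path and modification time, and all names here (`ScanCache`, `on_demand_scan`, `on_access_scan`), are assumptions made for illustration; the real `.SymAVQSFile` format is not described on this page.

```python
from dataclasses import dataclass, field

@dataclass
class ScanCache:
    defs_version: int
    seen: dict = field(default_factory=dict)  # path -> mtime at last scan

    def needs_scan(self, path, mtime, defs_version):
        if defs_version != self.defs_version:
            # New definitions: everything cached is stale, start over.
            self.seen.clear()
            self.defs_version = defs_version
        return self.seen.get(path) != mtime

    def record(self, path, mtime):
        self.seen[path] = mtime

def on_demand_scan(cache, files, defs_version):
    """Manual or scheduled scan: consults the cache, returns paths scanned."""
    scanned = []
    for path, mtime in files.items():
        if cache.needs_scan(path, mtime, defs_version):
            cache.record(path, mtime)
            scanned.append(path)
    return scanned

def on_access_scan(cache, path, mtime):
    """On-access scan: never consults the cache, but still updates it."""
    cache.record(path, mtime)
    return path

def walkthrough():
    mail = {f"Mail/{i}.emlx": 1000 for i in range(5)}  # constructed sample
    copy = {p.replace("Mail/", "Mail copy/"): m for p, m in mail.items()}
    cache = ScanCache(defs_version=1)
    results = {
        "first_scan": len(on_demand_scan(cache, mail, 1)),
        "repeat_scan": len(on_demand_scan(cache, mail, 1)),
        "duplicate_folder": len(on_demand_scan(cache, copy, 1)),
        "duplicate_again": len(on_demand_scan(cache, copy, 1)),
        "after_new_defs": len(on_demand_scan(cache, mail, 2)),
    }
    on_access_scan(cache, "Mail/new.emlx", 2000)
    results["after_on_access"] = len(on_demand_scan(cache, {"Mail/new.emlx": 2000}, 2))
    return results

if __name__ == "__main__":
    print(walkthrough())
```

In this model a repeat scan that enumerates every file but scans none is expected, and a duplicated folder is scanned once and then skipped. A scan that still skips everything after a definitions update is behaviour the model does not produce, which is why that observation points to a fault in invalidation rather than normal caching.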
Can't do the command line way as I am using NAV 10 not 11. Did go into prefs and turn on the list all files option when scanning - doing a scan then shows 8400 files examined but only lists 20 or so files scanned and it all finishes in about 3 secs. Downloaded new defs, same problem.
This is starting to look like something is causing scan not to examine certain files and folders and it doesn't look related to the QS file.
I am not as familiar with Norton AV 10, but I believe this is still a QuickScan issue. If it lists 8400 files, it must have traversed the entire directory tree, otherwise it wouldn't know how many files there are. The 20 files scanned are the 20 files that changed since the last scan, according to the QuickScan file.
I'll ask somebody more familiar with Norton AntiVirus to look into this, but it sounds like the QuickScan file is still preventing the entire scan. However, it might be there was an issue that has since been fixed in Norton AntiVirus 11, since this doesn't sound like any known issue with the current product. I'll ask around if somebody knows more about the previous product.
Just to recap (as there have been a few posts here)
If I make a copy of the mail folder it behaves appropriately in scanning the duplicated folder but then drops into the "no scan" behaviour after that. This happens regardless of deleting the QS file, command line or NAV application and downloading new defs files (BTW the command line bit is pretty limited as NAV 10 doesn't really support command line but I reverse engineered the cron commands that scheduler creates for NAV 10). The original mail folder never seems to be scanned properly regardless of what I try to do. In all cases scan seems to know how many files in the folder (and it takes a few secs to determine that) but then the scan completes almost immediately ie with 5 secs including working out the directory tree.
Just tried one other thing. If I rename the mail folder to some new name then scan executes properly. If I rename it back then the "no scan" behaviour returns. In general therefore it does look like some sort of QS problem whereby NAV is deciding it doesn't need to scan the files even though things like deleting the QS file or downloading new defs should force that to happen.
Whilst I don't think the mail folder has any viruses left in it, I want to work this out as I am concerned other areas of my 250Gb of files/folders is also not being scanned properly and virus free.
How the viruses didn't get identified in the first place I am confused by but probably not something we can work out now.
If renaming the folder works (because that causes the folder to be scanned by AutoProtect) then it sounds like QuickScan file is not the problem--or if it is, the QuickScan file was reset after a signatures update.
Unfortunately reproducing this problem in-house will be difficult--we haven't worked on Norton AV 10 for a while now, and we can't reproduce this issue on Norton AV 11.
I don't know how to get more debugging information without you sending us the entire folder, which is not really practical for a variety of reasons. I'll talk to somebody and see if they can suggest anything. We have a couple of tools in-house which you might be able to use to print out the QuickScan file.