Scanning and Resident Shield
AVG Cache Server Service (avgchsvx.exe/avgchsva.exe)
To improve scanning speed in AVG, caching of trusted files was implemented.
This service (AVG Cache Server) is indexing files that qualify as trusted based on several criterias (e.g. digital signature from trusted source). Files which are indexed do not require additional scanning, unless they are changed.
Indexing is done through the "avgchsvx.exe" (for 32-bit Windows) or "avgchsva.exe" (for 64-bit Windows). It runs after computer startup for short amount of time as only changes in the indexed files are searched.
Although the disk is active during that time (the control light indicating disk activity on computer is blinking), the impact on system is minimal.
To alter the settings of AVG Cache server:
- Open AVG user interface.
- On the Tools menu select Advanced Settings.
- On the left side, select Cache Server.
- Change the settigns on the right, and then click OK.
Please note, that we do not recommend to change these settings.
Resident Shield - what is it?
The Resident Shield component gives your computer
continuous protection. It scans every single file that is being opened,
saved, or copied, and guards the system areas of the computer. Normally,
you do not even notice the process, as it runs "in the background", and
you only get notified when threats are found; at the same time, the
Resident Shield blocks activation of the threat and removes it.
The
Resident Shield is loaded in the memory of your computer during
startup, and it is vital that you keep it switched on at all times.
What the Resident Shield can do:
- Scan for specific kinds of possible threats
- Scan removable media (flash disk etc.)
- Scan files with specific extensions or without extensions at all
- Allow exceptions from scanning – specific files or folders that should never be scanned
For more information regarding AVG Resident Shield please refer to documentation available here.
Setting programs such as GetRight or WinRAR to scan the files they use
You can use the AVG scanner with 3rd party program scanning options. There is a difference based on your system architecture. If you use a 32 bit system (x86) you need to use avgscanx.exe file for the scanning. For 64 bit systems (x64) you should use the avgscana.exe file.
Usually it is necessary to use the /scan parameter with the path of the file location. We also recommend using other parameters, e.g.:
- /HEUR - Use heuristic analysis
- /ARC - Scan archives
- /CLEAN - Clean automatically
You can access the complete list of parameters by starting the avgscan?.exe with the /HELP parameter or in FAQ 3604.
These are examples of the AVG scanner configuration in some popular applications:
- GetRight
Tools -> GetRight Configuration -> Advanced -> When Done
Virus Scanner program to use:
"C:\Program Files\AVG\AVG10\avgscanx.exe" /heur /clean /arc /scan="%FILE%"<br>(on 64 bit system, use folder Program FIles(x86) and avgscana.exe instead)</li><li><span style="FONT-WEIGHT: bold">WinRAR
Tools -> Scan archive for viruses
Virus scanner name:
C:\Program Files\AVG\AVG10\avgscanx.exe
(on 64 bit system, use folder Program FIles(x86) and avgscana.exe instead)
Virus scanner parameters:
/scan=%f /ext=* /arc /clean - Miranda IM
Options -> Events -> File Transfer
Command line:
"C:\Program Files\AVG\AVG10\avgscanx.exe" /scan=%f /ext=* /arc /clean
(on 64 bit system, use folder Program FIles(x86) and avgscana.exe instead) - Windows Live Messenger
Due to the Windows Live Messenger feature, the above mentioned parameters cannot be used. However your computer is still protected by residential parts of AVG.
Note:
If you installed AVG to a folder other than the default
one, it is necessary to change the path to the file avgscan?.exe. Please
bear in mind that the specific parameters depend on the given
application. In this case you should ask the provider of the software
for the necessary information.
Excluding folder or file from AVG 2011 scanning
To exclude a folder/file from Resident Shield scanning, please proceed as follows:
- Open the AVG program.
- Double-click the Resident Shield component.
- Click the Manage exceptions button.
- In the newly opened dialog, please click either the Add Path or the Add File button to add the needed exception.
- Click OK to confirm the changes.
If you need to exclude a certain Potentially unwanted program from any detection (for example if you are using an Ad-sponsored program or utility, which could be dangerous, but could also be used with your knowledge), proceed as follows:
- Open the AVG program.
- On the Tools menu select Advanced Settings.
- Navigate to the PUP exceptions branch.
- Click Add exception to choose the file to be excluded.
- Find the file you want to exclude from AVG detection. If you are not sure if the file location is static, click Any location - do not use full path.
- Add the file, then click OK.
List of AVG commandline scan parameters
AVG scan executable file is located in the installation folder under name avgscana.exe or avgscanx.exe (Default installation folder is C:\Program Files\AVG\AVG10). The avgscan?.exe needs to be started with parameters to specify setting for the scan. You can get list of all parameters by starting it with the /Help parameter or see the following list:
- /SCAN - starts scan. You need to specify path to be scanned. e.g. /SCAN=path;path/
- /COMP - starts scan of the whole computer
- /HEUR - toggles use of heuristic analysis
- /EXCLUDE - will exclude path or files from scan e.g. /EXLUDE=path;path/
- /@ - specifies path to text file that contains parameters for scan
- /EXT - specifies extensions to be scanned e.g /EXT=EXE,DLL/
- /NOEXT - exludes extensions from scan e.g. /NOEXT=JPG/
- /ARC - toggles archives scanning
- /CLEAN - toggles automatic healing
- /TRASH - move infected files to the Virus Vault
- /QT - starts only Quick test
- /LOG - generates a scan result file
- /MACROW - toggles macros reportiong
- /PWDW - toggles password-protected files reporting
- /ARCBOMBSW - toggles archive bombs (repeatedly compressed archives) reporting
- /IGNLOCKED - Ignores locked files
- /REPORT - saves report to a file specified file
- /REPAPPEND - append to the report file
- /REPOK - report uninfected files as OK
- /NOBREAK - do not allow CTRL-BREAK to abort
- /BOOT - enables MBR/BOOT check
- /PROC - toggles active processes scanning
- /PUP - toggles "Potentially unwanted programs" reporting
- /REG - toggles registry scan
- /COO - toggles Tracking Cookies scan
- /? - displays help on this topic
- /HELP - displays help on this topic
- /PRIORITY - sets scan priority - Low, Auto or High
- /SHUTDOWN - shutdowns computer upon scan completion
- /FORCESHUTDOWN - forces computer shutdown upon scan completion
- /ADS - toggles scan of Alternate Data Streams (NTFS only)
- /HIDDEN - reports files with hidden extension
- /INFECTABLEONLY - scans files with infectable extensions only
- /THOROUGHSCAN - enables thorough scanning
- /CLOUDCHECK - checks for false positives
Remove threat as power user
When AVG detects a virus in a file, it attempts to remove such file
with the access rights of the user who executed the test, or tried to
access the file. In case this is not possible due to limited permissions
(e.g. you can open the file but can not modify it or delete it), AVG
can attempt to remove the file under different user account with higher
permissions.
When you select the option "Remove threat as power user", you are asked to enter Windows user name and password for a different user account. In typical situation, administrator user name and password can be used, however this depends on the user accounts you have available on your computer.
To check under which user account are you logged into Windows and which other accounts are available, you can refer to the FAQ 2521.
Starting and planning complete scan of the whole computer
To start the computer scan, follow these steps:
- Please open the AVG program.
- Click Scan Now on the left hand side.
- Whole computer scan will start.
If you want AVG scan to run automatically according to some schedule please proceed as follows:
- Open the AVG program.
- Click Scan options on the left hand side.
- Click Manage Scheduled Scans.
- Select the Scheduled scan option, and then click Edit scan schedule.
- In the settings, make sure the Enable this task check box is selected.
- Change the schedule according to your needs
- Click OK to save settings.
Removable device scan
Settings of the item Removable device scan are available in the Advanced settings of AVG, under the Scans item.
When you choose the Removable device scan item the dialog allows you to specify parameters for scan of removable devices. It is needed to check the "Enable removable device scan" checkbox to activate this feature. If you do this, upon every connection of any removable device to your computer (for example USB flash drive) this device will be automatically scanned for viruses and/or spyware. If you disconnect the removable device during the scan, the scan will be interrupted (and will start again after next connection of the removable device).
Options when scheduling scan or program update
When scheduling scans or program update the following additional options are available:
- Open the AVG program.
- On the Tools menu select Advanced Settings.
- Navigate to the Schedules branch.
Run at specific time interval
The following options are available:
- Every day
Scheduled task will run every day at a specified time. - Selected days
In this case it is possible to check/uncheck one or more days in the week. Then the scheduled task will run on checked days at a specified time. - Every selected day in month
If this is set, then it is possible to select on which exact day of month will the schedule run. Same as the previous options, the scheduled task will run on the selected day at a specified time.
Run on computer startup if task has been missed
If
you schedule the scan to run at a specific time, you can check this
option to ensure that the scan will be performed subsequently in case
the computer is turned off at the scheduled time.
Run even if computer is in low power mode
Check this option to specify that the scan should be performed even if the computer is running on battery at the scheduled time.
Tracking cookies scan is disabled in default settings
Tracking cookies are not detected in default settings of AVG. Tracking cookies are not dangerous files and, they are created automatically when accessing webpages. For more information about tracking cookies, please see FAQ 2334.
You can however turn the detection on. To do so, please follow these steps:
1. Resident Shield settings
- open the AVG program
- double-click the AVG Resident Shield component
- mark the "Scan for Tracking Cookies" option
- press the "Save changes" button
2. AVG test settings
- launch the AVG program
- open the "Scan options"
- choose "Change scan settings" under "Whole computer scan" item
- in the newly opened window please mark the "Scan for Tracking Cookies" option
3. Scheduled test settings
- open the AVG program
- choose "Advance settings" from Tools menu
- extend "Schedules" item and select "Scheduled scan"
- switch to "How to scan" tab
- please mark "Scan for Tracking Cookies" option
Adware detection in AVG
AVG is able to detect applications from the Adware category as special part of Potentially Unwanted Applications detection.
Adware software can display and/or download advertisement and may be considered privacy-invasive. Adware applications are however not harmfull and their detection is disabled by default in AVG.
To enable resident Adware detection follow these steps:
- Open the AVG program (Start -> Programs -> AVG 2011 -> AVG user interface).
- From the Tools menu, select Advanced Settings.
- In the left tree, click on Resident Shield branch.
- On the right side of window, check the Report enhanced set of Potentially Unwanted Programs option
- Click OK to save changes.
To enable Adware detection through a scheduled scan follow these steps:
- Open the AVG program (Start -> Programs -> AVG 2011 -> AVG user interface).
- From the Tools menu, select Advanced Settings.
- In the left tree, open the Schedules branch.
- There is a list of planned actions, click on Sheduled scan (or any other scan schedule you created).
- On the right side of window, switch to the How to scan tab.
- Check the Report enhanced set of Potentially Unwanted Programs option.
- Click OK to save changes.
Please note that some adware may be associated with different application. Deleting them might cause issues with that application or be against license agreement of that application.
Information in a test result
AVG scan is able to detect files which may not be infected, but are suspicious. These files are reported either as Warning (described in FAQ 2344), or as Information. The severity Information can be reported for one of the following reasons:
- Run-time packed
The file was packed with one of less common run-time packers, which may indicate an attempt to prevent scanning of such file. However, not every report of such file indicates a virus. - Run-time packed recursive
Similar to above, however less frequent amongst common software. Such files are suspicious and their removal or submission for analysis should be considered. - Password protected archive or document
Password protected files can not be scanned by AVG (or generally any other Anti-Malware program). For more information, see FAQ 2333. - Document with macros
The reported document contains macros, which may be malicious. - Hidden extension
Files with hidden extension may appear to be e.g. pictures, but in fact they are executable files (e.g. picture.jpg.exe). The second extension is not visible in Windows by default, and AVG reports such files to prevent their accidental opening. - Improper file path
If some important system file is running from other than default path (e.g. winlogon.exe running from other than Windows folder), AVG reports this discrepancy. In some cases, viruses use names of standard system processes to make their presence less apparent in the system. - Locked file
The reported file is locked, thus cannot be scanned by AVG. This usually means that some file is constantly being used by the system (e.g. swap file). - The file is signed with a broken digital signature
The reported file was signed with a digital certificate ensuring its integrity. However due to changes to it, the certificate no longer corresponds with the content. This might happen when file is infected but also when it was incorrectly updated, broken due to some error or when the digital signature expired.
If you wish, you can adjust the AVG test settings in such way, that only the information you are interested in are reported:
- Open AVG User Interface.
- Click on Scan options.
- Click Change scan settings of the selected test.
- Select the Set additional scan reports... and adjust the reporting.
- Alternatively, you can change these settings in menu Tools -> Advanced settings.
Running AVG in Safe Mode
It is possible to run AVG scan in a safe mode, however the functionality is limited to command line scan only. To run the scan, you can proceed as follows:
- Restart the computer into Safe Mode, as described at:
Windows XP:
http://support.microsoft.com/kb/315222
Windows Vista and Windows 7:
http://windowshelp.microsoft.com/Windows/en-US/Help/f9c50a72-04ec-4088-9fd4-a4f979eef5a71033.mspx - In the Safe Mode, you can run AVG by double-clicking its icon on the desktop.
- The Command Line Composer will be displayed and you can change the scan settings according to your individual needs.
- All detected infections will be healed or moved to AVG Virus Vault automatically.
Exclusions for AVG needed for proper Hyper-V virtual machines functionality
When using the Hyper-V virtual machines on Windows Server 2008-based computers, it is necessary to exclude some folders from AVG scanning. This will make sure that the virtual machines run properly. Following erorrs may be reported otherwise:
- The requested operation cannot be performed on a file with a user-mapped section open. (0x800704C8)
- VMName’ Microsoft Synthetic Ethernet Port (Instance ID{7E0DA81A-A7B4-4DFD-869F-37002C36D816}): Failed to Power On with Error 'The specified network resource or device is no longer available.' (0x80070037).
- The I/O operation has been aborted because of either a thread exit or an application request. (0x800703E3)
To prevent these errors, set AVG this way:
- Open the AVG program.
- Select the Advanced Settings option from the Tools menu.
- Navigate to the Resident Shield branch -> Excludes Items.
-
Use the Add Path button to choose the directory to be excluded. Add these directories:
- Default virtual machine configuration directory (C:\ProgramData\Microsoft\Windows\Hyper-V)
- Custom virtual machine configuration directories
- Default virtual hard disk drive directory (C:\Users\Public\Documents\Hyper-V\Virtual Hard Disks)
- Custom virtual hard disk drive directories
- Snapshot directories
- C:\Clusterstorage (if Live Migration is used together with Cluster Shared Volumes)
-
Click the Edit List button to add following exclusions:
- \\localhost\C$\Windows\System32\Vmms.exe
- \\localhost\C$\Windows\System32\Vmwp.exe
- C:\Windows\System32\Vmms.exe
- C:\Windows\System32\Vmwp.exe
- Confirm the changes using the OK button.
For more information, see following Microsoft Knowledge Base topic:
http://support.microsoft.com/kb/961804/
How to shedule AVG scan of network devices?
Scheduled AVG scans are normally started under the SYSTEM account. This means, that sheduled AVG scan cannot scan network drives (shared folders) as the SYSTEM account does not have permission to access them.
Note: Manually started AVG scan has access to all places the user who started it has.
If you want to run a scheduled AVG scan that will be able to scan also shared folders, you can use the Windows Scheduler to start it. To do that, please follow these steps:
- Windows 2000/XP
- Open Control Panel (you can click Start -> Settings -> Control Panel).
- Double click on the Scheduled tasks option (depending on the selected view, you may first need to select the Performance and Maintenance option).
- Double clik on the Add scheduled task option.
- Follow the opened wizard. When selecting application to run, click the Browse
button and find avgscanx.exe or avgscana.exe in the following folder
(only one of the file will be present; this is the default folder for
installation):
c:\Program Files\AVG\AVG9\ - In the wizard, select when and how often the task (AVG scan) should run.
- Specify your username and password. This will make sure, that the scan runs with your priviledges and will be able to scan shared folders.
- In the last dialog of wizard check the Open advanced properties of this task when I click finish and then click the Finish button.
- Advanced properties of the task will be opened (if not, open them by double clicking the new task in the list of tasks).
- on the Task tab, edit the Run field:
- Add parameters to specify settings for the scan. Parameters should be added at the end of the line.
e.g. C:\program files\avg\avg9\avgscan.exe /scan=C:;D
(this will set avg to scan drives C and D) - You can get full list of parameters by running the avgscana.exe/avgscanx.exe with parameter /help in commandline or you can see the list of commands in FAQ 2707.
- Add parameters to specify settings for the scan. Parameters should be added at the end of the line.
- Confirm all the settings.
- Windows Vista/7
- Open Control Panel (you can click Start -> Settings -> Control Panel).
- Open the Administrative tools option (depending on the selected view, you may first need to select the System and Maintanence option).
- Select the Task scheduler option.
- In the opened window right click on the Task scheduler (local) option in the tree on the left side.
- Select the Create Basic Task option.
- In the wizard fill in some name for this plan and click Next.
- Select how often should the task start and then click Next.
- Select Start a program as an action for the task.
- Click the Browse
button and find avgscanx.exe or avgscana.exe in the following folder
(only one of the file will be present; this is the default folder for
installation):
c:\Program Files\AVG\AVG9\ - In the Add arguments field type parameter for the scan
- e.g. /scan=C:;D
(this will set avg to scan drives C and D) - You can get full list of parameters by running the avgscana.exe/avgscanx.exe with parameter /help in commandline or you can see the list of commands in FAQ 2707.
- e.g. /scan=C:;D
- Click Next and in the last dialog check the Open the Properties dialog for this task when I click finish option. Then Click Finish.
- Advanced properties of the task will be opened (if not, open them by double clicking the new task in the list of tasks under Task Scheduler Library).
- On the General tab, check the Run whether user is logged on or not option.
- Click OK and when asked, fill in your password and confirm it.
How to exclude folder from AVG test
To exclude some folder from one AVG test or from a test schedule, please proceed as follows:
- To edit excludes in one test:
- Open the AVG program by double-click on AVG icon on your desktop or in the tray notification area.
- Click on Scan options -> Scan specific files or folders.
- To edit excludes in test schedule:
- Open the AVG program by double-click on AVG icon on your desktop or in the tray notification area.
- Click on Scan options-> select Manage Scheduled scan -> button Edit scan schedule.
- Switch to tab What to scan -> select Scan specific files or folders.
- Tick all drives you wish to be scanned.
- To exclude e.g. folder "C:\Program Files", please expand drive C:\ (using the + button, or by double-click on its icon) and un-tick the folder "Program Files".
- Alternatively, you can leave all drives and folders selected and add into the text box above the selection tree:
- ![path];
e.g. !C:\Program Files; will disable scanning of the Program Files folder.
- ![path];
- In
case you wish to disable recursion in some folders (so that the
contents of that folder are scanned, but not subfolders), please type
the following:
- -[path];
e.g. -C:\Windows\System32; will scan all files in the System32 folder, but not its subfolders. All other folders in C:\Windows will be scanned completely.
- -[path];
Setting scan process priority
The priority of the scan process defines how fast will the scan run, and how much system resources will it use. In other words, you can set the scan to run as fast as possible while slowing down your computer noticeably, or you can choose that you wish the test to run using as little system resources as possible, while prolonging its run time.
There are four options for the test priority in AVG:
- Fast scan = shortest scan time, highest usage of system resources
The Fast scan does not leave any time gaps between reading files on the computer, and the scanning runs in multiple threads to utilize even multi-core processors. The Fast scan is recommended when the computer is not used or no other demanding application is running at the same time. - Slow scan = longest scan time, lowest usage of system resources
The Slow scan leaves time gaps between reading individual files, so that other applications can access the data on the computer with minimal delay. The scanning itself also runs with lower priority, in single thread, and with lower memory demands. - Automatic scan = both scan time and generated system load depend on current computer load
In the Automatic mode, AVG is adjusting the scan priority and gaps between files based on current system load, thus minimizing the impact of the test on the system, while finishing the test in shortest possible time. - User sensitive scan = the lowest resource usage
The scan will take relatively long time but other processes and applications should not be affected in any way.
The scan priority can be set for both running and scheduled test:
- Running test
Please adjust the slider in the window of currently running test (AVG User Interface -> Computer scanner -> running scan). - Scheduled test
Open the AVG program -> Computer scanner, please click on the Manage Scheduled Scans option and double-click the desired scheduled scan. In the scan settings please switch to the tab How to scan. After setting the priority, please click the Save button to store the configuration.
Usage and return codes of avgscan*.exe
The AVG command line scanner avgscan*.exe (available in AVG program folder, where * can be 'x' for 32bit operating systems or 'a' for 64bit operating systems) allows scanning of the whole computer or specified files using a batch file or Scheduled Tasks in Windows. The parameters of the command line scan are available in the AVG documentation or using parameter /? (e.g. avgscanx.exe /?).
Apart from the full test report that is provided once the scan is finished, it is also possible to check the return code of the finished scan. This code can be used to trigger specified actions in case e.g. a virus was found.
The return code of the last finished command line scan is stored in a system variable %ERRORLEVEL% (to check its value for the last AVG scan manually, type "echo %ERRORLEVEL%" in the command line). Possible values and their meanings are:
- 0 (RETURNCODE_OK)
everything is OK - 1 (RETURNCODE_USERSTOP)
user interrupted the scan - 2 (RETURNCODE_ERROR)
error during the scan (e.g. when an incorrect parameter is used) - 3 (RETURNCODE_WARNING)
warning during the scan - 4 (RETURNCODE_PUPDETECTED)
Potentially Unwanted Program detected - 5 (RETURNCODE_VIRUSDETECTED)
virus detected - 6 (RETURNCODE_PWDARCHIVE)
password-protected archive found
Crash caused by old Starforce driver after start of Anti-Rootkit scan
Older StarForce sfdrv01.sys driver (copy protection application) can cause crash when AVG starts the Anti-Rootkit scan. This will display the so called BSOD (blue fullscreen error message). You will then need to force restart the PC. Please note that this issue is not caused by AVG.
It can be fixed by updating the StarForce protection driver. To do that, please follow the steps on the following web page (belonging to vendor of this application):
http://www.star-force.com/support/drivers/
If you are unsure whether StarForce protection is installed, you can check this way:
On Windows 2000, Windows XP:
- Right click on the My computer icon on your Desktop or in Start menu.
- Select the Properties option.
- In opened window switch to the Hardware tab.
- Click on the Device Manager button.
- In the Device Manager, select the Show hidden devices option from the View menu.
- Now check under the Non-plug and play drivers tree for any record with Starforce in the name.
On Windows Vista, Windows 7 and newer:
- Right click on the Computer icon on your Desktop or in Start menu.
- Select the Properties option.
- Click on the Device Manager link in top-left corner.
- In the Device Manager, select the Show hidden devices option from the View menu.
- Now check under the Non-plug and play drivers tree for any record with Starforce in the name.