F-Prot Antivirus

I have massive problems with Online Virus Scanners and file locking. Imagine the following:

  • A file is opened for R/W.
  • The virus scanner scans the file in the background.
  • The virus scanner allows access to the data but continues to scan the file in the background
  • The application stops accessing while the scanner still scans the file
  • The application tries to re-open the file while the scanner still scans the file.
  • The application cannot open the file as the virus scanner still scans the file.
  • However the virus scanner starts to scan the file a second time because the application tried to access the file.
  • The application retries to open the file; however, this happens faster than the virus scanner finishes.

This alone is still not a problem; however, it becomes one as soon as more than one application starts to do this on the same file concurrently. This is because the virus scanner must re-scan the file as soon as there might be a change to the file by another application.

So the Online Virus Scanner never stops scanning the file, and the application can never get a lock on the file again. Deadlock.
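The starvation described above can be reproduced in a toy model. This is an added example, not F-Prot code: the scan time, the rule that an access attempt by a different application restarts the scan, and the exponential backoff used as a remedy are assumptions made for illustration.

```python
# Toy discrete-time model of the sequence described above (constructed for
# illustration; it is not F-Prot's real scheduling logic).
SCAN_TICKS = 10  # assumed time the scanner needs for one full pass


def fixed(ticks):
    """Retry policy: always wait the same number of ticks."""
    return lambda attempt: ticks


def backoff(attempt):
    """Retry policy: wait 2, 4, 8, ... ticks after each failed attempt."""
    return 2 ** attempt


def first_successful_open(apps, horizon=1000):
    """apps maps an application name to its retry policy.

    Returns (tick, name) of the first successful open, or None if every
    application is still locked out when the horizon is reached.
    """
    next_try = {name: 0 for name in apps}   # every application tries at tick 0
    attempts = {name: 0 for name in apps}
    scan_done_at = None                     # None: file has not been scanned yet
    last_toucher = None
    for tick in range(horizon):
        for name in sorted(apps):
            if next_try[name] != tick:
                continue
            if scan_done_at is not None and tick >= scan_done_at:
                return tick, name           # scan finished: open is granted
            # Open denied. An attempt by a *different* application may mean
            # the file changed, so the scanner starts over (assumed rule).
            if scan_done_at is None or last_toucher != name:
                scan_done_at = tick + SCAN_TICKS
            last_toucher = name
            attempts[name] += 1
            next_try[name] = tick + apps[name](attempts[name])
    return None


if __name__ == "__main__":
    print(first_successful_open({"A": fixed(3)}))                  # one app
    print(first_successful_open({"A": fixed(3), "B": fixed(3)}))   # starvation
    print(first_successful_open({"A": backoff, "B": backoff}))     # backoff
```

In this model a single application gets the file as soon as the first scan completes, two applications retrying at a fixed short interval are locked out for the whole horizon, and the same two applications succeed once their retry delay grows past the scan time.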

The problem is the way Online Virus Scanners work. They must protect an application, so they must scan the file before the application can get access. However, this must be done in a way that concurrent access is still possible. This, however, is somewhat at odds with reliability. Example:

  • Virus splits itself into 20 processes.
  • Each process only writes a bit of the virus to a file.
  • The file is then loaded into memory from the written file.

The idea now is that the changes which render the file are done while it is read into memory. So you cannot detect the problem by monitoring the writes, and you cannot detect the problem by scanning the file before it is really accessed. So you must scan the file on each access. And exactly that triggers the above problem.

Suspicious or false positive submission

www.f-prot.com/virusinfo/submission_form.html

The paths where F-Prot stores suspicious (quarantined) files are:

Windows Vista (I have a German version; I think under Vista it is the same for different languages):
C:\ProgramData\FRISK Software\F-PROT Antivirus for Windows\fq\

English Windows XP:
C:\Documents and settings\All Users\Application Data\Frisk Software\F-PROT antivirus for windows\FQ

German Windows XP:
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\FRISK Software\F-PROT Antivirus for Windows\fq

-Tino, 2008-01-13