
The difference between a 'deep' scan and a 'full' scan

  • 29 June 2012
  • Webroot Employee

Question

What's the technical difference between a deep scan and a full scan?
 

Answer

Deep scan:

This is the normal, default scan mode. 
 
Webroot SecureAnywhere (WSA) inspects system configuration information (registry and file locations, running processes, loaded modules, etc.) to determine what is loaded into memory, and what definitely will or is likely to load into memory during normal computer use.  These files are then initially scanned by generating an MD5 hash of the full file and submitting it to the cloud system.
 
If the item is known as Good, this data is cached and no further action is taken. 
 
If the file is known as Bad, it is inspected more deeply, interdicted if currently in memory, and the cleanup engine is brought into play to start keeping track as the scan continues.
 
If the file is reported as Unknown, further information is gathered about it and submitted to the cloud.  The file may also be pseudo-executed in protected memory space for deeper examination.  The extra information generated from these actions may result in a Good or Bad determination from the cloud based on cloud heuristics, or a heuristic determination from WSA itself, in which case one of the above Good or Bad results occurs.
 
A deep scan specifically targets only things that are running, and that definitely or probably will run.  The remainder of the system is considered inert, since the contents are not active or poised to be active.  This remainder is evaluated if and when it becomes active or primes to become active, via on-access scans, process interdiction, etc.  This portion of the protection is handled by realtime shields.
 
If a threat was "missed" because it was not part of the targeted area, it isn't going to run anyway, and it does nothing when just sitting as bits on media.  In the event the threat is read or attempts to execute machine code, it's scanned at that time and caught at that time.
 

Custom/Full scan:

This is a full inventory of all of your files against the database. 
 
Any given file is hashed into an MD5 in full.  Archives are extracted, and their contents are hashed as well.  The MD5 hashes are submitted to the cloud database and returned as "Good", "Bad", or "Unknown."  Unlike a Deep scan, Unknown cases are not inspected more deeply.  In fact, in most cases, the information on the status of files outside the Deep area expires from the local cache before the files are ever examined again in normal computer use.  If infections are detected outside the Deep zone on a custom or full scan, cleanup is performed on a basic level (Deletion/Quarantine) rather than based on journalling and activity evaluation.  However, the secondary scan will also run a custom or full scan, and take deep-scan extra evaluation action on unknowns if this is decided to be warranted by WSA or the cloud.
 
A custom or full scan is only recommended for scanning resources that are accessed via routes that bypass the computer WSA is installed on and accessed by systems that may not have WSA installed on them - for example, network shares on a server with no WSA agent that may be accessed by machines with no WSA agent.  Or it could be used, for instance, for scanning a USB drive that will be moved to another computer with no WSA agent on it.
 

Which is best for normal computer use? 

For normal computer use, the deep scan is tremendously faster, substantially more efficient, and much more effective at protecting a computer.
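The two scan modes described above, modelled as a small Python triage loop. This is an added illustration, not Webroot code: the sample "files", the reputation table and the action strings are constructed stand-ins for the cloud database and the cleanup engine, and the only real mechanics shown are full-file MD5 hashing and archive member hashing.

```python
import hashlib
import io
import zipfile

# Constructed sample blobs standing in for executables (not real binaries).
GOOD = b"MZ-benign-editor"
BAD = b"MZ-known-bad-sample"
NEW = b"MZ-never-seen-before"

def md5_hex(data: bytes) -> str:
    # The full file is hashed, never a partial or sampled hash.
    return hashlib.md5(data).hexdigest()

# Constructed stand-in for the cloud reputation database.
CLOUD = {md5_hex(GOOD): "Good", md5_hex(BAD): "Bad"}

def cloud_lookup(digest: str) -> str:
    return CLOUD.get(digest, "Unknown")

def make_zip(members: dict) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, data in members.items():
            z.writestr(name, data)
    return buf.getvalue()

# name -> (content, loaded or poised to load into memory)
FILES = {
    "editor.exe": (GOOD, True),        # running
    "autorun-tool.exe": (BAD, True),   # registered to load at boot
    "dropper.exe": (NEW, True),        # running, unknown to the cloud
    "old-backup.zip": (make_zip({"inner.exe": BAD, "notes.txt": NEW}), False),
}

def scan(files: dict, mode: str) -> dict:
    """Return {path: (verdict, action)} for what the given mode examines."""
    results = {}
    for name, (data, active) in files.items():
        if mode == "deep" and not active:
            continue  # inert bits on media are left to the realtime shields
        targets = {name: data}
        if mode == "full" and zipfile.is_zipfile(io.BytesIO(data)):
            with zipfile.ZipFile(io.BytesIO(data)) as z:  # hash archive members too
                targets.update({f"{name}!{m}": z.read(m) for m in z.namelist()})
        for path, blob in targets.items():
            verdict = cloud_lookup(md5_hex(blob))
            if verdict == "Good":
                action = "cache verdict"
            elif verdict == "Bad":
                action = "interdict + journal cleanup" if mode == "deep" else "delete/quarantine"
            elif mode == "deep":
                action = "gather more info, pseudo-execute, resubmit"
            else:
                action = "cache Unknown; no deeper look"
            results[path] = (verdict, action)
    return results
```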
