Leo, I’ve got a portable hard drive that contains various PC disk image files, all of which take up about 500 GB in total. When I right-click on the root directory to scan the portable drive with my Norton Internet Security software, the scan is completed in about 5 seconds. However, when I scan just one of the disk image files contained therein, it would take over 30 minutes, which is roughly the time it takes to directly perform a full scan on the PC. The same behavior is exhibited when I scan with Malwarebytes. Why is it that scanning the entire 500 GB portable hard drive at one time is so incredibly much faster than scanning just one of the files in that portable hard drive?
Your question brings up some very important distinctions about the different types of scans possible, and the different ways anti-malware tools perform them.
Scanning image files
First off, scanning a disk image file is pretty useless. The format of many disk image files means that their contents need to be “decoded”, in a way, before they can be used. So if there’s malware within the file, your anti-malware tools are unlikely to find it, since they won’t know the proper way to decode the image file’s contents.
I don’t know what kind of disk image file you have, but the fact that there are so many different ones should help explain why anti-malware tools simply can’t be expected to understand them all. Fundamentally, they just don’t know how to look inside.
And that’s where we start.
When you tell your anti-malware tool to scan a disk, many tools will skip files that they don’t know how to read or files that they know to be useless for carrying malware. My guess is that your anti-malware tool, when scanning the disk, skipped over any disk image files that it found because it knew that scanning them is a pointless waste of time.
Scanning specific files
When you specifically told it to scan this file, well, it did what you told it to do even though it was still a pointless waste of time.
If you really want to scan the contents of a disk image file for malware, the thing to do is to make its contents accessible, if you have the ability to do so. That would normally mean mounting the image as a virtual drive, so that you can see its contents as if it were another disk drive on your machine.
Chances are that your anti-malware tool will then happily scan it, because doing so is no longer a waste of time. It can now see the various files within the image that could potentially carry malware.
If you don’t have the ability to mount an image like I described, the only real way to look inside is to restore it to a disk of some sort. The bottom line is that the contents of the disk image need to be visible, as a disk of some sort, in order to be properly scanned.
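The point made above, that a scanner matching byte patterns cannot see inside an encoded image until its contents are decoded, shown as an added example (not from the original article or from any anti-malware product). It assumes a gzip-compressed tar archive as a stand-in for a disk image and a constructed, harmless marker string as the "signature"; all function names are hypothetical.

```python
import gzip
import io
import tarfile

# Constructed, harmless marker standing in for a malware signature.
SIGNATURE = b"CONSTRUCTED-TEST-MARKER-0001"


def build_image() -> bytes:
    """Build a compressed tar archive in memory as a stand-in for a disk image."""
    files = {
        "docs/readme.txt": b"ordinary text file\n" * 50,
        "bin/tool.exe": b"MZ" + b"\x00" * 200 + SIGNATURE + b"\x00" * 200,
        "data/notes.txt": b"nothing to see here\n" * 50,
    }
    raw = io.BytesIO()
    with tarfile.open(fileobj=raw, mode="w") as tar:
        for name, content in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(content)
            tar.addfile(info, io.BytesIO(content))
    return gzip.compress(raw.getvalue())


def scan_bytes(blob: bytes) -> bool:
    """Naive signature scan: does the byte pattern occur in the blob?"""
    return SIGNATURE in blob


def scan_raw_image(image: bytes) -> bool:
    """Scan the image file as-is, the way a scanner that cannot decode it would."""
    return scan_bytes(image)


def scan_decoded_image(image: bytes) -> list[str]:
    """Decode the image first (the equivalent of mounting it), then scan each file."""
    hits = []
    with tarfile.open(fileobj=io.BytesIO(image), mode="r:gz") as tar:
        for member in tar.getmembers():
            if member.isfile() and scan_bytes(tar.extractfile(member).read()):
                hits.append(member.name)
    return hits


if __name__ == "__main__":
    image = build_image()
    print("raw image scan finds marker:", scan_raw_image(image))
    print("decoded scan hits:", scan_decoded_image(image))
```

The raw scan reads every byte of the image and still reports nothing, while the decoded scan names the one file that carries the marker.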
Scan first, then image
Of course the true bottom line is that you should probably scan whatever it is you’re putting into a disk image before you put it into a disk image. I realize though, that’s not always possible.
I do have to throw out one big fat caveat here, and that is that different anti-malware tools will definitely behave differently in all of these regards. Some will skip files that they don’t understand in the interest of saving time. Some will skip files that they know are safe or are useless for carrying malware. Some will only skip when performing a quick scan and scan everything if they do a full scan – and some of course, will scan everything all the time.
And of course, when I talk about the files they “know about” or the files that they “don’t understand”, the list of files they know about and the things they understand will also vary from one tool to another.
But ultimately I believe that’s exactly what’s happening here. Norton is in fact electing not to scan disk image files because there’s really no point.
2 comments on “Why would scanning a disk be quick, but just a file on it be slow?”
Leo, when you talk about files that anti-malware software doesn’t know how to examine because the software can’t decode the contents — and so therefore the software doesn’t bother to scan those files for malware — that almost sounds like a situation the bad guys can take advantage of to infect your PC. I say “almost” because if that were true, surely the bad guys would have exploited it by now. I wonder what other types of files my anti-malware software cannot look inside of to examine. I suddenly don’t feel so well protected after all.
You can think of a backup file like a giant “zip” file. It’s basically copies of the files on your computer all compressed together. It’s actually a file that you created, and because of all that, is relatively benign. So it makes sense that an anti-malware program would understand that and skip it.