Ask Leo!

Technology With Confidence


Why would scanning a disk be quick, but just a file on it be slow?

If that large file is a backup image, then maybe your anti-malware tool knows what I know... that there's no point in scanning it.


Leo, I’ve got a portable hard drive that contains various PC disk image files, all of which take up about 500 GB in total. When I right-click on the root directory to scan the portable drive with my Norton Internet Security software, the scan is completed in about 5 seconds. However, when I scan just one of the disk image files contained therein, it takes over 30 minutes, which is roughly the time it takes to directly perform a full scan on the PC. The same behavior is exhibited when I scan with Malwarebytes. Why is it that scanning the entire 500 GB portable hard drive at one time is so incredibly much faster than scanning just one of the files on that portable hard drive?

Your question brings up some very important distinctions about the different types of scans possible, and the different ways anti-malware tools perform them.


Scanning image files

First off, to be honest, scanning a disk image file is pretty useless. Many disk image formats require that their contents be “decoded”, in a way, before they can be used. So if there’s malware within the file, your anti-malware tools are unlikely to find it since they won’t know the proper way to decode the image file’s contents.

I don’t know what kind of disk image file you have, but the fact that there are so many different ones should help explain why anti-malware tools simply can’t be expected to understand them all. Fundamentally, they just don’t know how to look inside.

And that’s where we start.

When you tell your anti-malware tool to scan a disk, many tools will skip files that they don’t know how to read or files that they know to be useless for carrying malware. My guess is that your anti-malware tool, when scanning the disk, skipped over any disk image files that it found because it knew that scanning them is a pointless waste of time.

Scanning specific files

When you specifically told it to scan this file, well, it did what you told it to do even though it was still a pointless waste of time.

If you really want to scan the contents of a disk image file for malware, the thing to do is to make its contents accessible, if you have the ability to do so. That would normally mean mounting the image as a virtual drive, so that you can see its contents as if it were another disk drive on your machine.

Chances are that your anti-malware tool will then happily scan it, because doing so is no longer a waste of time. It can now see the various files and such within the image that could potentially carry malware.

If you don’t have the ability to mount an image like I described, the only real way to look inside is to restore it to a disk of some sort. The bottom line is that the contents of the disk image need to be visible, as a disk of some sort, in order to be properly scanned.
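The point made under “Scanning image files” and again here, that a scanner has to see the decoded contents rather than the raw image file, can be shown with a small added example (not code from the original article or from any anti-malware product). It assumes a gzip-compressed tar archive as a stand-in for a backup image, a naive byte-pattern scanner, and a harmless constructed marker string in place of a real signature; all function and file names are hypothetical.

```python
import io
import tarfile

# Constructed, harmless marker standing in for a malware signature.
SIGNATURES = {"constructed-test-marker": b"ASKLEO-DEMO-MARKER-7f3a"}


def scan_bytes(data: bytes) -> list[str]:
    """Naive signature scan: report each signature found verbatim in data."""
    return sorted(name for name, sig in SIGNATURES.items() if sig in data)


def build_image(files: dict[str, bytes]) -> bytes:
    """Pack files into a compressed archive, standing in for a backup image."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, content in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(content)
            tar.addfile(info, io.BytesIO(content))
    return buf.getvalue()


def scan_mounted(image: bytes) -> dict[str, list[str]]:
    """Decode the image first (the 'mount' step), then scan each file in it."""
    hits = {}
    with tarfile.open(fileobj=io.BytesIO(image), mode="r:gz") as tar:
        for member in tar:
            if member.isfile():
                found = scan_bytes(tar.extractfile(member).read())
                if found:
                    hits[member.name] = found
    return hits


# Constructed sample contents: one clean file, one carrying the marker.
SAMPLE_FILES = {
    "Documents/notes.txt": b"nothing to see here\n" * 50,
    "Downloads/setup.exe": b"MZ" + b"\x00" * 200
    + SIGNATURES["constructed-test-marker"],
}
IMAGE = build_image(SAMPLE_FILES)

if __name__ == "__main__":
    print("raw scan of the image file:", scan_bytes(IMAGE))
    print("scan after decoding:       ", scan_mounted(IMAGE))
```

The raw scan reads every byte of the image and still reports nothing, because compression has transformed the marker; only the decoded view exposes it.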

Scan first, then image

Of course the true bottom line is that you should probably scan whatever it is you’re putting into a disk image before you put it into a disk image. I realize though, that’s not always possible.

I do have to throw out one big fat caveat here, and that is that different anti-malware tools will definitely behave differently in all of these regards. Some will skip files that they don’t understand in the interest of saving time. Some will skip files that they know are safe or are useless for carrying malware. Some will only skip when performing a quick scan and scan everything if they do a full scan – and some of course, will scan everything all the time.

And of course, when I talk about the files they so-called “know about” or “don’t understand”, the list of files they know about and the things they understand will also vary from one tool to another.

But ultimately I believe that’s exactly what’s happening here. Norton is in fact electing not to scan disk image files because there’s really no point.

Posted: March 30, 2014 in: Security Software
Shortlink: https://askleo.com/13764
TAGS: answercast 150, antimalware, backup image

About Leo

Leo A. Notenboom has been playing with computers since he was required to take a programming class in 1976. An 18 year career as a programmer at Microsoft soon followed. After "retiring" in 2001, Leo started Ask Leo! in 2003 as a place for answers to common computer and technical questions. More about Leo.

Comments

  1. Yeppers

    March 30, 2014 at 6:59 pm

    Leo, when you talk about files that anti-malware software doesn’t know how to examine because the software can’t decode the contents — and so therefore the software doesn’t bother to scan those files for malware — that almost sounds like a situation the bad guys can take advantage of to infect your PC. I say “almost” because if that were true, surely the bad guys would have exploited it by now. I wonder what other types of files my anti-malware software cannot look inside of to examine. I suddenly don’t feel so well protected after all.

    • Connie Delaney

      March 30, 2014 at 8:09 pm

      You can think of a backup file like a giant “zip” file. It’s basically copies of the files on your computer all compressed together. It’s actually a file that you created, and because of all that, is relatively benign. So it makes sense that an anti-malware program would understand that and skip it.


Creative Commons License
This work by Ask Leo! is licensed under a
Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International License.
Additional information is available at
https://askleo.com/creative-commons-license/.
