Virus detection during hard drive defrag?


Virus Guy

When using the native drive defragger for a given OS (98, 2K, XP),
does any installed-and-running AV software get to see the files being
shuffled around during the defrag - or does the defrag process happen
at a more primitive level that is not hooked into any AV real-time
file monitoring?

Regarding defrag on XP, I notice that after XP's native defrag has
cleaned up a drive and I run Norton's Speed Disk (NSW 2002) that
Norton has a different take on the state of the supposedly defragged
drive and will perform its own lengthy defrag if you let it. When it
comes to assessing the frag-state of an NTFS drive, who's right? MS,
or Norton?
 
When using the native drive defragger for a given OS (98, 2K, XP),
does any installed-and-running AV software get to see the files being
shuffled around during the defrag - or does the defrag process happen
at a more primitive level that is not hooked into any AV real-time
file monitoring?

I for one would expect the defrag to be at a level "below the radar".

Regarding defrag on XP, I notice that after XP's native defrag has
cleaned up a drive and I run Norton's Speed Disk (NSW 2002) that
Norton has a different take on the state of the supposedly defragged
drive and will perform its own lengthy defrag if you let it. When it
comes to assessing the frag-state of an NTFS drive, who's right? MS,
or Norton?

There will be no one right answer, so both will in some sense be right.

Regards
 
No, your AV doesn't see the files manipulated by most (all?) defraggers.

Defraggers all have a different view of the "right" way to defrag a volume.
Otherwise how would we distinguish one from the other?

I believe that ANY commercial defragger, even Speed Disk, is superior to the
defragger included in XP. My personal preference, based on subjective
testing, is Perfect Disk by Raxco.
 
Virus Guy said:
When using the native drive defragger for a given OS (98, 2K, XP),
does any installed-and-running AV software get to see the files being
shuffled around during the defrag - or does the defrag process happen
at a more primitive level that is not hooked into any AV real-time
file monitoring?

Regarding defrag on XP, I notice that after XP's native defrag has
cleaned up a drive and I run Norton's Speed Disk (NSW 2002) that
Norton has a different take on the state of the supposedly defragged
drive and will perform its own lengthy defrag if you let it. When it
comes to assessing the frag-state of an NTFS drive, who's right? MS,
or Norton?

I can't answer your first question but I know a little about the second
one. I use Norton Speed Disk on all of my Win98 PCs. It does a much
better, faster job than the MS Defrag program. With Win98 it can be set
to optimize the HDD so that more frequently used files are placed where
they will be accessed faster. It can also optimize the swap file.

A lot of people recommend against using Speed Disk on any NT based OS
and especially NTFS. I can't recall their arguments. Same thing for Disk
Doctor. Try doing a Google search on the topic.

The native MS XP/Win2k Defrag program is a simplified version of
Executive Software's Diskeeper Lite which has an excellent reputation.

Norton may be optimizing your HDD but as I understand NTFS that
operation isn't necessary. That might be why you are getting different
results.

Chas.
 
Chas said:
A lot of people recommend against using Speed Disk on any NT
based OS and especially NTFS. I can't recall their arguments.

I currently have a drive from a Win-NT4 server slaved to a Win-XP
machine. The drive has 3 partitions or logical drives (C/D/E). The
files on the D drive are not accessible to XP's file manager (it was
originally a separate physical drive on the NT4 machine, a SCSI drive
actually, that was "grafted" onto the same physical drive as the C/E
drive). When the drive is in master-mode on the NT4 computer, all 3
partitions operate just fine. Interestingly, while XP's defrag
won't/can't optimize the D drive, Norton's SpeedDisk can.

Norton may be optimizing your HDD but as I understand NTFS that
operation isn't necessary. That might be why you are getting
different results.

After I run Norton's Speed Disk on the drives mentioned above, and
then run MS's defrag program (analyze function) it always comes back
with 2 or 3 dozen fragmented files. I can never get the MFT below 2
fragments (and sometimes not less than 4 or 5). I can understand that
for the primary C: drive, but not necessarily for a slaved drive.
 
Virus Guy said:
I currently have a drive from a Win-NT4 server slaved to a Win-XP
machine. The drive has 3 partitions or logical drives (C/D/E). The
files on the D drive are not accessible to XP's file manager (it was
originally a separate physical drive on the NT4 machine, a SCSI drive
actually, that was "grafted" onto the same physical drive as the C/E
drive). When the drive is in master-mode on the NT4 computer, all 3
partitions operate just fine. Interestingly, while XP's defrag
won't/can't optimize the D drive, Norton's SpeedDisk can.

After I run Norton's Speed Disk on the drives mentioned above, and
then run MS's defrag program (analyze function) it always comes back
with 2 or 3 dozen fragmented files. I can never get the MFT below 2
fragments (and sometimes not less than 4 or 5). I can understand that
for the primary C: drive, but not necessarily for a slaved drive.

I've frequently run into a few files that get reported as still being
fragmented with Diskeeper on all versions of Windows that I've used it
on - Win98 and NT4 plus the MS version on Win2k and XP.

It could be that the files are dynamic or inaccessible during
defragging. Anyway, I've tried rerunning Defrag and it will usually
clean up all fragmented files. On the other hand, Speed Disk may not be
defragging all of the files but doesn't report the results as such.

Chas.
 
Virus Guy said:
When using the native drive defragger for a given OS (98, 2K, XP),
does any installed-and-running AV software get to see the files being
shuffled around during the defrag - or does the defrag process happen
at a more primitive level that is not hooked into any AV real-time
file monitoring?

Properly designed on-access AV (aka real-time, or background AV) inspects every
file accessed of the types that are in the service check list. There are at
least two good reasons for disabling the real-time AV (as well as every service
or application that writes to the drive as part of its routine, like indexing
programs, periodic e-mail download, etc.): First, real-time AV slows down
defragmentation as it suspends the process repeatedly every time a file is
inspected. Second, there is a risk that the defrag process may crash when
interrupted by the AV and create a file system error as a result.

It is good practice to disable all background processes that aren't essential to
the defragmentation and disconnect from the web/network until done. Personally,
I would recommend defragging from safe mode, with the minimum of concurrent
processes running in the background.

As to Norton's SpeedDisk, I suspect that Symantec suspends AutoProtect when their
defragger is running. It's common practice among AVers to suspend their
on-access AV when a competing process is running, like their own on-demand
scanner, so they do not interfere with each other. This might give the wrong impression
whether the background AV is active or not.

Regarding defrag on XP, I notice that after XP's native defrag has
cleaned up a drive and I run Norton's Speed Disk (NSW 2002) that
Norton has a different take on the state of the supposedly defragged
drive and will perform its own lengthy defrag if you let it. When it
comes to assessing the frag-state of an NTFS drive, who's right? MS,
or Norton?

They are both right. They simply use different strategies and compacting
topology.

Regards, Zvi
 
Zvi said:
Properly designed on-access AV (aka real-time, or background AV)
inspects every file accessed of the types that are in the service
check list.
... real-time AV slows down defragmentation as it suspends the
process repeatedly every time a file is inspected.

I think that others here have said that file handling during the
defrag process is not "visible" to AV software, hence there is no
possibility of performance or error-inducing interference from AV
software during a defrag.

They are both right. They simply use different strategies
and compacting topology.

Using a different strategy to compact or defrag a file system is one
thing.

But why do they not agree as to what constitutes a fragmented file?

If a file is built from a string of perfectly-consecutive sectors (or
clusters, or allocation units) - is it then NOT fragmented? How can
such a simple characteristic or metric not be properly identified or
measured by a defrag utility?
 
Virus Guy said:
I think that others here have said that file handling during the
defrag process is not "visible" to AV software,

I wouldn't bet on that. The defrag API routine to move clusters
requires a file handle which is obtained from a file name. The file
must first be opened by the program, so it's possible for AV software
to spot this even if it can't see the clusters being moved.

hence there is no possibility of performance or error-inducing
interference from AV software during a defrag.

There will always be a performance hit with other processes using the
file system at the same time. However, the defrag API is supposed to
protect against file access errors.

Using a different strategy to compact or defrag a file system is one
thing.

But why do they not agree as to what constitutes a fragmented file?

They do, but also do more than just defragment. Files can be moved
such that, for example, all executable files are grouped together at
the beginning of a partition or disk.

If a file is built from a string of perfectly-consecutive sectors (or
clusters, or allocation units) - is it then NOT fragmented?

Correct, but it may not be optimally placed.

How can such a simple characteristic or metric not be properly
identified or measured by a defrag utility?

The tricky part is deciding how to organize the files for optimal
access.
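The distinction drawn in the reply above (a file can be perfectly contiguous and still be something an optimiser wants to move) is easy to show on simulated data. The following is an added example, not code from the thread or from any of the defraggers mentioned in it. It models each file's on-disk layout as a list of (start cluster, length) extents, the same shape of information the Windows defrag API exposes as retrieval pointers, and applies two constructed placement policies: one that only cares about contiguity and leaves hidden/system files alone, and one that also wants executables grouped near the front of the volume. The sample volume, the policy names, the cluster threshold and the flag-based exceptions are all assumptions made up for the illustration.

```python
"""Fragmentation vs. placement on a simulated volume (added example).

Two different questions get two different answers:
  1. Is the file fragmented?      -> are its extents physically contiguous
  2. Does this optimiser want to move it? -> depends on its placement policy
Every file layout and policy below is constructed sample data.
"""
from dataclasses import dataclass, field


@dataclass
class FileLayout:
    name: str
    extents: list            # [(start_cluster, length)] in logical file order
    flags: set = field(default_factory=set)   # e.g. {"hidden", "system"}


def fragment_count(extents):
    """Count physically contiguous runs.

    Adjacent extents whose clusters continue without a gap are merged, so a
    list that is merely split for bookkeeping reasons does not count as
    fragmentation. A contiguous file therefore has exactly one fragment.
    """
    if not extents:
        return 0
    count = 1
    prev_start, prev_len = extents[0]
    for start, length in extents[1:]:
        if start != prev_start + prev_len:   # gap (or jump backwards) = new fragment
            count += 1
        prev_start, prev_len = start, length
    return count


def is_fragmented(layout):
    return fragment_count(layout.extents) > 1


# Constructed policies. "skip_flags" models the built-in exceptions some
# defraggers apply to hidden/system files; "group_exec" models an optimiser
# that wants executables placed at the start of the volume.
EXEC_ZONE_END = 1000   # assumption: executables "should" live below this cluster
POLICIES = {
    "contiguity_only":   {"group_exec": False, "skip_flags": {"system", "hidden"}},
    "group_executables": {"group_exec": True,  "skip_flags": {"system"}},
}


def needs_work(layout, policy):
    """Would this policy report the file as something to fix?"""
    if layout.flags & policy["skip_flags"]:
        return False                       # exception list: never touched
    if is_fragmented(layout):
        return True                        # every policy agrees on this part
    if policy["group_exec"] and layout.name.lower().endswith((".exe", ".dll")):
        return layout.extents[0][0] >= EXEC_ZONE_END   # contiguous but "misplaced"
    return False


def report(files, policy_name):
    """Sorted names of files the named policy wants to move."""
    policy = POLICIES[policy_name]
    return sorted(f.name for f in files if needs_work(f, policy))


# Constructed sample volume.
SAMPLE_VOLUME = [
    FileLayout("$MFT",        [(4, 100), (5000, 40), (9000, 20)], {"system", "hidden"}),
    FileLayout("notes.txt",   [(200, 10), (210, 5)]),      # split list, still contiguous
    FileLayout("report.doc",  [(300, 10), (400, 10)]),     # genuinely fragmented
    FileLayout("winfile.exe", [(2000, 50)]),               # contiguous, but far from front
    FileLayout("speed.dll",   [(100, 20)]),                # contiguous and in the exec zone
    FileLayout("config.sys",  [(50, 1), (700, 1)], {"hidden"}),  # fragmented, hidden
]

if __name__ == "__main__":
    for f in SAMPLE_VOLUME:
        print(f"{f.name:12} fragments={fragment_count(f.extents)} flags={sorted(f.flags)}")
    for name in POLICIES:
        print(f"{name:18} -> {report(SAMPLE_VOLUME, name)}")
```

Run stand-alone, the two policies report different file sets for the same layout even though they agree on which files are fragmented: the MFT is the most fragmented file on the volume yet neither policy lists it, because both treat system files as off-limits, which matches the observation earlier in the thread that an analyser can keep reporting MFT fragments that the defragger never removes.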
 
Virus Guy said:
I think that others here have said that file handling during the
defrag process is not "visible" to AV software,

Nonsense. If such a thing were possible then malware could use the same trick to
conceal itself from on-access AV.

hence there is no
possibility of performance or error-inducing interference from AV
software during a defrag.

In fact, defragmenting utilities are one of the most prone to induce file system
errors.

Using a different strategy to compact or defrag a file system is one
thing.

But why do they not agree as to what constitutes a fragmented file?

There is no ambiguity on what a fragmented file is, but there is no agreement
among the producers on what to optimize the process for, which leads to the
different strategies. There might also be a difference between the producers
on whether to move particular files such as hidden-system ones, and built-in (hard
and soft coded in the utility) exceptions.

Regards, Zvi
 
Zvi said:
Nonsense. If such a thing were possible then malware could use the same trick to
conceal itself from on-access AV.

In fact, defragmenting utilities are one of the most prone to induce file system
errors.

There is no ambiguity on what a fragmented file is, but there is no agreement
among the producers on what to optimize the process for, which leads to the
different strategies. There might also be a difference between the producers
on whether to move particular files such as hidden-system ones, and built-in (hard
and soft coded in the utility) exceptions.

Regards, Zvi

Please let me know which defraggers will move system and hidden files!
Also mention if any of them work on NTFS drives.
 
Robert said:
Please let me know which defraggers will move system and hidden
files!

I sometimes bring up a list of all folders/files on the drive (using
search->find->files/folders) and high-light them all as a group,
right-click on them (then wait a few minutes) then select properties
and then un-check the hidden and read-only attribute box. Some files
and directories will retain their hidden and/or read-only status, but
most won't.

So my solution is to strip the read-only and hidden status from as
many files as possible before doing a defrag. I'm not aware of any OS
(even the convoluted and over-managed XP) that depends on having some
files as being read-only or hidden.
 
Virus said:
Robert Baer wrote:

I sometimes bring up a list of all folders/files on the drive (using
search->find->files/folders) and high-light them all as a group,
right-click on them (then wait a few minutes) then select properties
and then un-check the hidden and read-only attribute box. Some files
and directories will retain their hidden and/or read-only status, but
most won't.

So my solution is to strip the read-only and hidden status from as
many files as possible before doing a defrag. I'm not aware of any OS
(even the convoluted and over-managed XP) that depends on having some
files as being read-only or hidden.

Sneaky!
Thanks.
 
Virus Guy said:
I sometimes bring up a list of all folders/files on the drive (using
search->find->files/folders) and high-light them all as a group,
right-click on them (then wait a few minutes) then select properties
and then un-check the hidden and read-only attribute box. Some files
and directories will retain their hidden and/or read-only status, but
most won't.

So my solution is to strip the read-only and hidden status from as
many files as possible before doing a defrag. I'm not aware of any OS
(even the convoluted and over-managed XP) that depends on having some
files as being read-only or hidden.

Get a copy of the old File Manager program, Winfile.exe from NT4. It
works fine in Win2k and XP except you can't configure the toolbar.

File Manager allows easy one-click attribute changes for a group of
highlighted files, for example when trying to delete read-only leftover
installation files.

You can also do multiple pane views.

Chas.
 