BleepingComputer.com: Better To Scan In Safe Mode Or Regular Mode For Virus/malware?

Just a general question:

1. When doing a routine scan for viruses and malware, etc. (and just generally speaking), is it better to scan in safe mode or regular mode?

2. If you scan in safe mode, is there anything that wouldn't show up (that you could potentially miss) that *would* show up in regular mode?

3. Or is safe mode just better all around, and everything is covered (plus more) that you'd find with scanning in regular mode?

(I'm referring to scanning with AVG A/V, AVG Anti-Spyware, SpyBot (old version), and Ad-Aware SE.)

Thanks!

Safe Mode is a troubleshooting mode designed to start Windows with minimal drivers and running processes to diagnose problems with your computer. This means some of the programs that normally run when Windows starts will not run.

The Windows operating system protects files when they are being accessed by an application or a program. Malware writers create programs that can insert itself and hide in these protected areas when the files are being used. Using "Safe Mode" reduces the number of modules requesting files to only the essentials to make your computer functional. This in turn reduces the number of hiding places for malware, making it easier to find and delete the offending files. Using your anti-virus and anti-malware tools, in "Safe Mode" also speeds up the scanning process. Read "Beginners Guides: Windows XP Safe Mode Explained" and "What is 'Safe Mode' used for and why?"

This post has been edited by quietman7: 23 October 2007 - 10:56 AM

Thanks for the reply. I think we discussed the general terms of what you posted on another thread. But a question I asked at the time, but never heard back from you on, was the fact that when I scan my computer in safe mode with AVG A/V or Anti-Spyware -- it actually takes 3 times as long (if not longer) than if I scan in normal mode. Why would this be the case?

And just to verify, is it correct then that there is no benefit to scanning in regular mode as compared to safe mode in terms of "bad stuff" not getting spotted by the scanning program, etc.? There's nothing that gets missed in safe mode that would get picked up in regular mode, is that correct?

Thanks again!

If the malware is not related to a running process it probably will not make a difference if doing your scan in normal or safe mode. If the security tool your using does not include definitions for the malware, then they may not detect or remove it regardless of what mode your using. Most anti-rootkit scanners will not work in safe mode because they utilize a driver which is required for the scanning process and that driver will not load in safe mode. Further, there are rootkit variants (haxdoor) that can run in safe mode so the usual reason for running a scan in that mode does not apply.

Generally speaking, safe mode is more effective but that does not mean you have to use it everytime you perform a scan. Again, generally speaking, doing your scans in safe mode is usually faster but speed depends on a variety of factors.

• The anti-virus program itself and how its scanning engine is designed to scan.
  
• Deep scanning or quick scanning.
  
• What action has to be performed when malware is detected.
  
• Competition between the scanner and other applications for system resources.
  
• Your computer's hard drive size.
  
• Disk used capacity (number of files) that have to be scanned.
  
• Running processes in the background.
  
• Interference from malware.
  
• Interference from the user.

bloomcounty, on Oct 23 2007, 07:14 PM, said:

I find the same thing. In fact pretty well everything I do in safe mode is painfully slow (and has always been so). Someone once explained to me that this was probably because a graphics driver was disabled in safe mode, though I have no idea whether this is correct.