I would prefer if winpooch keep some database of md5 sums of files it access for faster scanning. That way it would give him an ability similar to an old InoculateIt program that checked whether the files were altered. InoculateIt used signing of files though but md5 is second best to that strategy. That way you wouldn't have to scan all file accessed but only those for which you don't have md5 (meaning that they are new or previously weren't accessed) or whose md5 is changed. Also making winpooch to run first scan after installation during reboot before windows start would save us a lot of pain as that md5 database and those tables with AV states for files proposed above could be made on the same run. I see the added benefit to making those tables to expire after some period of time but wouldn't regular monthly full scan done as I wrote (something like safe or paranoid mode) serve the same purpose?