"On demand" scans, why?

24 replies to this topic

#1 nCharge (Members, 57 posts)

Posted 11 October 2012 - 01:26 PM

Hello, I am talking here about the scans you can perform by clicking "Perform full system scan".
I mean, in my opinion, there is no interest in scanning this way, because you have a real time scanner that analyses every single file that is being read.
I mean that whether there are any malicious activities in the background or not, your real time scanner should intercept them.
However, I know we can discover infected files after a manual full scan.

My thoughts:
1- If we do have infected files after a manual full scan (not detected by the real time scanner), it can either be a remnant (registry key/single file) of a previously eradicated malware OR a non-active threat (the file itself is infected but is not doing any harm to the PC, e.g. a random infected EXE).

2- But in every case those files are INACTIVE, meaning that they're not running (because your real time scanner would be showing something if they were active).

What are your opinions?


#2 Andrew (Moderator, Bleepin' Night Watchman, 8,260 posts)

Posted 11 October 2012 - 01:52 PM

A real-time scanner generally is less thorough than a full system scan in its analysis of files and registry entries. Most real-time scanners will skip files which are unlikely to carry an infection (like files ending in .txt, for example) and don't perform the full battery of analyses that the scanner engine is capable of.

In a sense, real-time scanning can be thought of as a security guard, whereas a full system scan would be a SWAT team.

#3 nCharge (Topic Starter, Members, 57 posts)

Posted 11 October 2012 - 02:17 PM

I agree, but what if we already selected "Guard : Scan all files write/read"?

#4 Andrew (Moderator, Bleepin' Night Watchman, 8,260 posts)

Posted 11 October 2012 - 03:07 PM

Then the scanner likely scans all files, but not in depth. Malware scanners need to balance speed with depth for real-time scanning, so only the fastest analyses are usually performed.

#5 nCharge (Topic Starter, Members, 57 posts)

Posted 11 October 2012 - 04:14 PM

Wow, so infected files recognized as infected while full scanning can all be invisible when in real time mode? Scary...

What can you say about my points 1 and 2?

Edited by nCharge, 11 October 2012 - 04:14 PM.


#6 Romeo29 (Members, Learning To Bleep, 3,194 posts)

Posted 11 October 2012 - 05:37 PM

> Hello, I am talking here about the scans you can perform by clicking "Perform full system scan".
> I mean, in my opinion, there is no interest in scanning this way, because you have a real time scanner that analyses every single file that is being read.
> I mean that whether there are any malicious activities in the background or not, your real time scanner should intercept them.
> However, I know we can discover infected files after a manual full scan.
>
> My thoughts:
> 1- If we do have infected files after a manual full scan (not detected by the real time scanner), it can either be a remnant (registry key/single file) of a previously eradicated malware OR a non-active threat (the file itself is infected but is not doing any harm to the PC, e.g. a random infected EXE).
>
> 2- But in every case those files are INACTIVE, meaning that they're not running (because your real time scanner would be showing something if they were active).
>
> What are your opinions?

This is possible for all kinds of infected files. Real time scan checks files when file operations (read/write/copy/delete/move etc.) are done on a file. Files which are not accessed by you, other programs or the system are not checked by real time scan. Such files turn up when you perform a full manual scan of your system, as now all the files are scanned. Even if not picked up by real time scan, all threats can cause damage to your system and should be repaired, deleted or quarantined as soon as detected.

#7 noknojon (Banned, 10,871 posts)

Posted 11 October 2012 - 09:45 PM

> because you have a real time scanner that analyses every single file that is being read.

<< Not always (never) correct - Please read on -
Hi -
Have you ever given thought as to why in Malware Removal, an Expert will often use 3, 5, or even 10 tools, or more, in the removal of infections???

Simple - Not all Infections/Malware are created equal - All Malware has its own signature that must be found and then treated in a way that will remove it from the computer, without harming any of the normal computer's Operating System, and then returning the O/S back to a stable (original) condition.
Up to 90% of people generally do not have a full active armoury of Anti Malware tools installed on their own computer at any given time -

Do you have the "best" Antivirus (how do you know) and is it updated right now? Do you have an active Antimalware program, and is it updated right now? Are you aware that companies like Malwarebytes will do a full update at least once a day, and in that day they may do up to 15 - 20 minor updates if a new infection is added to their bank??

An Antivirus program is "often" over rated as the only way to prevent infections, while there are many other types of programs that are required to keep infections from installing.
Is your Hosts file fully updated? A small thing, but we treat many computers that have had this corrupted by a minor infection, which then allows other problems to enter.

Also as per Romeo29 re: Hidden / Inactive infections:
> Such files turn up when you perform a full manual scan of your system as now all the files are scanned.

So there is always a long tale of woe behind every infected computer ("I didn't do anything"), but the problem was already there last week ..........

Regards -

#8 Didier Stevens (BC Advisor, 2,716 posts)

Posted 12 October 2012 - 04:58 AM

> My thoughts:
> 1- If we do have infected files after a manual full scan (not detected by the real time scanner), it can either be a remnant (registry key/single file) of a previously eradicated malware OR a non-active threat (the file itself is infected but is not doing any harm to the PC, e.g. a random infected EXE).
>
> 2- But in every case those files are INACTIVE, meaning that they're not running (because your real time scanner would be showing something if they were active).

1) No, it can also be malware that was not detected at infection time by the real-time scanner, because the AV had no signatures to detect it at that time.

2) No, it could be ACTIVE. It could have tampered with your AV, so it does not detect it in real-time. It is also not uncommon for AV products to have different real-time and manual scanning profiles. For example, real-time could exclude some folders that are not excluded by a manual scan.

Didier Stevens
http://blog.DidierStevens.com
http://DidierStevensLabs.com

SANS ISC Senior Handler
Microsoft MVP 2011-2016 Consumer Security, Windows Insider MVP 2016-2019

If you send me messages, per Bleeping Computer's Forum policy, I will not engage in a conversation, but try to answer your question in the relevant forum post. If you don't want this, don't send me messages.
Stevens' law: "As an online security discussion grows longer, the probability of a reference to BadUSB approaches 1.0"
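To make the three points raised in this thread concrete (Andrew: the real-time profile skips file types and does shallower analysis; Romeo29: on-access scanning only fires on files something touches; Didier Stevens: real-time and on-demand profiles can differ, e.g. in excluded folders), here is a small Python model of both scanners run over a constructed directory tree. It is an added illustration, not code from any AV product or from the posters; the skip list, the excluded folder, the 64-byte "fast" read window and the MARKER byte string are assumptions chosen to show one missed file per limitation.

```python
import tempfile
from pathlib import Path

# Constructed stand-in for a detection signature (assumption, not a real sample).
MARKER = b"CONSTRUCTED-MALWARE-MARKER"
# Assumed real-time profile: skip "unlikely" extensions, exclude one folder,
# and read only the first 64 bytes of each file for speed.
FAST_SKIP_EXTENSIONS = {".txt", ".log"}
REALTIME_EXCLUDED_DIRS = {"Games"}

def fast_check(path: Path) -> bool:
    """Real-time profile: inspect only the first 64 bytes of the file."""
    with path.open("rb") as f:
        return MARKER in f.read(64)

def on_access_scan(root: Path, accessed: list) -> set:
    """Real-time scanner: runs only for files something actually touches."""
    hits = set()
    for rel in accessed:
        if Path(rel).suffix.lower() in FAST_SKIP_EXTENSIONS:
            continue  # extension skipped by the fast profile
        if REALTIME_EXCLUDED_DIRS & set(Path(rel).parts):
            continue  # folder excluded from real-time scanning only
        if fast_check(root / rel):
            hits.add(rel)
    return hits

def on_demand_scan(root: Path) -> set:
    """Full system scan: walk every file, read it whole, apply no exclusions."""
    return {p.relative_to(root).as_posix()
            for p in root.rglob("*") if p.is_file() and MARKER in p.read_bytes()}

# Constructed sample tree; each file defeats one real-time limitation.
SAMPLES = {
    "Documents/report.txt": b"notes " + MARKER,         # skipped by extension
    "Games/launcher.exe": MARKER + b" data",            # real-time excluded folder
    "Downloads/old_setup.exe": b"\x00" * 100 + MARKER,  # marker past the 64-byte window
    "Downloads/dropper.exe": MARKER + b" data",         # touched and caught in real time
    "Backup/archive.dll": MARKER,                       # never accessed at all
}
ACCESSED = [rel for rel in SAMPLES if not rel.startswith("Backup/")]

def demo() -> tuple:
    """Return (real-time detections, on-demand detections) for the sample tree."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for rel, data in SAMPLES.items():
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_bytes(data)
        return on_access_scan(root, ACCESSED), on_demand_scan(root)
```

Only dropper.exe is caught in real time; the full scan finds all five, and nothing in the model says the four it adds are inactive.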


#9 nCharge (Topic Starter, Members, 57 posts)

Posted 12 October 2012 - 11:41 AM

To Romeo29:

> Files which are not accessed by you, other programs or system are not checked by real time scan

So, isolated infected file not checked by real time scanner = not being accessed = inactive (a bit harmless)?

To noknojon:
Yes, many tools to REMOVE and not to DETECT! I'm more into the detection thing, but you're right, antivirus is not the only tool we have as a "barrier", and even if you have the latest update, you can catch a new virus variant, which is bad!

To Didier Stevens:
Look at my reply to Romeo29.
And that makes the real time scanner compromisable; what about the full scanning thing?

#10 Romeo29 (Members, Learning To Bleep, 3,194 posts)

Posted 12 October 2012 - 01:13 PM

> To Romeo29:
>
> > Files which are not accessed by you, other programs or system are not checked by real time scan
>
> So, isolated infected file not checked by real time scanner = not being accessed = inactive (a bit harmless)?

A virus is a program. Inactive virus = virus program not running. Active virus = running. It's like saying Notepad is active or inactive. Of course, when a virus is active, it is causing damage to your system, and when it's inactive it's just sitting there.

That brings another question. Why would a malware file be inactive? If your computer has a malware infection, then there is a high probability that it is running in full swing and is active.

#11 nCharge (Topic Starter, Members, 57 posts)

Posted 12 October 2012 - 03:57 PM

Well, I know I have encountered an inactive malware file not detected by the real time scanner (and I guess it was harmless); it was a .dll file with adware.

Meaning that without its .exe and all that stuff, I can practically say this dll file is no threat, thus "inactive".

#12 Romeo29 (Members, Learning To Bleep, 3,194 posts)

Posted 12 October 2012 - 06:26 PM

> Well, I know I have encountered an inactive malware file not detected by the real time scanner (and I guess it was harmless); it was a .dll file with adware.
>
> Meaning that without its .exe and all that stuff, I can practically say this dll file is no threat, thus "inactive".

Malware authors use new techniques every day. So you can never assume that a DLL or some other malware-related file is safe to handle.
Previously, W32.Flamer malware authors have used Windows shell code execution techniques to automatically run malware as soon as you open the folder containing the infected file. This vulnerability no longer exists in Windows, but it gives a reason not to handle infected files carelessly.

Read this post by Didier Stevens on his blog: http://blog.didierstevens.com/2009/03/04/quickpost-jbig2decode-trigger-trio/
Quote from the last paragraph:

> So be very careful when you handle malicious files. You could execute it inadvertently, even without double-clicking the file. That's why I always change the extension of malware (trojan.exe becomes trojan.exe.virus) and handle them in an isolated virus lab. Outside of that lab, I encrypt the malware.



#13 noknojon (Banned, 10,871 posts)

Posted 12 October 2012 - 08:38 PM

Read this answer to find out a bit more - http://www.bleepingcomputer.com/forums/topic414227.html/page__view__findpost__p__2374135

Also interesting reading: Interview with Malwarebytes' founder, Marcin Kleczynski, a recent article from TechSpot -

#14 Didier Stevens (BC Advisor, 2,716 posts)

Posted 13 October 2012 - 03:12 AM

> So, isolated infected file not checked by real time scanner = not being accessed = inactive (a bit harmless)?

No, like I said in my first answer, your AV product can be configured differently for real time scanning and on demand scanning. Hence a file not detected by real time might be detected by on demand AND might be active.

Didier Stevens
http://blog.DidierStevens.com
http://DidierStevensLabs.com

SANS ISC Senior Handler
Microsoft MVP 2011-2016 Consumer Security, Windows Insider MVP 2016-2019


#15 nCharge (Topic Starter, Members, 57 posts)

Posted 13 October 2012 - 04:50 PM

Thanks for the extra information and reading,

To Didier Stevens: What if real time and on demand profiles are the same (highest settings)?

And, what I see is some PDF exploit leading to an infection. Are AVs capable of preventing these kinds of threats, or will they find something only post infection?
I mean, just opening the folder containing the infected file can lead to an infection; with further updates, will antiviruses block the infection when opening the folder, or will the AV detect something only after the infection has occurred? (real time/on demand?)

The question is why a malware has not been detected at a precise moment whereas it could be detected by an on demand scan at the same moment (same database version + malware is listed in the AV's database):
-Different scanning profiles?
-Not an AV's domain?
-Or?
