0xDEADBEEF, posted July 8, 2018:
I noticed that even with the real-time file scanning disabled, there is something called the startup scanner that will detect some threats before the Advanced Memory Scanner kicks in. Is the startup scanner a special monitoring layer? What's the difference between it and the real-time scanner? How do I disable/configure it?
Marcos (Administrator), posted July 8, 2018:
It's another protection layer. While AMS scans process memory upon execution, the startup scan (available as tasks in Scheduler) scans files registered in startup locations and memory after each module update and user logon.
0xDEADBEEF, posted July 8, 2018:
4 minutes ago, Marcos said: "It's another protection layer. While AMS scans process memory upon execution, the startup scan (available as tasks in Scheduler) scans files registered in startup locations and memory after each module update and user logon."
Cool, thanks. I wonder whether this is the setting for configuring the startup scanning? BTW, am I correct that pausing the protection using the right-click menu in the tray will also pause the startup scan? It seems there is no standalone knob for turning this on or off in the settings menu.
Marcos (Administrator), posted July 8, 2018:
That is correct. Startup scan tasks can be disabled in Scheduler; however, we don't recommend that. As a result, if you had new malware running in memory and ESET updated its modules to recognize it, it might not be recognized until a computer restart. Pausing protection has no effect on startup scans, AMS, etc. It simply pauses real-time protection, web and email protection, document protection, etc.
itman, posted July 8, 2018:
And if you're really "paranoid" about startup-based malware, you can configure a startup scan to run prior to any user logon activity, as shown in the screenshot below. Note that this slows down your OS boot to desktop a tad. Also, I would set the scan priority on this to "highest":
0xDEADBEEF, posted July 8, 2018:
4 minutes ago, Marcos said: "Pausing protection has no effect on startup scans, AMS, etc. It simply pauses real-time protection, web and email protection, document protection, etc."
Hmm, I saw behavior different from your description in EES7. If I simply disable the real-time monitoring permanently in the settings, executing an old Cerber sample will result in a detection from the startup scanner. However, pausing the protection using the tray menu (without disabling real-time monitoring in the settings) moves the detection of the same sample to AMS. That's why I think pausing the protection also pauses the startup scanner. Other samples show a similar situation.
itman, posted July 8, 2018:
5 minutes ago, 0xDEADBEEF said: "However, pausing the protection using the tray menu (without disabling real-time monitoring in the settings) moves the detection of the same sample to AMS. That's why I think pausing the protection also pauses the startup scanner."
If you are referring to any startup scan that might run after real-time scanning has been disabled via the desktop option, it not running seems reasonable to me. However, the real-time scanner, if paused, will auto-activate at the next system boot. Therefore, any scheduled startup scan should run unimpeded.
0xDEADBEEF, posted July 8, 2018:
9 minutes ago, itman said: "If you are referring to any startup scan that might run after real-time scanning has been disabled via the desktop option, it not running seems reasonable to me. However, the real-time scanner, if paused, will auto-activate at the next system boot. Therefore, any scheduled startup scan should run unimpeded."
The confusing part is:
1. Disabling real-time filesystem protection permanently (meaning a reboot will keep it off) will still produce startup scan detections.
2. There is no setting to enable/disable the startup scan in the settings. It is triggered when certain types of malware execute (likely the ones that try to be persistent), so it is triggered by a malware event instead of a periodic task. I have not yet tried disabling the related entries in the task scheduler to see whether they are related.
3. Pausing protection then produces no alerts from either the real-time scan or the startup scan. AMS still works, though. So that's why I think pausing protection also pauses the startup scan.
4. The startup scan also scans memory objects (I saw a "threat detected in memory" alert from the startup scan for some samples). Does that mean the startup scan includes both a file scan like real-time monitoring and a memory scan like AMS?
I found no documentation of this scanner, which is why I posted the question here.
itman, posted July 8, 2018:
12 minutes ago, 0xDEADBEEF said: "There is no setting to enable/disable the startup scan in the settings."
You do so via the Eset GUI -> Tools -> More Tools -> Scheduler, and then just disable (uncheck) any scans you don't want to run.
itman, posted July 8, 2018:
26 minutes ago, 0xDEADBEEF said: "Does that mean the startup scan includes both a file scan like real-time monitoring and a memory scan like AMS?"
Makes sense to me that it would. I don't see how Eset could scan OS-based tasks used as part of the user logon processing; these would already be running by the time the startup scan initiated. As such, AMS would be deployed to scan these.
0xDEADBEEF, posted July 8, 2018:
31 minutes ago, itman said: "You do so via the Eset GUI -> Tools -> More Tools -> Scheduler, and then just disable (uncheck) any scans you don't want to run."
Though I don't think disabling the scheduler will disable the malware-triggered startup scan detection. I will do an experiment tonight and see. Actually, I am more interested in the triggers of such a scanner (not the triggers of the scheduled task).
itman, posted July 8, 2018:
1 hour ago, 0xDEADBEEF said: "Actually, I am more interested in the triggers of such a scanner (not the triggers of the scheduled task)."
I assume you are referring to AMS. Eset's official description:
"Advanced Memory Scanner works in combination with Exploit Blocker to provide better protection against malware that has been designed to evade detection by antimalware products through the use of obfuscation and/or encryption. In cases where ordinary emulation or heuristics might not detect a threat, the Advanced Memory Scanner is able to identify suspicious behavior and scan threats when they reveal themselves in system memory. This solution is effective against even heavily obfuscated malware. Unlike Exploit Blocker, this is a post-execution method, which means that there is a risk that some malicious activity could have been performed prior to its detecting a threat. However, in the case that other detection techniques have failed, it offers an additional layer of security."
My best guess lies in the phrase "designed to evade detection by antimalware products through the use of obfuscation and/or encryption." These techniques are primarily used in scripts but can be present in other types of downloads. The "trigger," I strongly suspect, is when heuristic scanning sees code patterns indicative of the above methods; it will then call AMS to monitor the process after it starts executing. Also, real-time scanning has YARA-like behavior signatures. Possibly, if one of those is triggered, it could fire up AMS for a "look-see."
0xDEADBEEF, posted July 8, 2018:
31 minutes ago, itman said: "I assume you are referring to AMS."
Not really. I kind of get what AMS's trigger is. The startup scanner is a bit different. My current observation is that the startup scanner encompasses two major scanning methods: the file scan and the memory scan. When real-time monitoring is disabled, not all malware that can be detected by the default scan engine will trigger a startup scanner detection. I can imagine that if a malware sample drops a binary to a key location (e.g. some autorun folder), it will trigger a file scan activity from the startup scanner. I am not sure about any other cases. Behaviorally, it is not as trivial as the real-time monitoring, where one can expect a scan whenever a file is created/executed.
itman, posted July 9, 2018:
14 hours ago, 0xDEADBEEF said: "My current observation is that the startup scanner encompasses two major scanning methods: the file scan and the memory scan. When real-time monitoring is disabled, not all malware that can be detected by the default scan engine will trigger a startup scanner detection."
I think we need to back up a bit. The AV scan engine and real-time scanning are two distinct entities. Disabling real-time scanning in Eset, and in most other AV products for that matter, does not disable the AV scan engine. A case in point in Win 10 is Windows Defender. When it detects another AV solution, its real-time scanning is disabled. However, its AV engine still loads at boot time as long as the "periodic scanning" option is not disabled. Likewise, if Eset's real-time scanning is disabled, its AV engine is still loaded at boot time and is available for any type of manually initiated scanning, including startup scanning. All of Eset's manually initiated scanning methods would have to be disabled to completely negate the use of the Eset AV engine.
As far as malware behavior "triggering" real-time scanning, it is not a factor. Real-time scanning in Eset is triggered by any of the following activities, depending on the options selected: file open, creation, execution, or removable media access. During file scanning, heuristics and sandboxing are employed, which, depending on process behavior, could trigger further Eset monitoring activities.
As far as Eset startup scanning goes, by default it uses the Smart scan profile. That profile by default will scan boot sectors/UEFI and memory in addition to files. By default, the startup scan runs after user logon. The question to be asked is whether startup scanning can detect malware loading via WMI, task scheduler, the registry, system directories, etc. I really don't see how it can, other than by memory scanning, since processes from the aforementioned areas may already have loaded and be executing when startup scanning initiates.
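The "startup locations" Marcos refers to and the WMI, task scheduler, registry and startup-folder locations itman lists are the same autostart surface. The PowerShell inventory below is an added example (not ESET's code and not posted by anyone in this thread) that enumerates those locations and hashes the binaries they reference, so a defender can diff the list after a logon or module update; the function names and the UNRESOLVED marker are my own choices.

```powershell
# Added example (not ESET code): inventory the autostart locations a startup scan
# covers and hash the binaries they reference, so the list can be diffed after a
# logon or module update. Run in an elevated PowerShell; needs Get-ScheduledTask.
function Resolve-ExePath {
    param([string]$Command)
    if ([string]::IsNullOrWhiteSpace($Command)) { return $null }
    # First token, quoted or not, with environment variables expanded.
    $m = [regex]::Match($Command, '^\s*(?:"([^"]+)"|(\S+))')
    $raw = if ($m.Groups[1].Success) { $m.Groups[1].Value } else { $m.Groups[2].Value }
    $path = [Environment]::ExpandEnvironmentVariables($raw)
    if (Test-Path -LiteralPath $path -PathType Leaf) { return (Resolve-Path -LiteralPath $path).Path }
    $cmd = Get-Command $path -ErrorAction SilentlyContinue   # bare names resolve via PATH
    if ($cmd) { return $cmd.Source } else { return $null }
}
function New-AutostartEntry {
    param([string]$Source, [string]$Name, [string]$Command)
    $exe  = Resolve-ExePath $Command
    $hash = if ($exe) { (Get-FileHash -LiteralPath $exe -Algorithm SHA256).Hash } else { 'UNRESOLVED' }
    [pscustomobject]@{ Source = $Source; Name = $Name; Command = $Command; Path = $exe; SHA256 = $hash }
}
$entries = @()
# 1. Run / RunOnce keys for the machine and the current user.
foreach ($key in 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
                 'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
                 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
                 'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce') {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' }) {
        $entries += New-AutostartEntry -Source $key -Name $p.Name -Command $p.Value
    }
}
# 2. Per-user and all-users Startup folders.
foreach ($folder in [Environment]::GetFolderPath('Startup'), [Environment]::GetFolderPath('CommonStartup')) {
    foreach ($f in Get-ChildItem -LiteralPath $folder -File -ErrorAction SilentlyContinue) {
        $entries += New-AutostartEntry -Source 'StartupFolder' -Name $f.Name -Command $f.FullName
    }
}
# 3. Scheduled task exec actions (COM-handler actions have no Execute and are skipped).
foreach ($task in Get-ScheduledTask -ErrorAction SilentlyContinue) {
    foreach ($a in $task.Actions | Where-Object { $_.Execute }) {
        $entries += New-AutostartEntry -Source "Task:$($task.TaskPath)" -Name $task.TaskName -Command $a.Execute
    }
}
# 4. WMI permanent event consumers that run a command line.
foreach ($c in Get-CimInstance -Namespace root\subscription -ClassName CommandLineEventConsumer -ErrorAction SilentlyContinue) {
    $entries += New-AutostartEntry -Source 'WMI' -Name $c.Name -Command $c.CommandLineTemplate
}
$entries | Sort-Object Source, Name | Format-Table -AutoSize
```

Entries marked UNRESOLVED (an unquoted path containing spaces, or a target that no longer exists) are exactly the ones worth a manual look, since a file scan of startup locations cannot hash what it cannot resolve either.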