Frost (Posted March 18, 2016): How does the advanced memory scanner work in ESET products?
Marcos (Administrators, Posted March 18, 2016): Advanced memory scanner scans already unpacked code in memory upon execution. For more information, read hxxp://www.eset.com/int/about/technology/.
toxinon12345 (ESET Insiders, Posted March 18, 2016): Should the AMS submit suspected fileless threats for analysis?
SweX (Posted March 19, 2016), quoting Marcos: "Advanced memory scanner scans already unpacked code in memory upon execution. For more information, read hxxp://www.eset.com/int/about/technology/." @OP, and also open the PDF they refer to for some more information on the technology used in the products.
itman (Posted March 19, 2016): A simple analogy here is a file archive. It is stored in a compressed format. An AV scanner cannot scan files in compressed format unless it first uncompresses the archive. Likewise, malware can pack and obfuscate, i.e. hide, executable code in, let's say, JavaScript. It does so to avoid detection by conventional AV scanning methods when downloaded. Additionally, the malicious code cannot execute until the malware unpacks and un-obfuscates the code. AMS protection will detect this activity and suspend the process so it can be scanned for malware, and/or terminate the process. When ESET states this is a post-execution detection method, what is meant is that the malware process has already started execution prior to the unpacking and un-obfuscating activity, and some system modification might have occurred. However, this damage is usually minor in effect and easy to correct.
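As an added toy model of the point made in this thread (not ESET code, and not a reimplementation of AMS): a static scan of the stored, still-packed bytes finds nothing, while a scan of the process image at the moment it unpacks itself does, and by then one simulated system change has already happened. The marker string, the 3-byte XOR "packer" and the simulated process steps are all constructed for illustration.

```python
# Added toy model, not ESET code: a constructed marker stands in for a real
# signature and a 3-byte XOR stands in for real packing/obfuscation.
SIGNATURE = b"CONSTRUCTED_TEST_MARKER"  # constructed, not a real signature

def toy_pack(data: bytes, key: bytes) -> bytes:
    """XOR with a rolling key; the marker no longer appears in the output."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def toy_unpack(data: bytes, key: bytes) -> bytes:
    return toy_pack(data, key)  # XOR is symmetric

def static_scan(stored_blob: bytes) -> bool:
    """Pre-execution scan: sees only the stored (still packed) bytes."""
    return SIGNATURE in stored_blob

class SimulatedProcess:
    """Makes a system change, then unpacks; AMS hooks the unpack point."""

    def __init__(self, stored_blob: bytes, key: bytes):
        self.key = key
        self.memory = stored_blob   # image as loaded: still packed
        self.state = "running"
        self.changes = []           # modifications made before detection

    def step_modify(self):
        self.changes.append("simulated startup entry written")

    def step_unpack(self):
        self.memory = toy_unpack(self.memory, self.key)
        ams_check(self)

def ams_check(proc: SimulatedProcess) -> bool:
    """Post-execution memory scan; suspends the process on a hit."""
    if SIGNATURE in proc.memory:
        proc.state = "suspended"
        return True
    return False

def run_scenario(key: bytes = b"\x5a\xa5\x3c") -> dict:
    stored = toy_pack(SIGNATURE, key)       # what sits on disk
    proc = SimulatedProcess(stored, key)
    proc.step_modify()                       # damage done before unpacking
    proc.step_unpack()                       # unpacking triggers the AMS check
    return {"static_hit": static_scan(stored),
            "state": proc.state,
            "changes_before_detection": len(proc.changes)}

if __name__ == "__main__":
    print(run_scenario())
```

The returned dictionary shows the static scan missing the packed blob, the process ending up suspended after the memory scan, and one change recorded before detection, which is the "minor damage" itman describes.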