
AMS (Advanced Memory Scanner) Question


A simple analogy here is a file archive. It is stored in a compressed format. An AV scanner cannot scan files in compressed format unless it first un-compresses the archive.

Likewise, malware can pack and obfuscate, i.e. hide, executable code in, let's say, a JavaScript. It does so to avoid detection by conventional AV scanning methods when downloaded. Additionally, the malicious code cannot execute until the malware unpacks and un-obfuscates the code. AMS protection will detect this activity and suspend the process so it can be scanned for malware and/or terminate the process.

When ESET states this is a post-execution detection method, what is meant is that the malware process has already started execution prior to the unpacking and un-obfuscating activity and some system modification might have occurred. However, this damage is usually minor in effect and easy to correct.

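The archive analogy from the post above, as an added example that is not part of the original post and is not ESET's code: a signature match over the bytes as stored misses content that the same match finds once the archive is unpacked. It covers only the file-archive half of the analogy, not memory scanning; the signature string, the limits and the sample archives are constructed for illustration.

```python
import io
import zipfile

# Constructed marker standing in for a real AV signature (assumption).
SIGNATURE = b"CONSTRUCTED-TEST-SIGNATURE-0001"
MAX_DEPTH = 3                 # nested-archive limit (assumed value)
MAX_MEMBER_BYTES = 1 << 20    # declared member size limit, 1 MiB (assumed value)


def scan_raw(data: bytes) -> bool:
    """Conventional scan: look for the signature in the bytes as stored."""
    return SIGNATURE in data


def scan_unpacked(data: bytes, name: str = "<input>", depth: int = 0) -> list[str]:
    """Scan the bytes, then unpack ZIP content and scan each member.

    Returns paths where the signature was found, plus "unscanned:" entries
    for content the scanner refused to unpack.
    """
    findings = []
    if scan_raw(data):
        findings.append(name)
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return findings
    if depth >= MAX_DEPTH:
        return findings + [f"unscanned:{name} (nesting too deep)"]
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            path = f"{name}/{info.filename}"
            if info.file_size > MAX_MEMBER_BYTES:
                findings.append(f"unscanned:{path} (too large)")
                continue
            findings += scan_unpacked(zf.read(info), path, depth + 1)
    return findings


def make_zip(members: dict[str, bytes]) -> bytes:
    """Build a deflate-compressed ZIP in memory (constructed sample input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for member_name, content in members.items():
            zf.writestr(member_name, content)
    return buf.getvalue()


# Constructed samples: a script carrying the marker, zipped twice.
inner = make_zip({"payload.js": b"var x = 1; // " + SIGNATURE})
outer = make_zip({"readme.txt": b"hello", "inner.zip": inner})
```

Content reported as `unscanned:` has not been cleared; a scanner that hits its unpacking limits has to treat that content as unknown rather than clean.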