AMS(Advanced Memory Scanner) Question

[Frost 0]

How does the advanced memory scanner work in ESET products?

[Marcos 5,070]

Advanced memory scanner scans an already unpacked code in memory upon execution. For more information, read hxxp://www.eset.com/int/about/technology/.

[toxinon12345 32]

Should the AMS submit suspected fileless threats for analysis?

[SweX 871]

Advanced memory scanner scans an already unpacked code in memory upon execution. For more information, read hxxp://www.eset.com/int/about/technology/.

...@OP, And also open the PDF they refer to for some more information on the technology used in the products.

[itman 1,659]

A simply analogy here is a file archive. It is stored in a compressed format. An AV scanner cannot scan files in compressed format unless it first un-compresses the archive.

Likewise, malware can pack and obfuscate, i.e. hide, executable code in let's say a javascript. It does so to avoid detection by AV conventional scanning methods when downloaded. Additionally, the malicious code cannot execute until the malware unpacks and un-obfuscates the code. AMS protection will detect this activity and suspends the process so it can be scanned for malware and/or terminates the process .

When Eset states this is a post execution detection method, what is meant that the malware process has already started execution prior to the unpacking and un-obfuscating activity and some system modification might have occurred. However, this damage is usually minor in effect and easy to correct.