
Posted

How does the advanced memory scanner work in ESET products?

Posted

Should the AMS submit suspected fileless threats for analysis?

Posted

Advanced memory scanner scans an already unpacked code in memory upon execution. For more information, read hxxp://www.eset.com/int/about/technology/.

...@OP, and also open the PDF they refer to for some more information on the technology used in the products.

Posted

A simple analogy here is a file archive. It is stored in a compressed format. An AV scanner cannot scan files in a compressed format unless it first uncompresses the archive.

Likewise, malware can pack and obfuscate, i.e. hide, executable code in, let's say, a JavaScript file. It does so to avoid detection by conventional AV scanning methods when downloaded. Additionally, the malicious code cannot execute until the malware unpacks and un-obfuscates the code. AMS protection will detect this activity and suspend the process so it can be scanned for malware and/or terminate the process.

When ESET states this is a post-execution detection method, what is meant is that the malware process has already started executing prior to the unpacking and un-obfuscating activity, and some system modification might have occurred. However, this damage is usually minor in effect and easy to correct.
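An added illustration of the point the replies above make (constructed example code, not ESET's implementation and not from the linked PDF): a toy packer hides a signature from an on-disk scan, and the same scanner hooked at the moment the unpacked code appears in memory catches it. The packer, the signature name and the sample "code" are all made up for the demo.

```python
import zlib

# Constructed signature database: byte patterns a conventional on-disk scanner matches.
SIGNATURES = {"Demo.Packed.Marker": b"EVIL_PAYLOAD_MARKER"}

# Constructed sample: the cleartext code as it exists only after the malware unpacks itself.
CLEARTEXT_CODE = b"function run(){ /* EVIL_PAYLOAD_MARKER */ doBadThings(); }"


def signature_scan(data: bytes) -> list:
    """Return the names of every signature whose pattern appears in `data` as stored."""
    return [name for name, pattern in SIGNATURES.items() if pattern in data]


def pack(payload: bytes, key: int = 0x5A) -> bytes:
    """Toy packer: compress, then XOR every byte, so no cleartext pattern survives on disk."""
    return bytes(b ^ key for b in zlib.compress(payload))


def unpack(blob: bytes, key: int = 0x5A) -> bytes:
    """Toy unpacking stub: reverses pack(). Real malware runs this only after it has started."""
    return zlib.decompress(bytes(b ^ key for b in blob))


def execute_packed(blob: bytes, memory_scanner=None) -> tuple:
    """Simulate running a packed sample: the stub rebuilds the cleartext code in memory.
    With a memory scanner attached, that buffer is checked at this point (the AMS-style
    post-execution check) and the process is suspended before the code runs."""
    unpacked_in_memory = unpack(blob)
    if memory_scanner is not None:
        hits = memory_scanner(unpacked_in_memory)
        if hits:
            return ("suspended", hits)
    return ("executed", [])


def demo() -> dict:
    """Run the scenario three ways and return what each observer sees."""
    blob = pack(CLEARTEXT_CODE)
    return {
        "on_disk_scan": signature_scan(blob),                         # [] : signature hidden by packing
        "memory_scan_at_exec": execute_packed(blob, signature_scan),  # ("suspended", ["Demo.Packed.Marker"])
        "no_memory_scanner": execute_packed(blob),                    # ("executed", [])
    }


if __name__ == "__main__":
    for step, result in demo().items():
        print(f"{step}: {result}")
```

The "no_memory_scanner" case is the window the last reply describes: the process has already started before the unpacked code becomes visible, which is why the detection is called post-execution.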
