I'm curious as to how Ewido claims to be able to detect unknown malware. As i understand (bear in mind i have only very briefly testsed the free version, though this at least had the real time component active for a small period) all Ewido is doing is detecting that a new process starts and running a scan (be it tradtional signature or heuristic) on the staring process. I have come to this conclusion because several self coded malware were not prevented while the real time component was active. Is my understanding of this correct, is the real time component an on demand scanning facility, or is it something more?