How important is to scan memory?

I have set up my Nod according to Blackspears Max Setting which is fine for normal scans of my HD.
Just wondering how important it is to scan memory when doing a scan of an individual file via rightclick? Scanning memory always takes a bit of time - irrelevant when scanning the whole drive but annoying when waiting to open a word or exl file. I guess under normal circumstances these files would have been checked by AMON, DMON or potentially IMON anyway but being paranoid I often prefer to have another manual scan of this file.
Do I need to keep memory scanning ticked for this purpose or can I create a new profile without this and still be safe?

 

I have sent Blackspear a PM with info to set up automated memory scan on PC bootup,but he didn't published it in his thread...

 

You can create a new profile where you uncheck "Scan operating memory"..
In my opinion, you will be safe because there is still AMON scanning all file operations..

 

For the right click check I disabled the Memory scan...

 

Thanks guys - I think that's what I do then too.

 

Yup me too

 

The significance of memory scanning is if you encounter malware that has been packed or encrypted to evade file scanners. In such cases, it may only be picked up by a memory scanner when it is unpacked/decrypted (which is why anti-trojan software always includes a memory scanner - and in the case of BOClean is almost exclusively a memory scanner).

This problem is most likely to occur with non-replicating malware (e.g. trojans rather than viruses or worms) since the replicating stuff is more likely be picked up by AV companies first and added to their databases. So the signficance of a memory scanner should be related to the probability of encountering such a trojan.

 

Paranoid2000 - let me clarify this.
Are you saying if I use the shortcut for right-click without memory scanning and the goodie is a non-replicating packed trojan NOD may not pick it up when opening the file? However, keeping the max setting with memory scanning every time I would avoid that scenario?

 

Malware authors now routinely use runtime compressors (like UPX or ASPack) or encryptors to make their wares appear different and thereby avoid any scanners (the really good ones will write their own compression/encryption routines). A file scanner will only detect such if it has an equivalent unpacker/decryptor which allows it to see the underlying code or if the vendor has picked up the encrypted/compressed version and created a separate signature for it.

A memory scanner should notice that the malware is self-modifying as it decrypts/unpacks itself and should be able to intercept and scan the actual code once this is done, regardless of the method used. This is not without risk since it means allowing the malware to run (at least to the extent of unpacking/decrypting) and other techniques could be used to fool a memory scanner also. However in the case of real world trojan detection, memory scanners do have a higher detection rate than file scanners.

So in the case of replicating malware - which tends to spread far and wide - there is a good chance of the second scenario happening (new sig for obfuscated code). For non-replicating malware, you may well be the first person to encounter it and this presents the toughest situation for any scanner. Your chance of encountering such depends on your online habits (e.g. do you download from anonymous sources like P2P, IRC, Usenet?) so the importance of memory scanning likewise depends on these.

This applies to all anti-virus/anti-trojan scanners, not just NOD32 and those who consider themselves high-risk may wish to add an anti-trojan scanner or process protection software like Process Guard or System Safety Monitor.