PrevxCSI- it scans only memory?

Discussion in 'other anti-malware software' started by aigle, Oct 22, 2007.

Thread Status:
Not open for further replies.
  1. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    I wonder what this tool actually scans.
    HD? My Documents? Program Files? Windows directory? System32 folder? Memory? ....

    I played a bit with it. Loaded a new session of Shadow Surfer.

    I used about 100 malware files (viruses, worms, adware, spyware, rootkits etc). I copied them one by one into different locations on my PC and ran a scan with PrevxCSI each time. All malware files were dormant of course.

    My documents - no detection
    Program files folder- no detection
    Windows Directory- no detection
    System 32 folder- no detection

    Very strange. I did another test. I tried to see if it catches malware from memory or not. I executed two malware samples (detectable by Prevx according to VT) and let them run in memory. I rescanned. Both were detected.

    In my opinion, it was better if they would have added a scan of System32 folder as well.
     

  2. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Surprisingly it is detecting one file from the root of C even though it's not active in memory.
     

  3. ghiser1

    ghiser1 Developer

    Joined:
    Jul 8, 2004
    Posts:
    132
    Location:
    Gloucester, UK
    Prevx CSI looks for Primary Infectors only.

    That is, malware that is either:

    a. already running, or
    b. pointed to by an entry in the registry that would make it run (e.g. a Run key).

    If you look at the log you'll see the kind of places in the registry that are being examined.

    Prevx CSI is not designed to seek out dormant malware or malware in archives.
    It is designed to identify "infected machines", not machines that just happen to contain malware samples.

    If you want to scan your entire machine and look in archives, you need to use Prevx 2.0.
     
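    The scope ghiser1 describes (running images plus Run-key targets) can be approximated with an added PowerShell script; this is an illustration, not Prevx code, and it covers only the four common Run/RunOnce keys as an assumed subset of the locations CSI actually examines.

    ```powershell
    # Added example: model the "primary infector" scope from the post above.
    # Assumption: only HKLM/HKCU Run and RunOnce are checked; CSI's real list is larger.
    $RunKeys = @(
      'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
      'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
      'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
      'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    )

    function Get-AutorunTargets {
      # Every value under the Run keys is a command line; extract the image path.
      foreach ($key in $RunKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
          if ($p.Name -like 'PS*') { continue }          # provider metadata, not a value
          $cmd = [string]$p.Value
          if ($cmd -match '^"([^"]+)"') { $exe = $Matches[1] }   # quoted path
          else { $exe = ($cmd -split '\s+')[0] }                 # first token
          [pscustomobject]@{ Source = "$key\$($p.Name)"; Path = $exe; Exists = (Test-Path $exe) }
        }
      }
    }

    function Get-RunningImages {
      # Path is empty for processes we cannot open (e.g. SYSTEM processes without elevation).
      Get-Process | Where-Object { $_.Path } | Select-Object -ExpandProperty Path -Unique
    }

    function Test-PrimaryInfectorScope {
      param([Parameter(Mandatory)][string]$Path)
      # $true only if the file is running or wired to a Run key; a dormant copy
      # dropped into System32 is in neither set, which is what the thread observed.
      $inScope = @((Get-AutorunTargets).Path) + @(Get-RunningImages) |
                 ForEach-Object { $_.ToLowerInvariant() } | Sort-Object -Unique
      return $inScope -contains $Path.ToLowerInvariant()
    }

    # Usage (constructed path, no such sample is shipped):
    Test-PrimaryInfectorScope -Path 'C:\Windows\System32\sample.exe'
    ```

    Run it elevated to see the full process list; without elevation, images of protected processes are missing from the running set.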
  4. 19monty64

    19monty64 Registered Member

    Joined:
    Apr 10, 2006
    Posts:
    1,302
    Location:
    Nunya, BZ
    So it is sort of an on-demand version of BoClean o_O
     
  5. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Thanks for the explanation.

    BTW there were no archives. I put executables directly in the system32 folder. A malware exe directly in the main system32 folder. I expected it to be detected!
     