Today some nasty malware named Win32/TrojanDownloader.Small.NFG tried to infiltrate into my computer via an e-mail message through POP3. Fortunately ESET Smart Security did its job and caught that threat. However, I would like to also see Prevx doing something. So my question is: 1) Does Prevx check the e-mail communication (POP3) in real time? 2) If so, why ESS outran Prevx and was the first to catch this threat? 3) If Prevx is not scanning mails in real time, how and when Prevx will catch infected mails? Thx for clarification.
Prevx 3 isn't monitoring the communication - as far as I think. That would just be waste of resources. As long as the malicious file is just "sleeping" on your hard drive as mail-attachment, it does no harm. If you (or who-/whatever) would try to execute it, then Prevx 3 would (hopefully) block it.
Before real-time email scanning became the rage with some AV vendors, the mantra used to be save and scan attachments before even thinking of opening them. I used to advise friends this in the hope they wouldn't just blindly open such attachments even from people they know. I believe that kind of thinking should still apply today. Unfortunately, it isn't and is one of the reasons why you hear media reports of infections spreading across networks. Today most of the infected attachments I've seen do look as if they come from unknown senders.
If you open or run the attachment, the AVs will automatically scan it. - So where is the benefit of scaning before opening? Best is to let them stay closed.
Thx for the given thorough explanation that was supported by PrevxHelp as well Very clear, so no other question.
The only reason I said to scan it first was to avoid opening or running the attachment thus keeping it closed as you said, but I take your point.
Scanning before open is a valid point for exploits which would come directly from the mail reader (there have been some in the past) but Prevx blocks code execution at all levels so we would still intercept it. Our mentality is generally to scan a file as little as necessary - in most cases just when it could potentially become a threat to your system. We are able to accomplish this because of the design of our behavior monitoring and the fact that although we don't scan a file as soon as it is written or read, we still do see those events and can act upon them if needed.
