How important is to scan memory?

Discussion in 'NOD32 version 2 Forum' started by beethoven, Aug 23, 2005.

Thread Status:
Not open for further replies.
  1. beethoven

    beethoven Registered Member

    Joined:
    Dec 27, 2004
    Posts:
    1,079
I have set up my Nod according to Blackspear's Max Setting which is fine for normal scans of my HD.
    Just wondering how important it is to scan memory when doing a scan of an individual file via right-click? Scanning memory always takes a bit of time - irrelevant when scanning the whole drive but annoying when waiting to open a Word or Excel file. I guess under normal circumstances these files would have been checked by AMON, DMON or potentially IMON anyway but being paranoid I often prefer to have another manual scan of this file.
    Do I need to keep memory scanning ticked for this purpose or can I create a new profile without this and still be safe?
     
  2. RejZoR

    RejZoR Registered Member

    Joined:
    May 31, 2004
    Posts:
    6,426
I have sent Blackspear a PM with info to set up an automated memory scan on PC bootup, but he didn't publish it in his thread... :doubt:
     
  3. fosius

    fosius Registered Member

    Joined:
    Oct 14, 2004
    Posts:
    479
    Location:
    Partizanske, Slovakia
You can create a new profile where you uncheck "Scan operating memory".
    In my opinion, you will be safe because there is still AMON scanning all file operations.
     
  4. rdsu

    rdsu Registered Member

    Joined:
    Jun 28, 2003
    Posts:
    4,462
    For the right click check I disabled the Memory scan... ;)
     
  5. beethoven

    beethoven Registered Member

    Joined:
    Dec 27, 2004
    Posts:
    1,079
    Thanks guys - I think that's what I do then too. :D
     
  6. Brian N

    Brian N Registered Member

    Joined:
    Jul 7, 2005
    Posts:
    2,148
    Location:
    Denmark
Yup, me too.
     
  7. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    The significance of memory scanning is if you encounter malware that has been packed or encrypted to evade file scanners. In such cases, it may only be picked up by a memory scanner when it is unpacked/decrypted (which is why anti-trojan software always includes a memory scanner - and in the case of BOClean is almost exclusively a memory scanner).

This problem is most likely to occur with non-replicating malware (e.g. trojans rather than viruses or worms) since the replicating stuff is more likely to be picked up by AV companies first and added to their databases. So the significance of a memory scanner should be related to the probability of encountering such a trojan.
     
  8. beethoven

    beethoven Registered Member

    Joined:
    Dec 27, 2004
    Posts:
    1,079
    Paranoid2000 - let me clarify this.
    Are you saying if I use the shortcut for right-click without memory scanning and the goodie is a non-replicating packed trojan NOD may not pick it up when opening the file? :( However, keeping the max setting with memory scanning every time I would avoid that scenario?
     
  9. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    Malware authors now routinely use runtime compressors (like UPX or ASPack) or encryptors to make their wares appear different and thereby avoid any scanners (the really good ones will write their own compression/encryption routines). A file scanner will only detect such if it has an equivalent unpacker/decryptor which allows it to see the underlying code or if the vendor has picked up the encrypted/compressed version and created a separate signature for it.

    A memory scanner should notice that the malware is self-modifying as it decrypts/unpacks itself and should be able to intercept and scan the actual code once this is done, regardless of the method used. This is not without risk since it means allowing the malware to run (at least to the extent of unpacking/decrypting) and other techniques could be used to fool a memory scanner also. However in the case of real world trojan detection, memory scanners do have a higher detection rate than file scanners.

    So in the case of replicating malware - which tends to spread far and wide - there is a good chance of the second scenario happening (new sig for obfuscated code). For non-replicating malware, you may well be the first person to encounter it and this presents the toughest situation for any scanner. Your chance of encountering such depends on your online habits (e.g. do you download from anonymous sources like P2P, IRC, Usenet?) so the importance of memory scanning likewise depends on these.

This applies to all anti-virus/anti-trojan scanners, not just NOD32, and those who consider themselves high-risk may wish to add an anti-trojan scanner or process protection software like Process Guard or System Safety Monitor.
     
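The following is an added illustration of the point made in Paranoid2000's two posts above (packed/encrypted code defeating a file scanner, the unpacked runtime image being caught by a memory scanner, and the "second scenario" of a vendor adding a signature for the packed form). It is example code written for this thread, not the engine of NOD32, BOClean or any other product. The "malware" is a constructed, harmless marker string, and the toy packer (zlib plus a one-byte XOR) stands in for UPX, ASPack or a custom routine; the function names `pack`, `unpack`, `file_scan`, `memory_scan` and `is_self_modifying` are all assumptions of this example.

```python
"""Why a file-content signature misses a packed payload that a scan of the
unpacked in-memory image still catches.

Illustration code added for this thread; not NOD32's or BOClean's code.
"""
import zlib

# Constructed stand-in for the byte sequence a signature would match on.
# This is NOT real malware, just a marker string.
SIGNATURE = b"CONSTRUCTED-MARKER-NOT-REAL-MALWARE"

# Constructed "program image": a header, filler, the marker, filler, trailer.
PLAIN_IMAGE = b"header" + b"\x00" * 16 + SIGNATURE + b"\x00" * 16 + b"trailer"


def pack(image: bytes, key: int = 0x5A) -> bytes:
    """Toy packer (assumed): compress, then XOR every byte with `key`.

    Stands in for a runtime compressor/encryptor. The output shares no
    contiguous run of bytes with the plain image, so a plain signature
    cannot match it on disk.
    """
    return bytes(b ^ key for b in zlib.compress(image))


def unpack(packed: bytes, key: int = 0x5A) -> bytes:
    """Inverse of pack(): what the packed program does to itself at runtime."""
    return zlib.decompress(bytes(b ^ key for b in packed))


def file_scan(on_disk: bytes, signatures) -> list:
    """Signature scan over the bytes exactly as they sit on disk."""
    return [s for s in signatures if s in on_disk]


def memory_scan(runtime_image: bytes, signatures) -> list:
    """The same signature scan, but over the unpacked runtime image."""
    return file_scan(runtime_image, signatures)


def is_self_modifying(on_disk: bytes, runtime_image: bytes) -> bool:
    """A memory scanner's simplest cue: the running image no longer matches
    the bytes it was loaded from, so the program rewrote itself."""
    return on_disk != runtime_image


def demo():
    """Returns (file-scan hits, memory-scan hits, file-scan hits once the
    vendor adds a signature for the packed form itself)."""
    packed = pack(PLAIN_IMAGE)
    sigs = [SIGNATURE]

    # Scenario 1: the file scanner only has the plain signature -> miss.
    on_disk = file_scan(packed, sigs)

    # The program unpacks itself; a memory scanner sees the real code.
    runtime = unpack(packed)
    in_memory = memory_scan(runtime, sigs)

    # Scenario 2 from the thread: the vendor has seen this packed variant
    # and shipped a signature for its packed bytes (here: the first 16).
    packed_sig = packed[:16]
    on_disk_with_packed_sig = file_scan(packed, sigs + [packed_sig])

    return on_disk, in_memory, on_disk_with_packed_sig


if __name__ == "__main__":
    disk_hits, mem_hits, packed_hits = demo()
    print("file scan, plain signature only:", disk_hits)
    print("memory scan after unpack:       ", mem_hits)
    print("file scan, packed-form signature:", packed_hits)
    print("self-modifying at runtime?      ",
          is_self_modifying(pack(PLAIN_IMAGE), unpack(pack(PLAIN_IMAGE))))
```

Running it shows an empty hit list for the on-disk scan with only the plain signature, a hit from the memory scan once the image is unpacked, and a hit from the on-disk scan only after a signature for that specific packed form exists. That last case is exactly why widely spread (replicating) samples tend to get caught on disk while a one-off trojan, which no vendor has seen packed this way, is left to the memory scanner. The cost the thread mentions is also visible: `memory_scan` can only run after `unpack`, i.e. after the code has been allowed to execute far enough to decode itself.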