SUPERAntiSpy Posted November 14, 2008

I was doing a quick test to see if SAS was working as it should be (I downloaded the bluescreen screensaver from Sysinternals). It was packed in a zip archive and was downloaded undetected. I figured maybe SAS would only detect it once it hit memory (as I recall, that's how SAS's realtime protection works). And sure enough, it was detected and blocked by SAS once executed. To test the scanner I did a right-click scan of the screensaver file on the desktop, and sure enough it was detected as I expected it to be. However, when I did the right-click scan on the zip file, nothing was detected, and when I executed the screensaver directly from the archive, it was blocked in memory, but SAS only got the file in the temp directory where Windows copied it to when I ran it from the zip file.

This concerns me, as it seems these days a lot of self-regenerating malware will use a similar tactic of packing itself in an archive and just executing over and over again every time the new copy is deleted or blocked. I appreciate any feedback and I don't intend this to be a complaint, I was just wondering why SAS operates this way. Thanks in advance.

We don't scan inside archives - really don't see malware, except for tests such as yours with real malware in archives like that on live systems.
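The difference between scanning a zip file as a single object and scanning its members, as an added example that is not part of the original thread and is not SUPERAntiSpyware's code. It assumes a SHA-256 blocklist as a stand-in for a real detection engine; the function names, limits and sample bytes are constructed for illustration.

```python
import hashlib
import io
import zipfile

MAX_DEPTH = 3                   # assumed limit on nested archives
MAX_MEMBER_BYTES = 50 * 2**20   # assumed per-member cap (decompression-bomb guard)

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def container_only_scan(data: bytes, blocklist: set) -> bool:
    """Scan the file as one opaque object, the behaviour described in the thread."""
    return sha256(data) in blocklist

def scan_bytes(data: bytes, blocklist: set, name: str = "<file>", depth: int = 0) -> list:
    """Return paths whose SHA-256 is blocklisted, descending into zip members."""
    hits = [name] if sha256(data) in blocklist else []
    if depth >= MAX_DEPTH or not zipfile.is_zipfile(io.BytesIO(data)):
        return hits
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir() or info.file_size > MAX_MEMBER_BYTES:
                continue  # skip directories and members declared too large
            try:
                with zf.open(info) as member:
                    body = member.read(MAX_MEMBER_BYTES + 1)
            except (RuntimeError, zipfile.BadZipFile):
                continue  # encrypted or corrupt member: cannot be inspected
            if len(body) > MAX_MEMBER_BYTES:
                continue  # declared size understated the real size
            hits += scan_bytes(body, blocklist, f"{name}!{info.filename}", depth + 1)
    return hits

def build_demo():
    """Constructed sample: harmless bytes standing in for the flagged screensaver."""
    payload = b"constructed stand-in for a flagged screensaver"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("sample.scr", payload)
    return payload, buf.getvalue()

if __name__ == "__main__":
    payload, archive = build_demo()
    blocklist = {sha256(payload)}
    print("container-only scan hit:", container_only_scan(archive, blocklist))
    print("member scan hits:", scan_bytes(archive, blocklist, "demo.zip"))
```

Encrypted members are skipped rather than flagged here; a scanner that cannot open a member still sees the extracted copy when it is written to disk or executed, which is the temp-directory detection described in the first post.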