
Scan in archives?


I was doing a quick test to see if SAS was working as it should be (I downloaded the bluescreen screensaver from Sysinternals). It was packed in a zip archive and was downloaded undetected. I figured maybe SAS would only detect it once it hit memory (as I recall, that's how SAS's realtime protection works). And sure enough, it was detected and blocked by SAS once executed. To test the scanner I did a right-click scan of the screensaver file on the desktop, and sure enough it was detected as I expected it to be. However, when I did the right-click scan on the zip file, nothing was detected, and when I executed the screensaver directly from the archive, it was blocked in memory, but SAS only got the file in the temp directory where Windows copied it to when I ran it from the zip file. This concerns me, as it seems a lot of self-regenerating malware these days will use a similar tactic of packing itself in an archive and just executing over and over again every time the new copy is deleted or blocked. I appreciate any feedback and I don't intend this to be a complaint; I was just wondering why SAS operates this way. Thanks in advance.

We don't scan inside archives - really don't see malware, except for tests such as yours with real malware in archives like that on live systems.
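What an on-demand scan that does look inside a zip involves, as an added example that is not part of the original posts and is not SAS's code. It assumes a SHA-256 blocklist as a stand-in for a real detection engine; `flat_scan`, `scan_zip`, `make_zip`, the limits and the marker payload are all constructed for illustration.

```python
import hashlib
import io
import zipfile

MAX_MEMBER_BYTES = 32 * 1024 * 1024   # skip members that declare a huge size (zip-bomb guard)
MAX_DEPTH = 3                          # number of archive levels the scan will open

def flat_scan(data, blocklist):
    """Hash only the container file, without opening it (simplified model)."""
    return hashlib.sha256(data).hexdigest() in blocklist

def scan_zip(data, blocklist, prefix="", depth=0):
    """Return (findings, skipped): flagged member paths, and (path, reason) for uninspected ones."""
    findings, skipped = [], []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            path = f"{prefix}{info.filename}"
            if info.is_dir():
                continue
            if info.flag_bits & 0x1:               # bit 0 set = encrypted member
                skipped.append((path, "encrypted"))
                continue
            if info.file_size > MAX_MEMBER_BYTES:
                skipped.append((path, "too large"))
                continue
            body = zf.read(info)
            if hashlib.sha256(body).hexdigest() in blocklist:
                findings.append(path)
            if zipfile.is_zipfile(io.BytesIO(body)):   # member is itself an archive
                if depth + 1 >= MAX_DEPTH:
                    skipped.append((path, "nesting limit"))
                else:
                    inner = scan_zip(body, blocklist, path + "!/", depth + 1)
                    findings += inner[0]
                    skipped += inner[1]
    return findings, skipped

def make_zip(members):
    """Build a zip in memory from {name: bytes} (helper for the constructed sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, body in members.items():
            zf.writestr(name, body)
    return buf.getvalue()

# Constructed sample: a harmless marker stands in for the flagged screensaver.
MARKER = b"constructed-test-marker: not real malware"
BLOCKLIST = {hashlib.sha256(MARKER).hexdigest()}
INNER = make_zip({"bluescreen.scr": MARKER})
OUTER = make_zip({"readme.txt": b"hello", "tools/inner.zip": INNER})
```

Members reported in `skipped` are the ones such a scan cannot vouch for, so they are worth surfacing to the user rather than treating the archive as clean.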
