Seth

Scanning vs. real-time protection


Nick,

Is it possible for certain malware to get by the real time protection, yet be caught by a scan?

Thanks

> Nick,
>
> Is it possible for certain malware to get by the real time protection, yet be caught by a scan?
>
> Thanks

That is "possible" - for example: if the files are dropped by something we don't detect, then the scan could find the samples when it was executed.

> Nick,
>
> Is it possible for certain malware to get by the real time protection, yet be caught by a scan?
>
> Thanks

> That is "possible" - for example: if the files are dropped by something we don't detect, then the scan could find the samples when it was executed.

But if real time uses the same signatures as the scan, then why wouldn't real time have caught it?

> Nick,
>
> Is it possible for certain malware to get by the real time protection, yet be caught by a scan?
>
> Thanks

> That is "possible" - for example: if the files are dropped by something we don't detect, then the scan could find the samples when it was executed.

> But if real time uses the same signatures as the scan, then why wouldn't real time have caught it?

I am referring to a "dropper" or "downloader" that we may not detect - but will drop or download files we do detect.

> Nick,
>
> Is it possible for certain malware to get by the real time protection, yet be caught by a scan?
>
> Thanks

> That is "possible" - for example: if the files are dropped by something we don't detect, then the scan could find the samples when it was executed.

> But if real time uses the same signatures as the scan, then why wouldn't real time have caught it?

Ok. That makes sense.

Thanks.


FYI Seth

A while back I was tracking around 6 unique z-lob/smitfraud-type infection sources (commonly known as free pr0n codecs :wink: ).

At one point the droppers (z-lob trojans) were getting a fresh lick of paint every 3-5 hrs in order to generate new file MD5s and elevate their chance of bypassing signature-based defenders to deploy their payload.

Oddly enough, the imported smitfraud-type/fake-alert infection component files got a fresh lick of paint every 12-14 days, by my observations/findings.

IRC Nick must have made some smart rules for these bad boys, because I was running the droppers to harvest the payload and SAS Free was cleaning up the payload (infection) files that were, at the time of testing, unknown or barely known at the VirusTotal service (mixed AV/AT/ASW databases) :shock: :P

http://www.virustotal.com/en/indexf.html

Mr isamini.exe, psmgr.exe, isadd.dll and renamed friends were being expunged even if they were fresh off the malware servers with a new lick of paint :P

http://www.castlecops.com/postlite178872-zlob.html

http://www.castlecops.com/postlite178875-zlob.html

*If you check that timeline (date) at the MIRT malware listserv, there were 9 files (z-lob droppers and infection component files) uploaded with between 0-5 hits from the databases at VT, so these files were *very new* editions.
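As an added illustration (not from any poster in this thread and not the product's own code), the Python model below puts the two points of the thread together: a dropper re-packed so its MD5 no longer matches a hash signature, and a dropped component that the real-time hook lets through because its signature only arrives later, but that a full scan with current definitions then finds. All file names, byte contents and signature names are constructed for the example.

```python
import hashlib
import re

# Constructed stand-ins for a dropper and the component it writes. These are
# labelled sample bytes for the model, not real malware.
DROPPER_BUILD_1 = b"DROPPER build 1: fetch and write fakealert component"
DROPPER_BUILD_2 = DROPPER_BUILD_1 + b"\x00"   # re-packed: one byte changes the MD5
PAYLOAD = b"FAKEALERT component: your PC is infected, buy now"


def md5(data):
    return hashlib.md5(data).hexdigest()


def match(sigs, data):
    """Return the first matching detection name, or None.

    sigs is a list of (kind, value, name). "hash" matches an exact MD5 and
    breaks as soon as the file is re-packed; "pattern" is a byte regex on the
    content and survives a new build as long as the component itself is unchanged.
    """
    for kind, value, name in sigs:
        if kind == "hash" and md5(data) == value:
            return name
        if kind == "pattern" and re.search(value, data):
            return name
    return None


def on_write(path, data, sigs, disk, log):
    """Real-time hook: checks a file with the signatures known at write time."""
    hit = match(sigs, data)
    log.append((path, "realtime", hit))
    if hit is None:
        disk[path] = data          # not recognised, so the write goes through


def full_scan(sigs, disk):
    """On-demand scan: re-checks everything on disk with the current signatures."""
    return {path: match(sigs, data) for path, data in disk.items()}


def simulate():
    disk, log = {}, []
    sigs = [("hash", md5(DROPPER_BUILD_1), "Trojan.Dropper.b1")]
    # Build 2 arrives: the hash signature no longer matches, so the dropper runs.
    on_write("C:/tmp/codec.exe", DROPPER_BUILD_2, sigs, disk, log)
    # It writes its component; no signature for the component exists yet.
    on_write("C:/Windows/isamini.exe", PAYLOAD, sigs, disk, log)
    # Definitions update later with a content pattern for the component.
    sigs.append(("pattern", rb"your PC is infected", "FakeAlert.component"))
    # The next full scan finds the component; the real-time hook had no chance to.
    return {"realtime": log, "scan": full_scan(sigs, disk)}
```

Run `simulate()` to see both real-time checks return `None` while the later scan flags the dropped component and still misses the re-packed dropper, which is exactly the situation Nick describes.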

