Seth

Quick scan not scanning the temps.


Nick,

I tested this by installing NEED2FIND and dropping ND2FNBAR.DLL into the user temps. SAS found ND2FNBAR.DLL in the root temp, but not in the temp folders of the accounts.

So what's up with that :D.

EDIT: SAS does scan the temps on a quick scan. Please read on.


Just speculating here... Possibly the targeting strategy might cause this scenario.

What do I mean by this? :shock:

Take a computer infected with common garden Vundo and copy the system32 dropped dll into the My Documents/Samples folder. Run a SAS full scan and note that 1 file is detected (the active 1 in the system32 folder), whereas the copied version is not :?

This happens occasionally with SAS in my experience, and the only reason I can guess that it occurs is because of how SAS HQ has targeted the file in its native infection location and not in a custom location where it would not usually appear/run from.

Seth, the best way to test that theory would be, the next time you have known temp-folder-dwelling malware, to compare both full & quick scan. I will try to do likewise on my hunting/collection salvos 8)

If this bears fruit then you have your answer....


Good call you guys.

It turns out my test subject wasn't the most appropriate.

I used N2PLUGIN.DLL instead, and dropped that in the account temps. I then ran a Quick Scan and SAS found it in each account.

So yes, SAS does indeed scan the temps on a Quick Scan.

Thank you fatdcuk and nosirrah.
