Originally posted by: Assassimon
Anyone know a good virus scanner that just scans? I don't want protection that's always on, I don't like background processes. Every scanner I can find has protection that I don't want. Any ideas?
Originally posted by: bsobel
Get over it, most heuristic scanners need to see the program's execution and you're simply not going to be protected with a scan-only solution.
Originally posted by: lusher
With all due respect, that's sheer nonsense. With very very few exceptions, heuristics do not depend on program execution and they work equally well when scanning on demand.
Originally posted by: Captante
Explain please ... As far as I know heuristic detection depends on recognition of virus-like behavior, and without being active when a program starts I can't see how this could work effectively.
Some basics. Normal signatures work by tagging a characteristic portion of the malware. Of course, this has to be something really essential, otherwise they can be fooled by simple hex editing. Other tricks include packing malware....
Now heuristics just means rules of thumb, which is extremely generic, but when we say an AV detects something by heuristics, in general we are talking about passive heuristics (all AVs have this except maybe AVAST, which only has generic signatures). In passive heuristics, what the antiviruses do is, instead of targeting a specific malware (or a generic family of malware, so-called generic signatures, sometimes confused with heuristics), they try to scan the code for specific segments of code or certain functions that are likely to be used by malicious programs.
Other data points that are used in heuristics to help decide if something is fishy include the presence of very unusual or illegally hacked packers (which are used to obscure code contents), size of the file, strings in the code, presence of digital signatures and hundreds of different other factors (they are generally not disclosed because knowing this would allow vxers to work around it). All this is done WITHOUT the need to execute the file.
This can be very prone to false positives of course; for example AVG is able to scan and detect code functions for programs that add themselves to various autostart entries, and if this exe also happened to be packed, AVG heuristics will kick in....
In some cases, certain packers are used only by malicious hackers, and so they are specially targeted by flagging the packing stub. Even if you pack a perfectly innocent file with that packer, your AV heuristics will flag it.
The other type of heuristics is active heuristics. This generally involves emulation of the code. Because code can be easily obscured, which makes it difficult for passive heuristics to "read the code", what they do is trick the exe into running in an emulated/virtual (there's a difference but don't ask me what) environment, which then allows them to actually see what is going on.
This is a particularly useful trick against malware that is packed with unusual/strong packers to evade signatures. Of course some antiviruses have specific static unpackers that can handle the packer, but some are very difficult to work through and then there are unknown packers. Emulation can be a solution.
The malware "thinks" it is running, so it unpacks itself and is exposed, and the normal signatures kick in and detect it. As you can imagine active heuristics is even more difficult to do of course and there are anti-emulation tricks as well. Not all/many AVs do this compared to passive heuristics and obviously this trick can be used for on-demand scanning as well.
In either case, the exe itself is not really run. As such, except in cases of bugs (which are not as rare as you might think), the real-time and on-demand results of AVs do not differ.
Surely you know that the real-time AV doesn't really do anything special except that it hooks into the OS and checks when a certain file is going to be executed (or created or read, depending on the AV). It will then suspend this operation for a while, start running the on-demand scanner on the file, and if it checks out, it allows it to run. If you manually run the scan on a file, you get the exact same results.
That said, recently a very few antiviruses like KAV's PDM and F-Secure's DeepGuard have started adding an additional layer. These are execution-level HIPS/behavior blockers. They actually let the malware run and try to figure out, using some smart expert system, if it is malware. The risk of this strategy is obvious: since the code is already run, the execution-level HIPS/behavior blocker might be too slow to stop it from doing damage, as compared to normal AV functions which intercept and stop the malware before it is run.
Standalones like Norton Antibot and the free Threatfire (formerly cyberhawk) work similarly. This is perhaps what you are thinking of. But to my knowledge, nobody uses the term heuristics for this layer (though obviously it fits as well) because of the well established meaning of that term for AVs.
They differ from System Safety Monitor (SSM), ProcessGuard etc., because SSM has no intelligence whatsoever behind the program and the user has to decide how to respond to prompts.
Also there is the issue of memory scanners, but I don't think I want to touch that issue, but suffice to say, many scanners don't really scan the memory but rather they scan the binary files of the processes in memory....
I hope this clears up this misunderstanding.
Edit: For example, what if a piece of malware for which your scanner has no signature available executes at startup, does its dirty work & then terminates ... scanning after the fact would likely prove worthless.
1. If the AV has no signatures for it, and the heuristics miss it, the AV will not catch it, real time or not.
2. Real time protection is useful in that you don't have to REMEMBER to scan any file before running it, because your AV does it automatically even if you forget...
PS: If you don't believe me, I don't care.