Zasto je bitno da AV moze (i to dobro!) da skenira memoriju?

• 0Niko još nije pohvalio poruku.
  Registruj se da bi pohvalio/la poruku!

Da se ne bi Sober.p "sakrio" u njoj.

Otkriveno je da uspeh, tj. dugovecnost Sober.p crva na netu je posledica cinjenice da neki AV programi nemaju mogucnost skeniranja memorije ili ubijanja rezidentnih procesa u memoriji.

Evo sta o tome kaze Roel Schouwenberg, Kaspersky senior research engineer:

Other email worms which have used similar social engineering tactics haven't been this successful by a long shot. I think Sober.p's real success is due to something else, namely its protection mechanism.

As with previous Sober variants, Sober.p makes use of a certain mechanism to lock out any I/O access to its files.
In other words: Other programs can't access Sober's files. Not even applications running under SYSTEM account can access them while Sober is resident in memory.
This mechanism has been improved over time - earlier variants of Sober couldn't stop SYSTEM from accessing its files.

And what's the result? Very simple; if something can't be scanned, then malicious code can't be detected. This rules out the chance of Sober being detected while running an on-demand scan. So what now? This is where the quality of an anti-virus's memory scanner comes in.

First the solution needs to detect Sober running in memory, then it has to kill the processes.
This is where some antivirus programs are failing; either they don't have a memory scanner, or the scanner has limited functionality which isn't able to kill the processes.

If you aren't aware of infection, how can you take measures against it? With Sober's protection mechanism making it able to outsmart some antivirus scanners, it's likely we haven't seen the last of this family yet.