Author Topic: Why use extra non-resident scanners?  (Read 2636 times)


Offline polonus

Why use extra non-resident scanners?
« on: December 25, 2005, 02:20:18 PM »
Hi forum folks,

It is relatively easy to transform a widely spread trojan into a "stealth" one that cannot be detected by an AV scanner. This is no "underground secret" anymore. Look here for the explanation of why this is so: http://home.arcor.de/scheinsicherheit/example.htm So note your scanner's weaknesses. Use one resident scanner only, but use additional non-resident scanners, even when a software developer tells you otherwise. I use Avast + ClamWin + Bitdefender on-line scan + DrWebCureit + DrWeb pre-hyperlink scanner plug-in + stinger.exe. In case of doubt I update a suspicious file to either Jotti or Virustotal.

greets,

polonus

Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline DavidR

Re: Why use extra non-resident scanners?
« Reply #1 on: December 25, 2005, 02:54:22 PM »
Very interesting reading, or should that be disturbing reading?

I think this note is very relevant.
Quote
Note: Usually, only AV/AT scanners that feature an unpacking engine or a similar efficient technology can reliably detect compressed or crypted trojans.

I believe that avast has one of the better supported lists of unpackers?

Whilst I'm unsure how we get around encrypted viruses, an encrypted virus also has to have something to decrypt it, and in its decrypted form, in memory or otherwise, perhaps it can be detected.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.3.6108 (build 24.3.8975.762) UI 1.0.801/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security
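
The quoted note about unpacking engines can be seen in a small Python sketch, added here as an example and not taken from the thread or from any scanner's code. A constructed, harmless marker stands in for a signature; the function names, the two toy unpackers and the depth and size limits are all assumptions.

```python
import gzip
import zlib

# Constructed, harmless marker standing in for a real byte signature.
SIGNATURE = b"DEMO-SIGNATURE-NOT-MALWARE"
MAX_DEPTH = 4            # stop after this many nested packing layers
MAX_UNPACKED = 1 << 20   # refuse to inflate any layer beyond 1 MiB

def _inflate(data, wbits):
    """Decompress with a hard output cap; None if the data is not this format."""
    try:
        out = zlib.decompressobj(wbits).decompress(data, MAX_UNPACKED + 1)
    except zlib.error:
        return None
    if not out or len(out) > MAX_UNPACKED:
        return None  # empty, or too large to trust (decompression bomb guard)
    return out

# Toy "unpacking engine": (layer name, unpack function) pairs.
UNPACKERS = [
    ("zlib", lambda b: _inflate(b, zlib.MAX_WBITS)),
    ("gzip", lambda b: _inflate(b, zlib.MAX_WBITS | 16)),
]

def naive_scan(data):
    """Signature match on the bytes as stored, with no unpacking."""
    return SIGNATURE in data

def unpacking_scan(data, depth=0, path=()):
    """Return the chain of layers under which the signature sits, or None."""
    if SIGNATURE in data:
        return path
    if depth >= MAX_DEPTH:
        return None
    for name, unpack in UNPACKERS:
        inner = unpack(data)
        if inner is not None:
            hit = unpacking_scan(inner, depth + 1, path + (name,))
            if hit is not None:
                return hit
    return None

# Constructed samples: the same marker stored plain, packed once, packed twice.
plain = b"\x00" * 64 + SIGNATURE + b"\x00" * 64
packed_once = zlib.compress(plain)
packed_twice = gzip.compress(packed_once)
```

The naive scan only matches the plain sample, while the unpacking scan reports the layers it had to peel off. A sample packed deeper than `MAX_DEPTH` is missed, which is the same limit a real engine hits with packers it does not support.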

TAP

  • Guest
Re: Why use extra non-resident scanners?
« Reply #2 on: December 25, 2005, 02:59:34 PM »
I've used ewido anti-malware alongside avast! and this combo scanner gives me very good results; ewido has found some malware (especially from P2P and underground sites) that avast! missed from time to time, and I've sent them to Alwil lab.


Offline polonus

Re: Why use extra non-resident scanners?
« Reply #3 on: December 25, 2005, 06:42:56 PM »
Hi DavidR and Tap,

At the start of this thread: http://forum.kaspersky.com/index.php?showtopic=3349 you can read why advanced mem scanning should come to AV scanners as soon as possible. Here is additional information to better understand the background: http://www.securityfocus.com/infocus/1637

polonus
« Last Edit: December 25, 2005, 06:46:38 PM by polonus »