Do on-demand scanners use only definitions for scanning when offline?

Discussion in 'Security Discussions' started by HarborFront, Mar 20, 2017 at 8:05 PM.

  1. HarborFront

    HarborFront Level 14

    Joined:
    Oct 9, 2016
    Messages:
    694
    Likes Received:
    1,695
    Hi

    BD (free)
    Kaspersky Security Scan
    Norton Power Eraser
    Emsisoft Emergency Kit
    Emsisoft Anti-Malware (free)
    Zemana AM (free)
    HitmanPro
    ....others

    All the above work as on-demand scanners. Zemana cannot work without an internet connection, so it is useless when offline. Without an internet connection HitmanPro can scan but cannot delete, making it useless as well.

    So my question is: when offline, do the balanced on-demand scanners use only definitions for scanning, or will they also use their behavior blocker, sandbox etc. as well?

    Thanks
     
    LanDude likes this.
  2. _CyberGhosT_

    _CyberGhosT_ Level 41
    Trusted

    Joined:
    Aug 2, 2015
    Messages:
    3,067
    Likes Received:
    19,808
    OS:
    Linux Mint
    AV:
    Default-Deny
    > Do on-demand scanners use only definitions for scanning when offline

    I am confused; if they are "offline" then they have to be using definitions, unless there is a 3rd option I am unaware of.
    1> Sandboxes don't scan; they are a containment tool.
    2> BBs are for looking into a file's behavior pattern. They are looking for a certain type of behavior pattern and are not technically a scan as "scan" is defined.
    Definitions are all that is used when in "offline" mode, period, by apps that support "offline" scanning.
     
    LanDude, davisd, frogboy and 4 others like this.
  3. HarborFront

    HarborFront Level 14

    Joined:
    Oct 9, 2016
    Messages:
    694
    Likes Received:
    1,695
    OK, I probably did not explain clearly.

    What I meant was: do features like their sandbox, BB etc. work offline as well, to help in malware detection/containment besides using definitions for scanning?

    Take BD free: it comes with its BB and sandbox. So do they work as well, or does BD free operate solely using its definitions when offline? How about Avast AV free's hardened mode and CyberCapture? Do they function when offline too? How about Emsisoft's BB? Does it work when offline too?

    Thanks
     
    _CyberGhosT_ likes this.
  4. _CyberGhosT_

    _CyberGhosT_ Level 41
    Trusted

    Joined:
    Aug 2, 2015
    Messages:
    3,067
    Likes Received:
    19,808
    OS:
    Linux Mint
    AV:
    Default-Deny
    That's better.
    I can't speak for the rest, but Emsisoft's BB works offline for sure.
    I would imagine the same goes for the rest, but I can't swear to it because I don't use those, or have much experience with them.
    There are many here that could answer for the rest though.
     
    davisd, Parsh, frogboy and 1 other person like this.
  5. HarborFront

    HarborFront Level 14

    Joined:
    Oct 9, 2016
    Messages:
    694
    Likes Received:
    1,695
    Does Emsisoft Emergency Kit come with a BB? I thought you install it (like Kaspersky Security Scan, Norton Power Eraser etc.) on a USB stick and scan the drive on-demand? If this is the use, then what is the BB for?

    Thanks
     
  6. Parsh

    Parsh Level 8

    Joined:
    Dec 27, 2016
    Messages:
    391
    Likes Received:
    2,492
    OS:
    Windows 10
    AV:
    Kaspersky
    EEK does not come packed with a BB because it's not a real-time security tool. It's only for on-demand scans using their dual-engine definitions.
     
  7. Winter Soldier

    Winter Soldier Level 8

    Joined:
    Feb 13, 2017
    Messages:
    389
    Likes Received:
    1,983
    OS:
    Windows 10
    AV:
    Emsisoft
    Regarding the scanners, I think most of them need a data exchange with the cloud for better efficiency, but I can't be more precise about it.
    The behavior blocker is designed to catch the malware's requests; the malicious code may be identified regardless of how skilled the malware author is at obfuscating his code, or how intricate and incomprehensible its logic may appear.

    Behavior blocking systems can use a policy: every time a program launches a request to the operating system, the BB intercepts the request, consults the policy and decides whether to block the request.
    But the BB engine also uses entire classes of malicious code and their behavior in order to define which behaviors you want to block. In this way, potentially dangerous behaviors should be blocked. For example, 90% of malware tries to access the file system, and therefore it is possible to define a detection that occurs when some code tries to access the file system.
    The BB algorithm can also work offline, as @_CyberGhosT_ says about Emsisoft.
    But it is necessary to add that the patterns have to be constantly updated, just as the malware behavior itself keeps changing.
    At the end of the day, in my opinion, you get the best results with an active internet connection.
    EEK is just a scanner; I don't think it uses a BB that works when you run the malware.
     
  8. Parsh

    Parsh Level 8

    Joined:
    Dec 27, 2016
    Messages:
    391
    Likes Received:
    2,492
    OS:
    Windows 10
    AV:
    Kaspersky
    Appreciable explanations!
    You've covered most of the knowledge a user should have about the functions and limitations of the product from the dev's perspective.
    Rules and policies based on tons of already discovered malware patterns, access locations and their action sequences, timing, connections etc. need to be updated regularly to complement their engines well, for the continuous evolution of protection methods.
    The cloud definitely aids the above with near real-time updates related to newer detections and procedures that the offline product may not be able to handle.
     
  9. HarborFront

    HarborFront Level 14

    Joined:
    Oct 9, 2016
    Messages:
    694
    Likes Received:
    1,695
    Hi

    First, I just need to know whether the mentioned on-demand scanners have or don't have the BB/HIPS/SB etc. features in the first place. Second, whether such features work or don't work when offline.

    So EEK, Kaspersky Security Scan and Norton Power Eraser etc. do NOT use their BB/HIPS/SB etc. when offline, right? In the first place, do the aforementioned on-demand scanners have BB/HIPS/SB etc. so that they (the on-demand scanners) can capitalize on their cloud when online?

    And do BD free's, EAM free's and Avast AV free's BB/SB/hardened mode (whichever they have) work offline?

    I think Avast AV free's CyberCapture and BD free's SB need internet to work, right?

    Can somebody be more concrete on the answers?

    Thanks
     
  10. Parsh

    Parsh Level 8

    Joined:
    Dec 27, 2016
    Messages:
    391
    Likes Received:
    2,492
    OS:
    Windows 10
    AV:
    Kaspersky
    EEK, Kaspersky Security Scan and Norton Power Eraser do not have any HIPS/SB/BB.

    If by EAM you are referring to Emsisoft, they have no free anti-malware product except EEK (the on-demand scanner) you mentioned earlier.
    BD free works offline but does use the cloud for consulting the status of applications. Refer to the quote near the end of this post.
    Avast Hardened mode (Moderate) automatically blocks files that are detected as suspicious by preliminary analysis, without further passing them to DeepScreen. Hardened mode (Aggressive) consults their cloud whitelist of files (thus using the internet) and blocks files that are unknown or marked as bad.
    Regarding EEK, we've already discussed that it's an on-demand scanner that uses the Internet for updates only (skipping EAM since it's not free).

    Here's what the BD free FAQs say about Internet connectivity:
    As far as Avast CyberCapture is concerned, this infographic says it all.
    Suspicious files are blocked, submitted to the Avast cloud for analysis and the results come back, thus needing an Internet connection.

    [attachment: nitro_cyber_capture_infographics_EN.png]
     
  11. Winter Soldier

    Winter Soldier Level 8

    Joined:
    Feb 13, 2017
    Messages:
    389
    Likes Received:
    1,983
    OS:
    Windows 10
    AV:
    Emsisoft
    Thanks @Parsh for pointing out and couldn't agree more :)
     
    Parsh likes this.
  12. Parsh

    Parsh Level 8

    Joined:
    Dec 27, 2016
    Messages:
    391
    Likes Received:
    2,492
    OS:
    Windows 10
    AV:
    Kaspersky
    You're welcome :)
    I'd read on some forum that BD free uses the Internet for some behavioral consulting, and the FAQ answer hints towards that.
    Regarding Avast, @RejZoR has explained the different modes and their functioning well over here, on the Avast forum and at Wilderssecurity. He can elaborate or correct any blurred points here!
     
    Winter Soldier likes this.
  13. Winter Soldier

    Winter Soldier Level 8

    Joined:
    Feb 13, 2017
    Messages:
    389
    Likes Received:
    1,983
    OS:
    Windows 10
    AV:
    Emsisoft
    Excellent explanation in your post :)
    Indeed, I believe that by now most security products have a good part of the engine hosted remotely.
    If you have connection problems and an infected computer, you can also use, for example, Kaspersky Rescue Disk to scan, disinfect and restore the infected OS as an emergency solution.
     
    Parsh likes this.
  14. WinXPert

    WinXPert Level 21
    Trusted

    Joined:
    Jan 9, 2013
    Messages:
    1,093
    Likes Received:
    2,904
    OS:
    Windows 7
    AV:
    Emsisoft
    For those familiar with Avira PC Cleaner, once you have launched it, the program will download the necessary files plus updated signature database for it to run. In case you run it again without net, it won't be able to update the signatures prior to scanning but will use the sigs saved in your HDD or USB drive.
     
    Winter Soldier likes this.
  15. HarborFront

    HarborFront Level 14

    Joined:
    Oct 9, 2016
    Messages:
    694
    Likes Received:
    1,695
    I believe that after the trial of Emsisoft Anti-Malware is over it becomes a free version, i.e. without real-time protection. I may be wrong.

    Thanks
     
    Parsh likes this.
  16. Winter Soldier

    Winter Soldier Level 8

    Joined:
    Feb 13, 2017
    Messages:
    389
    Likes Received:
    1,983
    OS:
    Windows 10
    AV:
    Emsisoft
    Yes it does.
     
    Parsh likes this.
  17. Parsh

    Parsh Level 8

    Joined:
    Dec 27, 2016
    Messages:
    391
    Likes Received:
    2,492
    OS:
    Windows 10
    AV:
    Kaspersky
    Yes, it can be kept as an on-demand scanner after the trial expires, and that has the benefit of an added contextual scan option in Windows Explorer.
    But there's an issue here I would like to warn about. Even in its free version mode, EAM's 'a2service.exe' (apparently) may cause a conflict when launching various executables on your computer if there is another AV installed on the same system (of course there will be a real-time AV; for me it was Kaspersky).
    [attachment: Screenshot (155).png]
    I faced this issue. I changed the status of a2service to 'trusted' mode in KIS, but this didn't solve the problem. I was unable to even launch the uninstaller using normal procedures and I had to use an App Remover for special cleaning.
    It may or may not result in conflicts depending on your RT AV. Kaspersky is well known to cause incompatibilities with other security components, but this conflict can be true for more AVs out there.
     
    HarborFront likes this.
  18. RejZoR

    RejZoR Level 6

    Joined:
    Nov 26, 2016
    Messages:
    250
    Likes Received:
    1,169
    OS:
    Windows 10
    AV:
    Avast
    Things that universally work offline:
    - traditional "static" signatures
    - file heuristics, static or dynamic through code emulator
    - behavior blockers (Behavior Shield, Active Virus Control, System Watcher etc)
    - algorithm based "heuristic" signatures (like avast!'s Evo-Gen)
    - HIPS

    They will however lack additional checks like queries to whitelist to check on false positives, meaning you will actually have slightly more aggressive protection during offline time.
     
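As an added example that is not part of any post in this thread, here is a small Python simulation of the policy-based behavior blocker Winter Soldier describes in post 7 (intercept each request, consult the policy, decide whether to block) together with RejZoR's point in post 18 that offline operation drops the cloud whitelist query, so protection is slightly more aggressive. Every intercepted request is scored against a local policy; a process that crosses the threshold is blocked unless the engine is online and the executable's hash is on a cloud whitelist. The events, rules, weights, threshold and hashes are all constructed for the example and do not reflect any vendor's product.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    """One intercepted request from a process to the OS (constructed, simplified)."""
    process: str
    action: str       # e.g. "write_file", "set_autorun", "inject_process"
    target: str       # path or registry key the action is aimed at
    file_hash: str    # hash of the requesting executable (placeholder value)


# Local behaviour policy: (action, target prefix, suspicion weight).
# Rules and weights are assumptions for this example, not any vendor's policy.
# An empty prefix matches every target of that action.
LOCAL_POLICY = [
    ("write_file", "C:\\Users\\", 1),                  # touching user data: mildly suspicious
    ("write_file", "C:\\Windows\\System32\\", 3),      # writing into the system directory
    ("set_autorun", "", 3),                            # persistence attempt
    ("inject_process", "", 4),                         # code injection into another process
]
BLOCK_THRESHOLD = 5   # accumulated score at which a process is blocked (assumed)


class BehaviorBlocker:
    """Scores each process's requests against LOCAL_POLICY; the cloud whitelist
    is an optional false-positive check that is only reachable when online."""

    def __init__(self, online: bool, cloud_whitelist=frozenset()):
        self.online = online
        self.cloud_whitelist = cloud_whitelist   # consulted only when online
        self.scores = {}                         # process name -> accumulated suspicion

    def _weight(self, ev: Event) -> int:
        # Highest-weight matching rule; unmatched requests score nothing.
        return max((w for action, prefix, w in LOCAL_POLICY
                    if action == ev.action and ev.target.startswith(prefix)),
                   default=0)

    def decide(self, ev: Event) -> str:
        self.scores[ev.process] = self.scores.get(ev.process, 0) + self._weight(ev)
        if self.scores[ev.process] < BLOCK_THRESHOLD:
            return "allow"
        # Threshold reached: offline engines block here; online engines may
        # first ask the cloud whether this executable is known-good.
        if self.online and ev.file_hash in self.cloud_whitelist:
            return "allow (cloud whitelist)"
        return "block"


def run(events, online: bool, cloud_whitelist=frozenset()):
    """Feed an event stream through a fresh blocker; returns (process, action, decision)."""
    bb = BehaviorBlocker(online, cloud_whitelist)
    return [(ev.process, ev.action, bb.decide(ev)) for ev in events]


# Constructed sample stream: a legitimate backup tool that registers itself to
# run at login, and an unknown dropper that writes into System32 and persists.
SAMPLE_EVENTS = [
    Event("backup.exe", "write_file", "C:\\Users\\alice\\Documents\\a.txt", "hash-backup"),
    Event("backup.exe", "set_autorun", "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", "hash-backup"),
    Event("backup.exe", "write_file", "C:\\Users\\alice\\Documents\\b.txt", "hash-backup"),
    Event("dropper.exe", "write_file", "C:\\Windows\\System32\\x.dll", "hash-unknown"),
    Event("dropper.exe", "set_autorun", "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", "hash-unknown"),
]
KNOWN_GOOD = frozenset({"hash-backup"})   # constructed cloud whitelist


if __name__ == "__main__":
    for mode, online in (("offline", False), ("online", True)):
        print(f"--- {mode} ---")
        for process, action, decision in run(SAMPLE_EVENTS, online, KNOWN_GOOD):
            print(f"{process:12} {action:15} -> {decision}")
```

Run offline, the backup tool is blocked on its third request (a false positive the cloud whitelist would have cleared), while the dropper is blocked in both modes; the local policy does all the detection, and the network only adds the false-positive check.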