Do on-demand scanners use only definitions for scanning when offline?

HarborFront

Hi

BD (free)
Kaspersky Security Scan
Norton Power Eraser
Emsisoft Emergency Kit
Emsisoft Anti-Malware (free)
Zemana AM (free)
HitmanPro
....others

All the above work as on-demand scanners. Zemana cannot work without an internet connection, so it is useless when offline. Without an internet connection HitmanPro can scan but cannot delete, making it useless as well.

So my question is, when offline, do the balanced on-demand scanners use only definitions for scanning, or will they also use their behavior blocker, sandbox etc. as well?

Thanks

_CyberGhosT_

QUOTE
Do on-demand scanners use only definitions for scanning when offline
END
I am confused, if they are "off line" then they have to be using definitions unless there is a 3rd option I am unaware of.
1> Sandboxes don't scan; they are a containment tool.
2> BBs look into a file's behavior pattern. They are looking for a certain type of behavior pattern and are not technically a scan as "scan" is defined.
Definitions are all that is used when in "Off line" mode period, by apps that support "off line" scanning.
 

HarborFront

QUOTE
QUOTE
Do on-demand scanners use only definitions for scanning when offline
END
I am confused, if they are "off line" then they have to be using definitions unless there is a 3rd option I am unaware of.
1> Sandboxes don't scan; they are a containment tool.
2> BBs look into a file's behavior pattern. They are looking for a certain type of behavior pattern and are not technically a scan as "scan" is defined.
Definitions are all that is used when in "Off line" mode period, by apps that support "off line" scanning.
END
OK, I probably did not explain clearly.

What I meant was do features like their sandbox, bb etc. work offline as well to help in malware detection/containment besides using definitions for scanning?

Like BD free, which comes with its BB and sandbox. So do they work as well, or does BD free just operate solely on its definitions when offline? How about Avast AV free's hardened mode and CyberCapture? Do they function when offline too? How about Emsisoft's BB? Does it work when offline too?

Thanks

_CyberGhosT_

That's better,
I can't speak for the rest, but Emsisoft's BB works off line for sure.
I would imagine the same goes for the rest, but I can't swear to it because I don't
use those, or have much experience with them.
There are many here that could answer for the rest though.
 

HarborFront

QUOTE
That's better,
I can't speak for the rest, but Emsisoft's BB works off line for sure.
I would imagine the same goes for the rest, but I can't swear to it because I don't
use those, or have much experience with them.
There are many here that could answer for the rest though.
END
Does Emsisoft Emergency Kit come with a BB? I thought you install it (like Kaspersky Security Scan, Norton Power Eraser etc.) on a USB stick and scan the drive on-demand? If this is the use, then what is the BB for?

Thanks
 

Parsh

QUOTE
Does Emsisoft Emergency Kit come with a BB? I thought you install it (like Kaspersky Security Scan, Norton Power Eraser etc.) on a USB stick and scan the drive on-demand? If this is the use, then what is the BB for?

Thanks
END
EEK does not come packed with a BB because it's not a real-time security tool. It's only for on-demand scans using their dual-engine definitions.
 

Winter Soldier

Regarding the scanners, I think most of them are in need of a data exchange with the cloud for better efficiency, but I can't be more precise about it.
The behavioral blocker is designed to catch the malware's requests; the malcode may be identified regardless of how skilled the malcoder is at obfuscating his code, or how intricate and incomprehensible its logic can appear.

Behavior blocking systems can use policy and every time a program launches a request to the operating system, the BB intercepts the request, consults the policy and decides whether to block the request.
But the BB engine also uses entire classes of malicious code and their behavior in order to define what behaviors you want to block. In this way, potentially dangerous behaviors should be blocked. For example, 90% of malware tries to access the file system, and therefore it is possible to define a detection that occurs when some code tries to access the file system.
The BB algorithm can also work offline, as @_CyberGhosT_ says about Emsisoft.
But it is necessary to add that the patterns have to be constantly updated, as malware behavior itself keeps updating.
At the end of the day, in my opinion, you get the best results with an active internet connection.
QUOTE
Does Emsisoft Emergency Kit come with a BB? I thought you install it (like Kaspersky Security Scan, Norton Power Eraser etc.) on a USB stick and scan the drive on-demand? If this is the use, then what is the BB for?

Thanks
END
EEK is just a scanner; I don't think it uses a BB that works when you run the malware.
 

Parsh

QUOTE
The behavioral blocker is designed to catch the malware's requests; the malcode may be identified regardless of how skilled the malcoder is at obfuscating his code, or how intricate and incomprehensible its logic can appear.

Behavior blocking systems can use policy and every time a program launches a request to the operating system, the BB intercepts the request, consults the policy and decides whether to block the request.
But the BB engine also uses entire classes of malicious code and their behavior in order to define what behaviors you want to block. In this way, potentially dangerous behaviors should be blocked. For example, 90% of malware tries to access the file system, and therefore it is possible to define a detection that occurs when some code tries to access the file system.
The BB algorithm can also work offline, as @_CyberGhosT_ says about Emsisoft.
But it is necessary to add that the patterns have to be constantly updated, as malware behavior itself keeps updating.
At the end of the day, in my opinion, you get the best results with an active internet connection.
END
Appreciable explanations!
You've covered most of the knowledge a user should have about the functions and limitations of the product from the dev's perspective.
Rules and policies based on tons of already discovered malware patterns, access locations and their action sequences, timing, connections etc. need to be updated regularly to complement their engines well, for the continuous evolution of protection methods.
The cloud definitely aids the above with near-realtime updates related to newer detections and procedures that the offline product may not be able to handle.
 

HarborFront

QUOTE
Regarding the scanners, I think most of them are in need of a data exchange with the cloud for better efficiency, but I can't be more precise about it.
The behavioral blocker is designed to catch the malware's requests; the malcode may be identified regardless of how skilled the malcoder is at obfuscating his code, or how intricate and incomprehensible its logic can appear.

Behavior blocking systems can use policy and every time a program launches a request to the operating system, the BB intercepts the request, consults the policy and decides whether to block the request.
But the BB engine also uses entire classes of malicious code and their behavior in order to define what behaviors you want to block. In this way, potentially dangerous behaviors should be blocked. For example, 90% of malware tries to access the file system, and therefore it is possible to define a detection that occurs when some code tries to access the file system.
The BB algorithm can also work offline, as @_CyberGhosT_ says about Emsisoft.
But it is necessary to add that the patterns have to be constantly updated, as malware behavior itself keeps updating.
At the end of the day, in my opinion, you get the best results with an active internet connection.

EEK is just a scanner; I don't think it uses a BB that works when you run the malware.
END

Hi

First, I just need to know whether the mentioned on-demand scanners have or don't have the BB/HIPS/SB etc features in the first place. Second, whether such features work or don't work when offline?

So EEK, Kaspersky Security Scan and Norton Power Eraser etc. do NOT use their BB/HIPS/SB etc. when offline, right? In the first place, do the aforementioned on-demand scanners have BB/HIPS/SB etc. so that they (the on-demand scanners) can capitalize on their cloud when online?

And do BD free, EAM free and Avast AV free's BB/SB/hardened mode (whichever they have) work offline?

I think Avast AV free's cyber capture and BD free's SB need internet to work, right?

Can somebody be more concrete on the answers?

Thanks
 

Parsh

QUOTE
First, I just need to know whether the mentioned on-demand scanners have or don't have the BB/HIPS/SB etc features in the first place. Second, whether such features work or don't work when offline?

So EEK, Kaspersky Security Scan and Norton Power Eraser etc. do NOT use their BB/HIPS/SB etc. when offline, right? In the first place, do the aforementioned on-demand scanners have BB/HIPS/SB etc. so that they (the on-demand scanners) can capitalize on their cloud when online?
END
EEK, Kaspersky Security Scan and Norton Power Eraser do not have any HIPS/SB/BB.

QUOTE
And do BD free, EAM free and Avast AV free's BB/SB/hardened mode (whichever they have) work offline?
END
If by EAM you are referring to Emsisoft, they have no free anti-malware product except the EEK (on-demand scanner) you mentioned earlier.
BD free works offline but does use the cloud for consulting the status of applications. Refer to the quote near the end of this post.
Avast Hardened mode (Moderate) automatically blocks files that are detected as suspicious by preliminary analysis, without passing them further to DeepScreen. Hardened mode (Aggressive) consults their cloud whitelist of files (thus using the internet) and blocks files that are unknown or marked as bad.
Regarding EEK, we've already discussed that it's an on-demand scanner that uses the Internet for updates only (skipping EAM since it's not free).

QUOTE
I think Avast AV free's cyber capture and BD free's SB need internet to work, right?
END
Here's what the BD free FAQs say about Internet connectivity:
FAQ Answer - The application needs to communicate with Bitdefender servers in order to determine the security status of the applications it scans and of the web pages you are visiting.
As far as Avast CyberCapture is concerned, this infographic says it all.
Suspicious files are blocked, submitted to Avast cloud for analysis and results are out, thus needing an Internet connection.

[attached image: nitro_cyber_capture_infographics_EN.png]
 

Winter Soldier

QUOTE
EEK, Kaspersky Security Scan and Norton Power Eraser do not have any HIPS/SB/BB.

If by EAM you are referring to Emsisoft, they have no free anti-malware product except the EEK (on-demand scanner) you mentioned earlier.
BD free works offline but does use the cloud for consulting the status of applications. Refer to the quote near the end of this post.
Avast Hardened mode (Moderate) automatically blocks files that are detected as suspicious by preliminary analysis, without passing them further to DeepScreen. Hardened mode (Aggressive) consults their cloud whitelist of files (thus using the internet) and blocks files that are unknown or marked as bad.
Regarding EEK, we've already discussed that it's an on-demand scanner that uses the Internet for updates only (skipping EAM since it's not free).

Here's what the BD free FAQs say about Internet connectivity:

As far as Avast CyberCapture is concerned, this infographic says it all.
Suspicious files are blocked, submitted to Avast cloud for analysis and results are out, thus needing an Internet connection.
END

Thanks @Parsh for pointing out and couldn't agree more :)
 

Parsh

QUOTE
Thanks @Parsh for pointing out and couldn't agree more :)
END
You're welcome :)
I'd read on some forum that BD free uses the Internet for some behavioral consulting, and the FAQ answer hints towards that.
Regarding Avast, @RejZoR has well explained different modes and functioning over here, Avast forum and Wilderssecurity. He can elaborate or correct any blurred points here!
 

Winter Soldier

QUOTE
You're welcome :)
I'd read on some forum that BD free uses the Internet for some behavioral consulting, and the FAQ answer hints towards that.
Regarding Avast, @RejZoR has well explained different modes and functioning over here, Avast forum and Wilderssecurity. He can elaborate or correct any blurred points here!
END
Excellent explanation in your post :)
Indeed, I believe by now, most of the security products have a good part of the engine remotely.
If you have connection problems and an infected computer, you can also use, for example, Kaspersky Rescue Disk to scan, disinfect and restore the infected OS as an emergency solution.
 

WinXPert

For those familiar with Avira PC Cleaner, once you have launched it, the program will download the necessary files plus updated signature database for it to run. In case you run it again without net, it won't be able to update the signatures prior to scanning but will use the sigs saved in your HDD or USB drive.
 

HarborFront

QUOTE
EEK, Kaspersky Security Scan and Norton Power Eraser do not have any HIPS/SB/BB.

If by EAM you are referring to Emsisoft, they have no free anti-malware product except the EEK (on-demand scanner) you mentioned earlier.
BD free works offline but does use the cloud for consulting the status of applications. Refer to the quote near the end of this post.
Avast Hardened mode (Moderate) automatically blocks files that are detected as suspicious by preliminary analysis, without passing them further to DeepScreen. Hardened mode (Aggressive) consults their cloud whitelist of files (thus using the internet) and blocks files that are unknown or marked as bad.
Regarding EEK, we've already discussed that it's an on-demand scanner that uses the Internet for updates only (skipping EAM since it's not free).

Here's what the BD free FAQs say about Internet connectivity:

As far as Avast CyberCapture is concerned, this infographic says it all.
Suspicious files are blocked, submitted to Avast cloud for analysis and results are out, thus needing an Internet connection.
END


I believe after the trial of Emsisoft Anti-Malware is over it becomes a free version, i.e. without real-time protection. I may be wrong.

Thanks
 

Parsh

QUOTE
I believe after the trial of Emsisoft Anti-Malware is over it becomes a free version, i.e. without real-time protection. I may be wrong.
Thanks
END
Yes, it can be kept as an on-demand scanner after the trial expires, and that has the benefit of an added contextual scan option in Win Explorer.
But there's an issue here I would like to warn about. Even in its free-version mode, EAM's 'a2service.exe' (apparently) may cause conflicts when launching various executables on your computer if there is another AV installed on the same system (of course there will be a real-time AV; for me it was Kaspersky).
[attached image: Screenshot (155).png]
I faced this issue. I changed the status of a2service to 'trusted' mode in KIS but this didn't solve the problem. I was unable to even launch the uninstaller using normal procedures and I had to use an App Remover for special cleaning.
It may or may not result in conflicts depending on your RT AV. Kaspersky is well known to cause incompatibilities with other security components but this conflict can be true for more AVs out there.
 

RejZoR

Things that universally work offline:
- traditional "static" signatures
- file heuristics, static or dynamic through code emulator
- behavior blockers (Behavior Shield, Active Virus Control, System Watcher etc)
- algorithm based "heuristic" signatures (like avast!'s Evo-Gen)
- HIPS

They will however lack additional checks like queries to a whitelist to check for false positives, meaning you will actually have slightly more aggressive protection during offline time.
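The layering described in this thread (Winter Soldier's intercept-request, consult-policy, decide loop, and RejZoR's point that local layers keep working offline while the cloud whitelist does not) as a toy model added here, not code from any of the products discussed; the rule names, event names, hashes and sample files are all constructed, and the whitelist override is a hypothetical simplification:

```python
"""Toy model of an on-demand scanner's detection layers with and without
connectivity. Added illustration, not any vendor's code; everything below is constructed."""
import hashlib

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Layers shipped with the definitions, so they work offline.
KNOWN_BAD = {sha256(b"CONSTRUCTED-MALWARE-BODY")}
BEHAVIOUR_RULES = {  # rule -> OS requests that must appear in this order
    "encrypt-and-kill-backups": ["open_many_user_files", "write_encrypted",
                                 "delete_shadow_copies"],
    "persist-and-inject": ["write_run_key", "inject_remote_thread"],
}
# Reputation data held in the vendor cloud; reachable only when online.
CLOUD_WHITELIST = {sha256(b"CONSTRUCTED-VENDOR-BACKUP-TOOL")}

def matches_in_order(events, required):
    """True when every required event occurs in events, in the given order."""
    it = iter(events)
    return all(any(e == want for e in it) for want in required)

def scan(content: bytes, behaviour: list, online: bool) -> str:
    """Return a verdict for one file; behaviour is the list of OS requests
    observed when the BB ran it (hypothetical event names)."""
    digest = sha256(content)
    if digest in KNOWN_BAD:                       # static signature hit
        return "blocked:signature"
    for rule, seq in BEHAVIOUR_RULES.items():     # behaviour policy
        if matches_in_order(behaviour, seq):
            # Online, a whitelist hit clears the rule hit as a false positive;
            # offline the rule stands, so protection is more aggressive.
            if online and digest in CLOUD_WHITELIST:
                return "allowed:cloud-whitelist"
            return f"blocked:behaviour:{rule}"
    return "allowed:clean"

# Constructed samples: a dropper known to the definitions, a legitimate
# backup tool whose behaviour resembles ransomware, and a harmless editor.
SAMPLES = {
    "dropper": (b"CONSTRUCTED-MALWARE-BODY",
                ["write_run_key", "inject_remote_thread"]),
    "backup_tool": (b"CONSTRUCTED-VENDOR-BACKUP-TOOL",
                    ["open_many_user_files", "write_encrypted",
                     "delete_shadow_copies"]),
    "editor": (b"CONSTRUCTED-EDITOR", ["open_one_file", "write_one_file"]),
}

def verdicts(online: bool) -> dict:
    """Scan every sample in one connectivity state."""
    return {name: scan(c, b, online) for name, (c, b) in SAMPLES.items()}
```

Running `verdicts(False)` and `verdicts(True)` shows the same signature and behaviour verdicts in both states, with the legitimate backup tool blocked only offline, which is the "slightly more aggressive protection" effect.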
 
