Full System Scan

OutOfBounds

Hi, I always make sure I do a full system scan with my anti-virus every 1-2 weeks. Sometimes I do it in safe mode, or sometimes I just keep the laptop in normal boot mode.

Does it make any difference if you scan in safe mode or normal mode?
 

Arequire

Personally I'd only scan in safe mode if I knew there was malware on my system that couldn't be detected while scanning during a normal boot.

> I do a full system scan with my anti-virus every 1-2 weeks

Does your AV use caching? If not, surely this gets annoying scanning so often? (Assuming you don't do it overnight or when you're away.)
 

Winter Soldier

By starting the operating system in safe mode, the drivers are not loaded (and not even the programs that usually start up with the operating system) for which, logically, it is easier to find any malicious code.

The scan's time is essentially the same (between normal and safe mode) so my advice is always to do the scans in safe mode.
 

RoboMan

> By starting the operating system in safe mode, the drivers are not loaded (and not even the programs that usually start up with the operating system) for which, logically, it is easier to find any malicious code.
>
> The scan's time is essentially the same (between normal and safe mode) so my advice is always to do the scans in safe mode.

Weird... I've heard this lots of times but I never come to a conclusion. How come it's easier to find malicious software when the driver or the autorun that executes it/allows it to run is not loaded? #Curiosity
 

Winter Soldier

> Weird... I've heard this lots of times but I never come to a conclusion. How come it's easier to find malicious software when the driver or the autorun that executes it/allows it to run is not loaded? #Curiosity

There is malware that is difficult to remove in the normal way because it is running in the background and, as for detection, it can interfere with the antivirus.
When malicious code is executed, in some scenarios, it might also try to kill the AV processes.
 

vemn

> By starting the operating system in safe mode, the drivers are not loaded (and not even the programs that usually start up with the operating system) for which, logically, it is easier to find any malicious code.
>
> The scan's time is essentially the same (between normal and safe mode) so my advice is always to do the scans in safe mode.

Eh... sorry, noob question from me.
Potentially, with drivers not loaded, is there a chance that malware performs a check and potentially lies dormant and evades?
Sorry, just thinking out loud from my tiny brain :rolleyes:
 

Winter Soldier

> Eh... sorry, noob question from me.
> Potentially, with drivers not loaded, is there a chance that malware performs a check and potentially lies dormant and evades?
> Sorry, just thinking out loud from my tiny brain :rolleyes:

A clarification: in safe mode many drivers are not loaded, but I mean drivers of some software and applications, not only related to malware. :)

Trying to answer your question, malware context is extremely complex and everything is possible.
For example, because of my work, I've analyzed Stuxnet, and it was designed to harm only those systems with special requirements, while remaining totally dormant in non-affected systems. In particular, the malware attacks only Siemens Step7 systems, otherwise the malware itself is designed to be inoperable.
Probably, in the same way some malware activates just secondary sub-routines, causing an infection only in certain situations.

Many malware use drivers; for example, some rootkits are implemented by a kernel-mode driver that starts itself during the Windows boot process. When files and registry keys have been hidden, they may not have access to any user-mode process.
Pure rootkits seem to be less frequent, but many malicious codes implement rootkit techniques in the attack surface.

In this context, the malware hooks the native core API that allows a driver to be loaded in the kernel, and by analyzing the Windows API it is possible to identify a call that runs a native routine to load the driver into memory by running it.
Of course there are many ways for drivers to be loaded into memory and executed.
 

WinXPert

Aside from loading basic drivers, booting from Safe Mode prevents malware in StartUp folders and HKLM/HKCU/.../Run from starting with Windows. However, there are a rare few that can autostart even in Safe Mode.

> Weird... I've heard this lots of times but I never come to a conclusion. How come it's easier to find malicious software when the driver or the autorun that executes it/allows it to run is not loaded? #Curiosity

Because they are not running, so there is no resistance when an AV/AM detects them. It is the same effect you have when you have successfully terminated malware running in memory: removal is easier.

I would like to add that autorun.inf is bypassed in Safe Mode.

Patching viruses like Sality and Virut still run in Safe Mode.
 
Last edited by a moderator:
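
The autostart locations named in the post above (the StartUp folders and the Run keys under HKLM and HKCU) can be listed from a normal boot to see what Safe Mode would be skipping. This is an added example, not part of the original thread: the function names are made up for illustration, and the full key path is the standard Windows location that the post abbreviates.

```powershell
# Added example (read-only): list what autostarts in a normal boot from the
# Run keys and Startup folders, with the Authenticode status of each target.

function Resolve-AutostartTarget([string]$Command) {
    # Reduce a Run value or Startup item to the file that actually executes.
    $expanded = [Environment]::ExpandEnvironmentVariables($Command).Trim()
    if ($expanded -match '^"([^"]+)"') { return $Matches[1] }    # "C:\dir with spaces\a.exe" /arg
    if ($expanded -like '*.lnk') {                                # Startup shortcut: follow it
        return (New-Object -ComObject WScript.Shell).CreateShortcut($expanded).TargetPath
    }
    if ($expanded -match '^(.+?\.(exe|com|bat|cmd|vbs|js|ps1))(\s|$)') { return $Matches[1] }
    return $expanded                                              # anything else: use as-is
}

function Get-AutostartEntry {
    $found = @(
        foreach ($key in 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
                         'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run') {
            if (-not (Test-Path $key)) { continue }
            $reg = Get-Item -Path $key
            foreach ($name in $reg.GetValueNames()) {
                [pscustomobject]@{
                    Location = $key
                    Name     = $name
                    Command  = [string]$reg.GetValue($name, '', 'DoNotExpandEnvironmentNames')
                }
            }
        }
        foreach ($dir in [Environment]::GetFolderPath('Startup'),
                         [Environment]::GetFolderPath('CommonStartup')) {
            if (-not $dir -or -not (Test-Path $dir)) { continue }
            Get-ChildItem -Path $dir -File -Force | Where-Object Name -ne 'desktop.ini' |
                ForEach-Object { [pscustomobject]@{ Location = $dir; Name = $_.Name; Command = $_.FullName } }
        }
    )
    foreach ($entry in $found) {
        $target = Resolve-AutostartTarget $entry.Command
        $status = 'TargetNotFound'        # label used here when the file is missing
        if ($target -and (Test-Path -LiteralPath $target -PathType Leaf)) {
            $status = [string](Get-AuthenticodeSignature -LiteralPath $target).Status
        }
        $entry | Add-Member -NotePropertyMembers @{ Target = $target; Signature = $status } -PassThru
    }
}

Get-AutostartEntry | Sort-Object Signature | Format-Table Name, Signature, Target, Location -AutoSize
```

Entries reported as NotSigned or TargetNotFound are the ones to review first. A Valid signature only says the file is signed and unmodified, not that the program is wanted.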

McLovin

I currently have my computer set to do a "full scan" when it's needed, i.e. when it's idle most of the time. As for the location I do it in, i.e. whether it's in safe mode or not, I always do it while normally booting into Windows. Yes, booting into safe mode is good to do it, but half the time when it is doing a scan I always end up doing something while it's doing one.
 
