|Sign In | Register|
|ThreatExpert Memory Scanner|
ThreatExpert Memory Scanner (TEMS) is a prototype product developed by the ThreatExpert team.
TEMS provides a "post-mortem" diagnostic to detect a range of high-profile threats that may be active in different regions of a computer’s memory. This tool is designed to assist in answering a common question asked by many customers whose systems have been infected by a threat: "Is my system still infected?"
Sometimes threats may potentially slip under the radar of conventional malware scanners by engaging in stealth techniques to hide their presence on a PC. Often, in such a scenario, the original threat file is encrypted with polymorphic encryptors which rely on anti-debugging and anti-emulation techniques, presenting a challenging task for malware scanners attempting to detect it. Such techniques are used by threat families including Citwail/Pandex/DieHard, Storm, Mailbot/Rustock and some others.
However, when such a threat is loaded in memory, it needs to decrypt its own malicious code, completely or partially, or it is unable to run. This is where TEMS comes in; by using advanced techniques it is able to detect traces of these threats in memory and alert you of their existence.
NOTE: ThreatExpert Memory Scanner provides detection of threats that are already active on a client’s computer system. It does NOT provide you with any ongoing protection and does it replace conventional anti-virus or anti-spyware products.
In the current beta release, the Memory Scanner does not attempt to remove any detected threats.
If the scanner is capable of locating a file linked to the offensive memory module, you may submit that file by using a stand-alone ThreatExpert Submission Applet.
ThreatExpert will then perform detailed analysis of the threat and builds a comprehensive report that describes any detected malicious behavior. A report is submitted to you via email and a copy of it is posted online.
In certain cases, when a threat injects malicious code into a legitimate process, the Memory Scanner may be unable to locate the malicious module(s) responsible for such code injection. Nevertheless, it should still be able to detect the injected malicious code and inform you if your computer is compromised or not.