I have 2 questions.

Suppose I use CIS to run a full scan of my computer. Would the whole process of a full scan include scanning the MBR? And how about the real-time protection? (Suppose my computer was infected with an MBR virus; would CIS detect it through real-time protection?)

I’ll tell you right off the bat: real-time scan will not intercept MBR infection. I don’t know if full scan looks at the MBR. Would seem to be a very robust AV if it didn’t though; a lot of bugs live there.

However, once the system boots, CIS is loaded fairly early in the boot process and begins to watch what’s being loaded during boot (HIPS and FW come into play very early on). One of the CIS AV options is to scan memory at start. It either recognizes the image by a specific hash attributable to an entry in the whitelist or not. If not, that image gets sandboxed and an alert appears. The only way that’s escaping detection is if the system is infected with a rootkit. Those are nasty and give IT security wonks - Comodo employs at least one at least part-time for at least 1/2 a shekel or two over minimum wage (I’m sure) - nightmares.

Once the system is running, real-time scanning is either on-access or stateful: on-access means every time a file is accessed for either modification or execution it is examined for malware; stateful only does that the first time any file is accessed after an AV definition update. The thinking there is that for the file to change after it’s been checked, something needs to access it, and to do so something needs permission to do so. If the rule doesn’t exist, an alert is generated.

One way that can occur is forged digital signatures. Virtually every AV product on the market relies on those. The first line of defense in the infection process is robust HIPS, sophisticated heuristics, i.e., learning, behavior analysis in conjunction with real-time cloud analysis of unknown memory images.
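The two mechanisms the answer above describes, hash-whitelisting of loaded images and stateful (scan-once-per-definition-update) on-access scanning, are easy to model. The following is an added illustration written for this page, not code from the poster or from Comodo, and it simplifies: the file paths, file contents, whitelist and definition version numbers are all constructed, and a real product would scan the file with its engine where this model only records that a scan happened.

```python
import hashlib

# Constructed sample "files": path -> content bytes (stand-ins, not real executables).
SAMPLE_FILES = {
    "C:/Windows/System32/known_service.exe": b"MZ-known-service-image",
    "C:/Users/alice/Downloads/setup.exe": b"MZ-unknown-installer-image",
}


def sha256_hex(data: bytes) -> str:
    """Content hash used both for whitelist lookup and for change detection."""
    return hashlib.sha256(data).hexdigest()


# Constructed vendor whitelist: hashes of images the vendor has vetted.
WHITELIST = {sha256_hex(SAMPLE_FILES["C:/Windows/System32/known_service.exe"])}


def classify_image(data: bytes, whitelist=WHITELIST) -> str:
    """Startup memory check: an image either matches a whitelisted hash or is unknown.

    In the answer's description, 'unknown' is what gets sandboxed and alerted on.
    """
    return "trusted" if sha256_hex(data) in whitelist else "unknown"


class StatefulScanner:
    """Model of stateful on-access scanning.

    A file is examined the first time it is touched after a definition update;
    later accesses skip the scan unless the content hash has changed (the
    modification itself would have gone through an on-access check).
    """

    def __init__(self, definitions_version: int):
        self.definitions_version = definitions_version
        # path -> (definition version it was last scanned under, content hash then)
        self._scanned = {}
        self.scan_count = 0

    def update_definitions(self, new_version: int) -> None:
        # A new definition set invalidates every cached verdict.
        self.definitions_version = new_version

    def on_access(self, path: str, data: bytes) -> str:
        """Return 'scanned' if the engine examined the file now, 'cached' if it was skipped."""
        digest = sha256_hex(data)
        if self._scanned.get(path) == (self.definitions_version, digest):
            return "cached"
        self.scan_count += 1  # stands in for the actual AV engine pass
        self._scanned[path] = (self.definitions_version, digest)
        return "scanned"


def demo() -> list:
    """Walk through the lifecycle: first access, repeat access, defs update, modification."""
    scanner = StatefulScanner(definitions_version=1)
    path = "C:/Users/alice/Downloads/setup.exe"
    data = SAMPLE_FILES[path]
    results = [
        scanner.on_access(path, data),          # first touch after install: scanned
        scanner.on_access(path, data),          # same content, same defs: cached
    ]
    scanner.update_definitions(2)
    results.append(scanner.on_access(path, data))          # new defs: scanned again
    results.append(scanner.on_access(path, data + b"!"))   # content changed: scanned
    return results


if __name__ == "__main__":
    for p, d in SAMPLE_FILES.items():
        print(f"{p}: {classify_image(d)}")
    print(demo())
```

The whitelist check is only as good as the trust behind the hashes: if an attacker can get a malicious image onto the trusted list (the forged-signature case the answer mentions), the check passes it through unchanged, which is why the answer puts HIPS and behaviour analysis in front of it.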