Why doesn't CIS antivirus scan files in the sandbox in real time?

Yeah. I will guess that he is re-enabling the real-time scanning after the sample is running in memory, and CIS is not scanning the memory.

…we will see if you are right! :wink:

For your experience:

  1. deactivate CAV
  2. download the EICAR virus test file and zip it with 7-Zip (free version 16) in SFX mode (self-extracting EXE)
  3. now activate CAV again
  4. execute the new EXE file (EICAR in SFX zip) and look …

Try adding the 7-zip extension or the extension that you are using to zip the file in the “decompress and scan archive files of extension(s):”

That’s not what I’m trying to show.

I said that the antivirus is not scanning real-time malware inside the sandbox.

It seems stateful won't scan it because the file has already been ‘seen’ when you converted it to an SFX archive, but if you set the AV to on access then it will detect upon extraction.

I can agree with that!!! :-TU

No, it's not detected!

Please, test it yourself …

  1. deactivate CAV
  2. download the EICAR virus test file and zip it with 7-Zip (free version 16) in SFX mode (self-extracting EXE)
  3. now activate CAV again
  4. execute the new EXE file (EICAR in SFX zip) and look …

I did, and it would only detect when AV was set to on access. But here is another SFX exe that contains malware; when you set the AV to on access, each extracted file generates alerts. GitHub - mikesiko/PracticalMalwareAnalysis-Labs: Binaries for the book Practical Malware Analysis

  1. Disable AV
  2. When PracticalMalwareAnalysis-Labs.exe download completes turn off ‘Decompress and scan files of extension’ in av settings.
  3. Set AV to on access and execute PracticalMalwareAnalysis-Labs.exe in containment.
  4. Press accept and then extract.

Attached are my AV event logs; remove the .txt extension.
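The test archive that both procedures above call for, built with Python's standard library as an added example (this is not code from the thread or from Comodo). It assembles the 68-byte EICAR test string, packs it into a plain `.zip` (the standard library cannot produce a 7-Zip SFX `.exe`, so this stands in for the 7-Zip step), checks that the archived member is the unmodified EICAR payload, and prints the SHA-256 of both payload and archive so that a detection (or a miss) in the AV event log can be matched to this exact file. The member name `eicar.com` and the default output filename are my own choices; the EICAR string is assembled from fragments only so that the script's own source file is not quarantined by an on-access scanner before it runs.

```python
"""Build and verify a reproducible EICAR test archive for on-access scan tests."""
import hashlib
import io
import sys
import zipfile

# The standard 68-byte EICAR test string, split into fragments so this .py
# file itself does not contain the contiguous signature (EICAR recommends
# this for any file that only carries the string as data).
_EICAR_PARTS = (
    "X5O!P%@AP[4\\PZX54(P^)7CC)7}",
    "$EICAR-STANDARD-",
    "ANTIVIRUS-TEST-FILE!$H+H*",
)


def eicar_bytes() -> bytes:
    """Return the EICAR test file contents (68 ASCII bytes, no newline)."""
    return "".join(_EICAR_PARTS).encode("ascii")


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256, for correlating with AV event log entries."""
    return hashlib.sha256(data).hexdigest()


def build_test_zip(member_name: str = "eicar.com") -> bytes:
    """Pack the EICAR payload into a deflated ZIP archive, entirely in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(member_name, eicar_bytes())
    return buf.getvalue()


def verify_test_zip(zip_bytes: bytes, member_name: str = "eicar.com") -> dict:
    """Confirm the archive really holds the unmodified EICAR payload.

    If the AV does not alert on extraction, this report lets the tester rule
    out a corrupted or altered test file as the cause.
    """
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        info = zf.getinfo(member_name)
        payload = zf.read(member_name)
    return {
        "member": member_name,
        "compressed": info.compress_type != zipfile.ZIP_STORED,
        "payload_ok": payload == eicar_bytes(),
        "payload_sha256": sha256_hex(payload),
        "archive_sha256": sha256_hex(zip_bytes),
    }


def main(argv: list) -> int:
    # Usage: python eicar_zip.py [output.zip]   (hypothetical script name)
    out_path = argv[1] if len(argv) > 1 else "eicar_test.zip"
    data = build_test_zip()
    report = verify_test_zip(data)
    if not report["payload_ok"]:
        print("payload mismatch, refusing to write archive", file=sys.stderr)
        return 1
    # Writing to disk is the moment an on-access scanner may react; the
    # in-memory build above is deliberately done before that point.
    with open(out_path, "wb") as fh:
        fh.write(data)
    print(f"wrote {out_path}")
    for key, value in report.items():
        print(f"  {key}: {value}")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it with the AV disabled, as in step 1, then re-enable the AV and extract or execute the archive in containment; the archive hash printed here is what the "decompress and scan archive files of extension(s)" setting is deciding on, and the payload hash is what an on-access scan should report at extraction time.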

PERFECT !!!

Now it scans the sandbox in real time.

Thank you very much !!!

good good good