Most tutorials about crypters assume that popular antiviruses don't scan programs executed directly from memory. However from what I've seen, some of them (e.g. Nod32) are able to scan RAM in search for known patterns. This makes me wonder... here's what I know:
[Malicious file] --> [Encrypter] --> [Stub + encrypted malicious file] --> [final executable]
If we run the final executable file, the Stub decrypts the malicious code, loads it to RAM and then executes it. I think that an antivirus program should detect the malicious code while it resides in RAM in an already decrypted form, waiting to be executed. Am I wrong?