26

I think every AV scanner uses some predictable recursive scan to search files for malware. Couldn't malware easily detect a scan and just move to an already checked location, determined by knowing which algorithm a certain AV scanner uses?

Is there any mechanism in place in AV scanners to prevent such behaviour?

Also, couldn't a rootkit remove itself during a scan and then put itself back into place after the scan is finished?

S.L. Barth
HopefullyHelpful

3 Answers

15

The main reason malware can't evade AV this way is that the on-access scanner will catch it.

From the AV's point of view, malware moving between files is the same problem as new files being created during the scan. A very simple solution is for the AV to keep track of new files being created (which includes existing files being renamed). This is done by hooking the OS API or with other lower-level hooks.

In theory, a perfect rootkit will be invisible to an AV. To increase the AV's chances against rootkits, the AV starts very early in the startup sequence, uses low-level ways of communicating with the OS and hardware, and monitors tampering activity against itself. Also, the first stage of a scan is of active processes and system binaries. That is done especially because in-memory malware can play tricks like the ones you mentioned.

Also bear in mind that any strange activity on the part of the malware, like moving files, jumping through the memory of different processes and using rootkit-like methods, will only attract attention to it, because legitimate software does not behave that way. Strange behaviour will be flagged by the AV heuristics, which might help detect the malware, or the binary might be uploaded to the AV servers for further analysis and cross-checking.

HopefullyHelpful
Cristian Dobre
  • (5) Assuming the malware doesn't have "lower" hooks... The question becomes: who has the lowest-level hooks? If the malware's/rootkit's hooks are low enough, they can lie well enough... – WernerCD Jul 29 '15 at 20:20
  • (2) Rootkits can change how the operating system functions and in some cases can tamper with the anti-virus program and render it ineffective. – Jul 29 '15 at 20:37
  • *bear in mind... A person who is bare in mind probably has more serious problems than computer viruses :P – billc.cn Jul 31 '15 at 15:01
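The race this answer describes, as an added example that is not part of the original answer or of any AV product: a predictable sorted walk over a temp directory, a simulated piece of malware that hops into the directory the scanner has just finished, and the "keep track of new and renamed files" fix. The `FileEvents` class, the marker bytes and the directory layout are assumptions made for the simulation; a real product receives those events from a filesystem filter driver or fanotify, not from Python, but the queue-and-drain logic is the same.

```python
"""Added example: a scan-time race and the on-access countermeasure.

Simulation only. SIGNATURE is a constructed marker, and FileEvents stands in
for the OS-level hook (filter driver, inotify/fanotify) that lets an on-access
scanner see files created or renamed while a walk is in progress.
"""
import os
import shutil
import tempfile
from collections import deque

SIGNATURE = b"EICAR-LIKE-TEST-MARKER"  # constructed marker, not a real signature


def is_malicious(path):
    with open(path, "rb") as fh:
        return SIGNATURE in fh.read()


class FileEvents:
    """Stand-in for the OS hook: every rename is recorded for the scanner."""

    def __init__(self):
        self.pending = deque()

    def rename(self, src, dst):
        os.rename(src, dst)
        self.pending.append(dst)


def naive_scan(root, after_dir=None):
    """Predictable depth-first, alphabetical walk with no on-access component.

    after_dir(dirpath) fires once a directory is fully scanned; it is how the
    simulated malware "watches" the scanner's progress.
    """
    found = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()  # predictable order, as the question assumes
        for name in sorted(filenames):
            path = os.path.join(dirpath, name)
            if is_malicious(path):
                found.append(path)
        if after_dir is not None:
            after_dir(dirpath)
    return found


def tracking_scan(root, events, after_dir=None):
    """Same walk, then drain everything the hook saw being renamed or created
    during the walk (the answer's 'very simple solution')."""
    found = naive_scan(root, after_dir)
    while events.pending:
        path = events.pending.popleft()
        if os.path.exists(path) and path not in found and is_malicious(path):
            found.append(path)
    return found


def build_fixture():
    """Constructed layout: root/a/clean.txt and root/b/evil.bin."""
    root = tempfile.mkdtemp(prefix="avsim-")
    os.makedirs(os.path.join(root, "a"))
    os.makedirs(os.path.join(root, "b"))
    with open(os.path.join(root, "a", "clean.txt"), "wb") as fh:
        fh.write(b"nothing to see here")
    with open(os.path.join(root, "b", "evil.bin"), "wb") as fh:
        fh.write(b"MZ" + SIGNATURE + b"payload")
    return root


def make_mover(root, events):
    """Simulated malware: as soon as a/ has been scanned, hop from b/ into a/."""
    evil = os.path.join(root, "b", "evil.bin")

    def after_dir(dirpath):
        if os.path.basename(dirpath) == "a" and os.path.exists(evil):
            events.rename(evil, os.path.join(dirpath, "evil.bin"))

    return after_dir


def run_demo():
    """Relative paths each scanner reports against a fresh fixture."""
    results = {}
    for name in ("naive", "tracking"):
        root = build_fixture()
        events = FileEvents()
        mover = make_mover(root, events)
        if name == "naive":
            hits = naive_scan(root, after_dir=mover)
        else:
            hits = tracking_scan(root, events, after_dir=mover)
        results[name] = [os.path.relpath(p, root).replace(os.sep, "/") for p in hits]
        shutil.rmtree(root)
    return results


if __name__ == "__main__":
    print(run_demo())  # {'naive': [], 'tracking': ['a/evil.bin']}
```

The naive walk misses the file because by the time it reaches `b/` the file has already moved into `a/`, which was scanned earlier. The tracking scan does not need to know anything about the malware's strategy: any rename or create that lands while the walk is running is re-queued, which is why the answer treats "moved during the scan" and "created during the scan" as the same problem.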
12

"Hide and seek" scenario

Some AVs perform "linear search" scans, whereas others scan in random order (e.g. AVG). But hiding a virus with such a hide-and-seek strategy is not the best approach, since it would add too much complexity to its development. There are some categories of virus, such as stealth (intercepting calls from the OS and returning bogus or invalid responses), encrypted (scrambling themselves to avoid detection) or cavity (embedding into a file without changing its size or format), which deal better with evasion.

How does AV work?

AVs work in two different ways. One is based on known patterns of previously identified viruses. The other relies on "heuristic" checking: looking for kinds of malicious, uncommon or unexpected system behaviour.

Rootkit vs Virus

A rootkit is different from a virus in that it is a type of malware that is activated before your operating system has completely booted up. Rootkits typically have privileged access to the operating system. An AV therefore isn't the right weapon against rootkits.
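The two detection modes described in this answer, as an added example (not the answer's or any vendor's code): a signature check over raw bytes, an XOR scrambling that stands in for the "encrypted" category from the first section, and a weighted behaviour heuristic over a constructed event trace. The marker, the rule names, the weights and the threshold are illustrative assumptions; the point is that the scrambled copy defeats the pattern check while its run-time behaviour still trips the heuristic.

```python
"""Added example: pattern (signature) detection versus behavioural heuristics.

Everything here is constructed for illustration: the marker, the XOR
scrambling, the rule weights and the event trace.
"""

SIGNATURE = b"EICAR-LIKE-TEST-MARKER"  # constructed marker, not a real signature


def signature_scan(blob):
    """Known-pattern detection: fires only when the exact byte sequence is present."""
    return SIGNATURE in blob


def xor_scramble(blob, key=0x5A):
    """Trivial self-scrambling: destroys the byte pattern on disk while the
    program can still unscramble itself at run time (XOR is its own inverse)."""
    return bytes(b ^ key for b in blob)


# Behavioural rules: things legitimate software practically never does.
# Weights are assumptions; a real engine tunes them against false-positive data.
RULES = {
    "rename_own_image": 3,      # moved its own executable during a scan
    "write_other_process": 4,   # wrote into another process's memory
    "patch_kernel_table": 5,    # rootkit-style hooking of kernel structures
    "open_document": 0,         # ordinary activity, carries no weight
}
THRESHOLD = 5


def heuristic_scan(events):
    """events: iterable of (pid, event_name). Returns pids whose summed
    suspicion reaches THRESHOLD, regardless of the bytes in their image."""
    scores = {}
    for pid, kind in events:
        scores[pid] = scores.get(pid, 0) + RULES.get(kind, 0)
    return sorted(pid for pid, score in scores.items() if score >= THRESHOLD)


# Constructed samples: a plain image and a scrambled copy of the same thing.
PLAIN_IMAGE = b"MZ\x90\x00" + SIGNATURE + b"...payload..."
SCRAMBLED_IMAGE = xor_scramble(PLAIN_IMAGE)

# Constructed trace: pid 1001 is a word processor, pid 2002 runs the scrambled sample.
EVENT_TRACE = [
    (1001, "open_document"),
    (1001, "open_document"),
    (2002, "rename_own_image"),
    (2002, "write_other_process"),
    (1001, "open_document"),
]


def run_demo():
    return {
        "signature_plain": signature_scan(PLAIN_IMAGE),
        "signature_scrambled": signature_scan(SCRAMBLED_IMAGE),
        "unscramble_restores": xor_scramble(SCRAMBLED_IMAGE) == PLAIN_IMAGE,
        "heuristic_flagged": heuristic_scan(EVENT_TRACE),
    }


if __name__ == "__main__":
    print(run_demo())
```

The signature scanner returns `True` for the plain image and `False` for the scrambled one, even though a single XOR pass restores the original; the heuristic flags pid 2002 (score 7) and leaves the word processor at 0. Real engines combine both: the pattern check is cheap and precise, the behaviour check is what catches a variant nobody has a signature for yet.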

4

This is entirely possible, although the virus would need to have some way of telling what the AV scanner is doing (since many run constantly, whether or not they're scanning). It would be unreliable, especially in comparison to other techniques such as concealment of the executable.

A rootkit can completely hide itself from the infected operating system - as far as your computer is concerned, it doesn't exist. This makes it very difficult to detect them with standard antivirus applications.

etherealflux