Do you still have the files as they are detected? I would suggest sending them in to the labs as a sample for more info. They can tell you when they were detected and how. It could be that originally they may have been picked up at run time using HIPS/live protection, and if they weren't actually run, just dropped, these methods wouldn't have had a chance to convict the files. Maybe later more generic detection was added that could detect them statically, hence the later detection. Also, on-access scans don't have scan inside archives, so they wouldn't be picked up at run-time unless unpacked if they are archive files. Scheduled scans are more likely to have scan inside archives so could pick them up.

Regards,
Jak