Skip to content

A full antivirus scan came back clean — does that prove the machine isn't compromised?

Short answer

No. Antivirus is one signal, not proof. It misses fileless and in-memory attacks, brand-new or obfuscated samples, living-off-the-land abuse of legitimate tools, and rootkits built to hide from it. Absence of evidence is not evidence of absence — real assurance comes from EDR telemetry, memory forensics, behavioral analysis, and IOC hunting. Treating a clean AV scan as proof of a clean system is a classic incident-response mistake.

The reassuring word "clean" does a lot of work here. People hear it as "verified safe," but an antivirus scan answers a much narrower question: "did any file match a known-bad pattern?" A no isn't a guarantee — it's the absence of one specific kind of evidence.

What AV can and can't see

Signature-based and even heuristic AV is fundamentally built to inspect files on disk. That makes whole categories of modern attacks structurally hard or impossible for it to catch:

  • Fileless / in-memory — malicious code that runs only in RAM (reflective loaders, injected shellcode) never lands a file to scan.
  • Novel or zero-day — a sample with no existing signature simply isn't recognized.
  • Obfuscated / packed — recompiling or packing changes the hash and defeats naive matching.
  • Living-off-the-land (LOLBins) — abuse of legitimate, signed tools like PowerShell, certutil, or wmic; there's no malicious file, just malicious use.
  • Rootkits / kernel implants — designed specifically to hide from the very scanner asking the question.

Absence of evidence ≠ evidence of absence

This is the core epistemic point in incident response. A clean scan tells you AV didn't find anything it knows how to find. It cannot tell you nothing is there. Treating "no detection" as "no compromise" is exactly how dwell time stretches into months — the attacker is quiet because they're good, not because they're gone.

What real assurance looks like

To actually raise confidence a host is clean, you layer signals AV can't provide:

  • EDR telemetry — process trees, command lines, parent-child anomalies, network connections.
  • Memory forensics — capturing and analyzing RAM for injected code and unbacked executable regions.
  • Behavioral analysis and IOA matching — spotting behavior rather than known files.
  • IOC and threat hunting — proactively searching for known indicators and anomalies across the fleet.

The interview takeaway

The strong answer names specific evasions (fileless, LOLBins, rootkits) and says assurance comes from behavioral telemetry and forensics, not a signature pass. Declaring a host clean on AV alone is a textbook IR error.

Likely follow-ups

  • Which attack classes are structurally invisible to signature-based scanning?
  • What telemetry would raise your confidence that a host is actually clean?
  • Why is 'absence of evidence is not evidence of absence' central to incident response?

Sources

Certifications

Get 100 cybersecurity interview questions + answers

Drop your email and we'll send you the free PDF pack and the flashcard deck.

No spam. Unsubscribe anytime.