Rob MacGregor wrote:

1) You'd need to decode the packet contents on the fly
2) Anything running over 1 packet would never be spotted

Just wondering how far a signature can go? Does the scanner need to go back and forth in a file for scanning, or can it scan a stream as it passes by? How far does it need to go if it has to go backwards? What about zip files? Do they need to be unzipped before scanning?

The idea is to have a small packet queue where the last n packets are stored, scanned and then transmitted in a cyclic fashion, i.e. the first n-1 packets will just get queued; when the nth packet arrives, the queue is scanned, the 1st packet is released and the nth packet is appended to the queue. This process is repeated for every packet.

Now don't flame me about performance, I just want to know if such an arrangement will catch all viruses in that stream or if some viruses will get past this. What I'm just looking at is whether such a thing is ever possible (as opposed to feasible). The aim is to catch malware that comes via a random TCP connection, like some sort of P2P application.

raj
_______________________________________________
http://lurker.clamav.net/list/clamav-users.html
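
The n-packet queue described in the message above, sketched as an added example that is not part of the original post and is not ClamAV code. It assumes in-order payloads of a single TCP stream, a plain byte-substring signature (`SIGNATURE` is a constructed placeholder) and no compression or encoding; `scan_stream`, `split` and `leaked` are hypothetical names.

```python
from collections import deque

# Constructed stand-in for a signature; real scanners use richer pattern formats.
SIGNATURE = b"MALWARE-TEST-PATTERN"   # 20 bytes

def scan_stream(packets, n, signature=SIGNATURE):
    """Hold the last n payloads, scan the queue on every arrival, then release
    the oldest. Returns (released, blocked): payloads forwarded before any
    match, and payloads still held in the queue when the signature matched.
    """
    queue = deque()
    released = []
    for payload in packets:
        queue.append(payload)
        if signature in b"".join(queue):
            return released, list(queue)      # match: held packets can be dropped
        if len(queue) == n:
            released.append(queue.popleft())  # oldest packet is now out of reach
    released.extend(queue)                    # end of stream: flush the remainder
    return released, []

def split(data, size):
    """Cut a byte string into fixed-size payloads (constructed sample traffic)."""
    return [data[i:i + size] for i in range(0, len(data), size)]

def leaked(released, signature=SIGNATURE):
    """True if the forwarded bytes, once reassembled, contain the signature."""
    return signature in b"".join(released)

if __name__ == "__main__":
    # Constructed stream: filler, the pattern at offset 30, more filler.
    stream = b"A" * 30 + SIGNATURE + b"B" * 30
    for size, n in [(8, 4), (8, 3), (16, 3)]:
        released, blocked = scan_stream(split(stream, size), n)
        print(f"payload={size:2d}B n={n}: blocked={bool(blocked)} "
              f"leaked={leaked(released)}")
```

A pattern is seen only when all of its bytes sit in the queue at the same moment, so coverage depends on how the stream is segmented as well as on n: the same n=3 queue matches the pattern with 16-byte payloads and forwards it intact with 8-byte payloads.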
