Hi all,

My question for today is: how do virus scanners work? I mean the really excellent scanners like Sophos and Norton, amongst others.

I mean, they do check for signatures of a virus identity? But what method? I can think of a few possibilities to make my question clearer....

1. Scan for size of file, or header of file, or structure of file (probably not)?
2. Scan for include files and include library, and procedures?
3. Scan for the sequence in which a file executes, e.g. getting addresses, then opening a socket, then connecting to SMTP?
4. Scan for standard declared texts? e.g. Subject db "Credit Card details",0

The question begs to be asked: if updated virus identity files are 'modified', can it become a threat to the virus programs, since they mostly run with SYSTEM privileges? How is this prevented?

Thanks in advance, I am very curious.

regards
Steve

Note: one of our readers has a virus; it was sent to those who responded to the WAN/LAN Remote Management thread. I don't know who it is, as the return path is altered. It had a ".mp3.pif" extension with no malicious payload.
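As an added illustration of two of the ideas in the post (not Steve's code, and not how any named product is implemented): a toy signature scanner that matches files against a signature database by full-file hash or by embedded byte pattern, and that refuses to load a database whose authentication tag does not verify, which is the usual answer to the "what if the identity file is modified" concern. The database contents, the vendor key and the sample files are all constructed for the example; real products use vendor-signed updates rather than a shared HMAC key.

```python
import hashlib
import hmac
import json

# Constructed signature database. Each entry names a detection and carries either a
# full-file SHA-256 or a hex byte pattern that must appear somewhere in the file.
SIGNATURE_DB = json.dumps({
    "signatures": [
        # Pattern signature: the literal text from the post, as point 4 describes.
        {"name": "Test.Pattern.A", "pattern": b"Credit Card details".hex()},
        # Hash signature: matches one exact file only.
        {"name": "Test.Hash.B", "sha256": hashlib.sha256(b"evil sample").hexdigest()},
    ]
}).encode()

# Constructed key standing in for the vendor's update-signing key.
VENDOR_KEY = b"constructed-vendor-key"


def sign_db(db_bytes: bytes, key: bytes = VENDOR_KEY) -> str:
    """Tag a database the way a vendor would before shipping an update."""
    return hmac.new(key, db_bytes, hashlib.sha256).hexdigest()


def load_db(db_bytes: bytes, tag: str, key: bytes = VENDOR_KEY) -> list:
    """Load signatures only if the tag verifies; a tampered file raises ValueError."""
    if not hmac.compare_digest(sign_db(db_bytes, key), tag):
        raise ValueError("signature database failed integrity check; refusing to load")
    return json.loads(db_bytes)["signatures"]


def scan(data: bytes, signatures: list) -> list:
    """Return the names of every signature that matches the file contents."""
    digest = hashlib.sha256(data).hexdigest()
    hits = []
    for sig in signatures:
        if "sha256" in sig and hmac.compare_digest(sig["sha256"], digest):
            hits.append(sig["name"])
        elif "pattern" in sig and bytes.fromhex(sig["pattern"]) in data:
            hits.append(sig["name"])
    return hits


if __name__ == "__main__":
    sigs = load_db(SIGNATURE_DB, sign_db(SIGNATURE_DB))
    for sample in (b"Subject: Credit Card details", b"evil sample", b"hello world"):
        print(sample, "->", scan(sample, sigs))
```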