All geek questions in one place

Real time monitoring technique

The best-known AntiVirus software has a real-time monitoring feature, which means that it can scan files before they are available or executed. How can such a method be implemented? There is something in .NET called filewatcher I don’t know if this is the same idea that is used in AntiVirus.

+4
source share
2 answers

Typically, antivirus software installs a filter driver that connects to a file system driver in the Windows kernel. Thus, all requests to the file file are first delivered to the filter, which then determines whether the request should be forwarded or rejected.

Please note that connecting the Windows API or any other API in user mode is usually not enough, as malicious software can always directly access the kernel, bypassing the connected API.

+6
source

Function Binding (Win) API is a common solution for such tasks, but I believe that this is just the tip of the iceberg. This is not much said in the wiki ( Detection subsection). Thus, you need to learn how to intercept API functions and internal components of Windows in general. I would suggest Windows through C ++ as a good starting point to solve this global problem.

+1
source

Source: https://habr.com/ru/post/1379760/

More articles:


All Articles