Author Topic: isn't "scan created files" completely sufficient??  (Read 2720 times)


Offline Lars

  • Newbie
  • Posts: 12
isn't "scan created files" completely sufficient??
« on: December 05, 2003, 10:00:29 PM »
see subject -- because any virus has to come from a file or must write itself to a file, even Outlook's e-mails are written to disk, so shouldn't write scanning be sufficient to suppress viri spreading or starting to become active? -- does avast also scan files for virus-properties, e.g. registry entries for known virus "signatures"?


what's faster? scanning before/on write or before opening? Btw. does it scan before write or after writing a file?


Lars

Offline igor

  • Avast team
  • Serious Graphoman
  • Posts: 11751
    • AVAST Software
Re:isn't "scan created files" completely sufficient??
« Reply #1 on: December 05, 2003, 10:29:36 PM »
Your last question is the key one. The scan is performed after the write (in fact, it's performed when the file is closed). Therefore, catching the virus by this kind of scan is sort of "too late", since the file is already infected.

Unfortunately, it's not possible to change. Imagine that a virus is infecting the file in multiple steps - each time writing only a part of its body. Scanning the file after every write (it could be written byte by byte!) could be very slow. But even if it were done this way - the file may not be detected as infected during the first write; it could be detected after a number of writes... and at this point, the file is already damaged (it's questionable, but it may be better if the file is infected "completely" and "working", instead of incompletely and useless).

Btw, true worms (based on network protocol buffer overflows) don't need to be written to disk to activate; but that's out of the scope of an antivirus anyway (you need a firewall to prevent this kind of attack).
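The trade-off described in the reply above, as an added example that is not part of the original thread and not Avast's code: a toy whole-file signature scanner is run either after every write or once on close, while a payload is appended byte by byte. The marker string, function names and sample sizes are all constructed for illustration.

```python
import os
import tempfile

# Constructed, harmless marker standing in for a signature (assumption).
SIGNATURE = b"DEMO-SIGNATURE-0001"


def scan_file(path):
    """Whole-file signature scan; returns (detected, bytes_read)."""
    with open(path, "rb") as fh:
        data = fh.read()
    return SIGNATURE in data, len(data)


def simulate(original, payload, chunk_size, scan_every_write):
    """Append payload to a file in chunks, scanning per write or once on close."""
    stats = {"writes": 0, "scans": 0, "bytes_scanned": 0, "detected_after_write": None}

    def scan(path):
        hit, size = scan_file(path)
        stats["scans"] += 1
        stats["bytes_scanned"] += size
        if hit and stats["detected_after_write"] is None:
            stats["detected_after_write"] = stats["writes"]

    fd, path = tempfile.mkstemp()
    try:
        with os.fdopen(fd, "wb") as fh:
            fh.write(original)          # the clean file as it existed before
        with open(path, "ab") as fh:
            for i in range(0, len(payload), chunk_size):
                fh.write(payload[i:i + chunk_size])
                fh.flush()              # make the write visible to the scanner
                stats["writes"] += 1
                if scan_every_write:
                    scan(path)
        if not scan_every_write:
            scan(path)                  # single scan once the file is closed
    finally:
        os.remove(path)
    return stats


if __name__ == "__main__":
    clean = b"A" * 100
    body = b"X" * 10 + SIGNATURE + b"Y" * 10   # constructed sample input
    print("per write:", simulate(clean, body, 1, True))
    print("on close: ", simulate(clean, body, 1, False))
```

With this sample, per-write scanning first detects the marker only after write 29, when the file has already been modified, and it reads far more data in total than the single scan on close.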

Offline Lars

  • Newbie
  • Posts: 12
Re:isn't "scan created files" completely sufficient??
« Reply #2 on: December 06, 2003, 03:04:24 PM »
ah, thanks for clearing this up!!