Experts,
I was trying to start my own hobby Antivirus project for Windows. Those who
follow this list regularly might remember that this is not my first project
in the Windows Kernel. I have worked on some file system filters before;
however, as I was always curious about viruses, I decided to entertain myself
a bit.
One holy soul told me there are two ways by which real time scanning can be
achieved.
One could be to write a user-land service, send the file name to that
service from the driver, and scan it there.
The other would be to load the defs in kernel mode itself and scan it
there.
I see some distinct advantages of option 1. Debugging a user-level library
would be easier. Maintaining it is easier. If I define the interfaces
properly, then the implementation changes can be easily masked off in the
design.
Great, but I really want to know the REAL nitty-gritties of antivirus. If
some of you who have worked in AV technologies can guide me as to the
better approach here (of these two, or even another approach I never
thought of), I would be obliged.
Hoping to hear from you…
–
- amitr0