Re: [BULK] - Re: AV Article

Hi Mesdaq,

If you find this article, could you please send me the link to it? I'm also
interested in such topics.

Thanks in advance.

Regards,
Ray Yang
xxxxx@ybwork.com
----- Original Message -----
From: “Mesdaq, Ali”
To: “Windows System Software Devs Interest List”
Sent: Friday, July 09, 2004 4:39 AM
Subject: RE: [BULK] - Re: [ntdev] AV Article

Thank you very much, this is great. I still wish I could find that
article; I bet you would have liked it too. It covers how the AV
companies actually scan a file, like how they overcome encryption
and other techniques AV writers use to hide. It also talks about how,
when AV first started, people were saying it would be impossible to
create detection mechanisms, and that actually implementing them in the real
world would completely overload a machine. I am gonna keep googling and
let you know if I have found anything, since you seem to be interested as
well.
Thanks

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Programmers
Society Prokash Sinha
Sent: Thursday, July 08, 2004 12:18 PM
To: Windows System Software Devs Interest List
Subject: [BULK] - Re: [ntdev] AV Article

It must be a very old posting :-). Since lately I was mucking around
w/ some virus stuff (actual dev etc.), I would recommend the following -

a) Get to the open-source Clam-AV, very very hands-on though fairly
basic
b) Make sure you understand packing of databases (like pkzip and
others). You need it, and a crypto-enabled database is a bit better
c) Cohen published quite a bit of information and that helps too. It
also provides some benign viruses, A BIT DANGEROUS
d) Search the Trusted Computing initiative of Microsoft, you will find
interesting info there too ...
e) Kaspersky Lab is on top of documenting some of the weird viruses,
mainly polymorphic ones ...
f) If you happen to have the filter manager of the IFS kit, don't forget to
read the scanner code example

Finally, one of the fairly famous companies did not even change the filter
driver name filespy, a bit sloppy but they are good :)

Wish I had a two-month sabbatical, then I could port Clam-AV to
Windows, that would be interesting, since we could use the filter
manager idea :)

-pro


Questions? First check the Kernel Driver FAQ at
http://www.osronline.com/article.cfm?id=256

You are currently subscribed to ntdev as: xxxxx@websense.com
To unsubscribe send a blank email to xxxxx@lists.osr.com
