Virus scanners work both by checking for the attributes listed by Steve, as
well as the checksums of the virus, the individual code made by compiling
the code.

As to Matthew's question, I find that one of the best scanners out there is
Sophos Anti-Virus.

This has both a Check on Demand feature, as well as a realtime file scanner
(Interchk).

What this does (especially on a network) is scan a file as soon as it is
opened by a program.
Also, Interchk can tie into Mail Virus programs and Content filters (one
notable example being MimeSweeper by Content Technologies).

Sophos also has excellent customer support in terms of ASA (As Soon As)
notification of viruses via email lists, and Interim updates (kind of like
Snap Ins until the next monthly CD comes out).

I have never really used Norton so I can't especially comment on the
"Greatness" of it.

HTH

Andrew Jones.

> -----Original Message-----
> From: Matthew J. Landheim [SMTP:[EMAIL PROTECTED]]
> Sent: 02 February 2002 19:46
> To:   [EMAIL PROTECTED]
> Subject:      Re: Virus Scanners
> 
> Is Norton an "excellent" virus scanner these days?  I haven't been
> following the scene for a few years, but it seems like the Norton
> scanner was more of a toy than a tool a few years back; if you wanted
> a good scanner in those days, you went with F-Secure
> (www.datafellows.com), which had the best (if not the only) heuristic
> engine at the time and a very good dictionary. Who makes good scanners
> these days, and what makes them so good?
> 
> --Matt Landheim
> 
> Wednesday, January 30, 2002, 7:17:00 PM, you wrote:
> 
> > Hi all,
> 
> > My question for today is How Do Virus Scanners work ? I mean the really
> > excellent scanners like Sophos and Norton, amongst others.
> 
> > I mean, they do check for signatures of a Virus identity ? But what method ?
> > I can think of a few possibilities to make my question clearer ....
> 
> > 1. Scan for size of file, or header of file, or structure of file (probably not)
> > 2. Scan for include files and include library, and procedures ?
> > 3. Scan for the sequence at which a file executes, for eg, getting
> > addresses, then open socket, connect to SMTP ?
> > 4. Scan for standard declared texts ? eg. Subject db "Credit Card details",0
> 
> > Question begs to be asked, if updated Virus identities files are 'modified',
> > can it become a threat to the Virus programs, since they mostly run with
> > SYSTEM privileges ? How is this prevented ?
> 
> > Thanks in advance, I am very curious.
> 
> > regards
> 
> > Steve
> 
> 
> > note : One of our readers has a virus, it was sent to those who responded
> > to the WAN/LAN Remote Management thread. I don't know who it is as the return
> > path is altered, it had a ".mp3.pif" extension with no malicious payload.
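
The three kinds of check mentioned in this thread (a checksum of a known sample, a byte sequence inside the file, and a file attribute such as the ".mp3.pif" name), shown side by side as an added example that is not part of the original messages and not any vendor's implementation. All signature names, sample bytes and extension lists are constructed for illustration.

```python
import hashlib
import re

# Constructed "virus identity" data for illustration only; real products ship
# far larger, vendor-maintained databases in their own formats.
SAMPLE_BODY = b"MZ\x90\x00 constructed-demo-body \xde\xad\xbe\xef end"
KNOWN_SHA256 = {hashlib.sha256(SAMPLE_BODY).hexdigest(): "Demo.Exact"}
BYTE_PATTERNS = {"Demo.Pattern": re.compile(rb"\xde\xad\xbe\xef")}

# A harmless-looking extension followed by one Windows will execute.
DECOY_EXT = {"mp3", "jpg", "txt", "doc", "gif"}
EXEC_EXT = {"pif", "exe", "scr", "com", "bat", "vbs"}


def deceptive_name(filename):
    """True for names such as 'song.mp3.pif' (decoy + executable extension)."""
    parts = filename.lower().rstrip(". ").split(".")
    return len(parts) >= 3 and parts[-1] in EXEC_EXT and parts[-2] in DECOY_EXT


def scan(filename, data):
    """Return a sorted list of findings for one file or mail attachment."""
    findings = []
    # 1. Checksum match: catches only a byte-for-byte copy of a known sample.
    name = KNOWN_SHA256.get(hashlib.sha256(data).hexdigest())
    if name:
        findings.append("checksum:" + name)
    # 2. Byte-sequence match: survives changes elsewhere in the file.
    for sig, pattern in BYTE_PATTERNS.items():
        if pattern.search(data):
            findings.append("pattern:" + sig)
    # 3. Attribute check on the name, independent of the content.
    if deceptive_name(filename):
        findings.append("name:double-extension")
    return sorted(findings)


if __name__ == "__main__":
    print(scan("report.doc", SAMPLE_BODY))
    print(scan("report.doc", SAMPLE_BODY + b"\x00"))   # one byte appended
    print(scan("song.mp3.pif", b"no known bytes here"))
```

The second call shows why a checksum alone is not enough: appending a single byte changes the hash, so only the byte-sequence check still fires.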
