How professional Anti-Virus products operate

Good, complete professional Anti-Virus / Anti-Spyware products work by safely (and in a protectable fashion) hooking, at kernel level, all the known operating system calls which could possibly lead to executable code being introduced to the system and scheduled to run on any CPU. (Note: there are various techniques for kernel hooking; IRP filtering is a powerful control mechanism.) They analyse all incoming requests for execution and, based on both a rules base (heuristics) and a known threat list (virus database), determine whether or not to allow the code to proceed to execution (i.e. whether it is non-viral or safe code).
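The two-stage decision described above (known threat list first, then a heuristics rules base) modelled in user-space Python as an added example; it is not code from the original page or from any product, and the sample hash, rule set, weights and block threshold are assumptions chosen for illustration:

```python
import hashlib
from dataclasses import dataclass

# Constructed sample "virus database": SHA-256 digests of known-bad file bodies.
KNOWN_BAD_HASHES = {
    hashlib.sha256(b"CONSTRUCTED-SAMPLE-MALWARE-BODY").hexdigest(),
}

# Rules base: (rule name, predicate on the request, weight). Assumed values.
BLOCK_THRESHOLD = 4
HEURISTICS = [
    ("unsigned binary", lambda r: not r.signed, 2),
    ("runs from a temp directory", lambda r: "\\temp\\" in r.path.lower(), 2),
    ("spawned by a document viewer",
     lambda r: r.parent.lower() in {"winword.exe", "acrord32.exe"}, 3),
    ("registers itself to run at boot", lambda r: r.autostart_write, 2),
]

@dataclass
class ExecRequest:
    """What the filter sees when the OS is asked to schedule new code."""
    path: str
    content: bytes
    signed: bool = True             # carries a valid code signature
    parent: str = "explorer.exe"    # process that requested the launch
    autostart_write: bool = False   # also writes a run-at-boot registry key

def signature_match(req: ExecRequest) -> bool:
    """Known-threat list lookup: exact hash of the file body."""
    return hashlib.sha256(req.content).hexdigest() in KNOWN_BAD_HASHES

def heuristic_score(req: ExecRequest):
    """Rules-base pass: (total weight, names of the rules that fired)."""
    fired = [(name, w) for name, pred, w in HEURISTICS if pred(req)]
    return sum(w for _, w in fired), [name for name, _ in fired]

def verdict(req: ExecRequest):
    """Allow or block the execution request, with the reasons for the call."""
    if signature_match(req):
        return "block", ["matches known threat database"]
    score, fired = heuristic_score(req)
    if score >= BLOCK_THRESHOLD:
        return "block", fired
    return "allow", fired

if __name__ == "__main__":
    req = ExecRequest(r"C:\Users\x\AppData\Local\Temp\inv.exe", b"dropper",
                      signed=False, parent="winword.exe")
    print(verdict(req))  # ('block', [...three rules that fired...])
```

Note that the heuristics can block code whose hash has never been seen, which is exactly the gap the signature list alone leaves open.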

Some products offer anti-viral features specifically focused on the operation of the product itself (such as Registry Manager 2008). These features use domain knowledge to identify and prevent third-party programs from interfering with the product's correct operation.

Viruses attempt to circumvent all protection mechanisms by finding new, previously unknown or little understood methods to get their code executed. Therefore, Anti-Virus programs generally only provide protection against known or well understood threats (ones which are usually avoidable anyway by understanding what you are agreeing to when you allow a process high privileges). Having said that, when there is a feature of the operating system which is useful but commonly exploited, Anti-Virus solutions serve the purpose of providing a higher level of control over the feature being exploited. Therefore, as time moves on from the release date of an operating system, an anti-virus product becomes more important as more ways and means of "taking advantage" of the changes in the OS are discovered. Also, an anti-virus is especially important if you are running an operating system which has reached the end of its "product support / update cycle", since at this point any "flaws" remaining in the operating system can only be redressed by an up to date anti-virus product.
