Full Version: Virus Detection
saetji
I was wondering if anyone could explain how antiviruses scan for viruses even if you try to hide them by using packers etc.

I was under the impression they checked the first 21 bytes or so of a file (the header) to identify the programs, but from the looks of it all DOS-based programs have the same 21-byte header, which made me a little confused.

Any help?
buzzons
They don't just look at the header; they look for other specific strings within the exe itself, and what DLLs it calls. Some AVs also check the exe for well-known start-up scripts and other malicious code and quarantine on that basis.

Packers do a good job of destroying these snippets of code that the AVs look for; however, the better AVs either detect the exe as being packed or they unpack it and then see it's a virus.

Others monitor the exe when it goes into memory, thus it has been unpacked and is its true self once again.

Buz
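An added example, not code from any poster in this thread, that shows in Python the three points Buz makes: the header alone cannot tell programs apart, string signatures and imported DLL names do, and a packer hides those strings until the scanner either notices the packed (high-entropy) body and unpacks it or watches the program after it unpacks itself. The MZ stub, the sample bodies, the signature table and the zlib "packer" are all constructed stand-ins for this example; none of it is a real executable, real malware or a real AV signature.

```python
import hashlib
import math
import re
import zlib

# Every DOS/Windows executable starts with the same "MZ" stub, which is why
# checking only the first bytes cannot tell programs apart. This 16-byte stub
# and the sample bodies below are constructed for this example.
MZ_STUB = b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"

def make_sample(tail):
    """Stub + a body of random-looking hex text (stands in for code) + a tail of strings."""
    body = b"".join(hashlib.sha256(b"seed%d" % i).hexdigest().encode() + b"\n"
                    for i in range(200))
    return MZ_STUB + body + tail

BENIGN = make_sample(b"KERNEL32.dll\x00USER32.dll\x00")
# The marker stands in for a family-specific byte pattern an AV would hold.
SUSPECT = make_sample(b"EXAMPLE_MARKER_STRING\x00KERNEL32.dll\x00WS2_32.dll\x00")

SIGNATURES = {"Example.Marker": b"EXAMPLE_MARKER_STRING"}  # constructed, not a real signature

def header_only_match(data):
    """What the original poster assumed scanners do: look at the stub alone."""
    return data.startswith(MZ_STUB)

def scan_signatures(data):
    """String/byte-pattern scan over the whole file."""
    return [name for name, sig in SIGNATURES.items() if sig in data]

def imported_dlls(data):
    """Crude stand-in for reading the import table: pull DLL names out of the bytes."""
    return sorted({m.decode().lower() for m in re.findall(rb"[A-Za-z0-9_]+\.dll", data)})

def shannon_entropy(data):
    """Bits per byte; compressed or encrypted data sits close to 8, plain code and text well below."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def looks_packed(data, threshold=7.0):
    """Heuristic a scanner uses to notice a packed body behind a normal-looking stub."""
    return shannon_entropy(data[len(MZ_STUB):]) >= threshold

def pack(data):
    """Toy packer: compress the body behind the same stub. Real packers differ in
    detail but have the same effect on a string scanner."""
    return MZ_STUB + zlib.compress(data[len(MZ_STUB):], 9)

def unpack(data):
    """What the program itself does at load time, or what a scanner emulates."""
    return MZ_STUB + zlib.decompress(data[len(MZ_STUB):])

def scan(data):
    """Signature scan; if nothing matches and the body looks packed, unpack and rescan."""
    hits = scan_signatures(data)
    packed = looks_packed(data)
    if not hits and packed:
        try:
            hits = scan_signatures(unpack(data))
        except zlib.error:
            pass  # unknown packer: a real engine would fall back to emulation or runtime monitoring
    return {"signatures": hits, "packed": packed, "dlls": imported_dlls(data)}

if __name__ == "__main__":
    print("header only:", header_only_match(BENIGN), header_only_match(SUSPECT))
    print("plain scan:", scan(SUSPECT))
    print("packed, strings only:", scan_signatures(pack(SUSPECT)))
    print("packed, full scan:", scan(pack(SUSPECT)))
```

The header check returns the same answer for both samples, the string scan finds the marker in the unpacked suspect but not in the packed one, and only the entropy check followed by unpacking recovers the hit.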
cross
I just found a new Trojan scanner, thought I would share. It's called TDS-3. It's shareware, but almost fully functional. It uses different scanning techniques. I have McAfee Enterprise at work, computer seemed clean, and TDS-3 found a trojan and 3 keyloggers. At home I use Norton Internet Security 2004, which I am fond of; Norton found nothing. TDS-3 found a keylogger and a trojan as well. Note that I use AdAware on both machines as well. Seems that trojans are completely different from virii, and most virii scanners WILL NOT pick up newer trojans. Hope some of you find use in this! You can find it here: hxxp://tds.diamondcs.com.au
kingvandal
I thought (and correct me if I'm wrong): say you zip a file and add a password to the zip file, the AV scanner can NOT scan the password-protected part of the zip?

Rich.
Fletcher
QUOTE (kingvandal @ Mar 29 2004, 04:26 PM)
I thought (and correct me if I'm wrong): say you zip a file and add a password to the zip file, the AV scanner can NOT scan the password-protected part of the zip?

Rich.

Effectively, if you protect your zip with a password it cannot be read, thus you cannot detect a virus.
At this time there exists a new virus spread by mail; the virus is in the mail and the password too. If the mail server is badly configured, the servers don't reject the mail and the user is infected.

I'm not sure, but the name of the virus is W32/Bagle.n@MM
PeTePyE
Hey, I don't know if this should be here, but I have a problem. I have a trojan on my PC and it's backdoor.prorat, and I wanted to know if it was safe to delete the file it's in. It's a DLL file and the file is wininv.dll. Any help as soon as possible would be great.

Thanks
kingvandal
I am sure it is OK to delete it. But if you are worried, just make a backup copy of the DLL file and then delete it and reboot and see the results. Save the DLL for a few days and if all seems to still be working OK then you can go ahead and delete the DLL permanently. Hope this helps.

Rich
Invision Power Board © 2001-2005 Invision Power Services, Inc.