If a file is 'brought to the attention' of the scanner before you have opened
it, it can detect (some) trojans, viruses, and/or worms before *you* open
them. It could be as a scheduled scan, or prompted by some download's
file creation. My scanner even detects some trojans on my system when
I merely have browsed to the directory that they reside in. I assume that
this is due to the fact that they are executable files and the browsing (done
by Windows Explorer) accesses the file for icon information while my on
access scanner is activated.
They do.
....but it is not *you* that is doing the opening - it is *it* doing
so ... and before you have even had the opportunity in most
cases. For instance, if you have some sort of e-mail scanning
activated (my AV doesn't even have that option), the scanner's
attention is being focussed on the downloaded file (or content)
before it is presented to you as something you can open.
A friend has Norton 2004 AntiVirus Professional and on the box it came
in, it says:
New! Scans compressed file archives before you open them and risk
infecting your computer (Not available on Windows Me/98)
Marketing types don't always have a clue as to what they are
spewing - and the clueful don't always bother to try to correct
them. I think that maybe they are alluding to 'packed' files which
are encapsulated with runtime unpackers, and not strictly to the
normal compressed archive files. Nothing more than a guess on
my part though.
....does it also advertise itself as a "solution"?
Learning the art of understatement is not something they are likely
to do. Why say " A welcome addition to your overall defense
strategy" when you can say "Your complete anti-virus solution"?
....and why say "Still scans within some compressed archives", or
"NEW Improved ability to scan within....", when they can make
it sound like some new technology which only they possess, and
is only available in their newe$t relea$e?
What about prior versions - it appears they can't scan compressed files
if the feature is new in 2004 AntiVirus Professional.
I wouldn't know about this because I use an older version and don't
really feel the need to scan within archives. However, these runtime
unpackers can be a cause for worry. Perhaps the new OSes allow
for these to be intercepted whereas the Win9x/ME OSes do not.
Aren't worms and trojans compressed files?
I'm sure that some are.
It also says:
Automatically removes viruses, worms and trojan horses.
I'm wondering - is that before or after they are opened?
Probably either, dependent on circumstances. It is possible
that an AV can interrupt a download when it senses that
its content is malicious.
I have the Trojanhunter program in addition to my AV program, but it
detects trojans only *after* they are opened.
I am completely unfamiliar with that program, is it possible to
direct that program to scan a file that you believe is suspicious?
If you have it do so, and it detects the trojan, then it can also
detect before *you* try to open it - but only because it does
the opening. If it runs "on access" like a virus scanner does,
then what you refer to as "opening" is really only bringing the
file to the attention of the scanner. There is a major difference
between "opening" and "executing" that many people don't
understand. Opening a file can be for reading from the file,
writing to the file, or executing the file.
When you choose to execute a program (double-click in
Windows parlance) you indicate a desire to open it for
execution. The "on access" AV acts sort of like a traffic
cop for all such requests of the OS, and instead opens
it for reading*. It scans the file for indications that it is a
known (to it) malware. Some may even attempt to "run"
the program in an emulated environment in order to help
it to determine its legitimacy. If nothing seems amiss, the
AV then passes control back to the normal OS process
of opening for execution. If something does seem amiss,
an alert box usually appears and asks you for input.
*I think that an executable image that is not yet scheduled is
pretty much equivalent to a readable file for the purpose of
this amateurish explanation. I'm not really sure exactly what
the "on access" AV is scanning.
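To make the "traffic cop" idea above concrete, here is an added toy model of an on-access scanner; it is not code from any poster in this thread or from any AV product. It assumes an in-memory dictionary standing in for the disk, a two-entry signature list (the real, harmless EICAR test string plus a constructed marker), and a made-up policy: every open, whether for reading, writing or executing, is scanned first, a clean result is cached by content hash, and a known-bad file is refused and logged as an alert. The browse() method models Explorer reading each .exe for icon data, which is what makes a detection fire before anyone has double-clicked.

```python
"""Toy model of an "on access" scanner acting as a traffic cop for file opens.

Constructed example: the in-memory filesystem, the signature list and the
allow/deny policy are made up for illustration, not any product's logic.
"""
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# EICAR is the industry-standard, harmless anti-virus test string; the second
# entry is a constructed placeholder standing in for a real signature.
SIGNATURES: Dict[str, bytes] = {
    "EICAR-Test-File": b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*",
    "Constructed.Trojan.Sample": b"CONSTRUCTED-TROJAN-MARKER",
}


@dataclass
class Decision:
    path: str
    mode: str               # "read", "write" or "execute": the three kinds of open
    verdict: Optional[str]  # signature name if known malware, else None
    allowed: bool


def scan_bytes(data: bytes) -> Optional[str]:
    """Return the name of the first known signature found in data, else None."""
    for name, pattern in SIGNATURES.items():
        if pattern in data:
            return name
    return None


class OnAccessScanner:
    """Intercepts every open() the OS would perform and scans before deciding.

    fs is a constructed dict {path: bytes} standing in for the real disk.
    Clean verdicts are cached by content hash so repeated opens are cheap;
    malicious verdicts are never cached, so every later open is re-checked.
    """

    def __init__(self, fs: Dict[str, bytes]):
        self.fs = fs
        self.clean_cache: Set[str] = set()
        self.scan_count = 0
        self.alerts: List[tuple] = []

    def _scan(self, path: str) -> Optional[str]:
        data = self.fs[path]  # the scanner itself opens the file for reading
        digest = hashlib.sha256(data).hexdigest()
        if digest in self.clean_cache:
            return None
        self.scan_count += 1
        verdict = scan_bytes(data)
        if verdict is None:
            self.clean_cache.add(digest)
        return verdict

    def open(self, path: str, mode: str) -> Decision:
        """The traffic cop: scan first, then allow or refuse the requested open."""
        if mode not in ("read", "write", "execute"):
            raise ValueError(f"unknown open mode {mode!r}")
        if path not in self.fs:
            raise FileNotFoundError(path)
        verdict = self._scan(path)
        if verdict is None:
            return Decision(path, mode, None, True)
        # Known malware: refuse the open (most importantly for execute) and alert
        self.alerts.append((path, mode, verdict))
        return Decision(path, mode, verdict, False)

    def browse(self, directory: str) -> List[Decision]:
        """Model Explorer listing a folder: it opens each .exe for reading to
        fetch icon data, which alone is enough to trigger the on-access scan."""
        prefix = directory.rstrip("/") + "/"
        return [self.open(p, "read") for p in sorted(self.fs)
                if p.startswith(prefix) and p.lower().endswith(".exe")]


# Constructed sample disk: one clean installer stub, one file carrying the
# constructed marker, the EICAR test file, and an unrelated text file.
SAMPLE_FS: Dict[str, bytes] = {
    "C:/Downloads/setup.exe": b"MZ" + b"\x00" * 64 + b"legit installer stub",
    "C:/Downloads/freebie.exe": b"MZ" + b"CONSTRUCTED-TROJAN-MARKER" + b"\x00" * 32,
    "C:/Downloads/eicar.com": SIGNATURES["EICAR-Test-File"],
    "C:/Docs/notes.txt": b"just some text",
}


def demo():
    """Browse the download folder, then try to execute a clean and a bad file."""
    av = OnAccessScanner(dict(SAMPLE_FS))
    browsed = av.browse("C:/Downloads")            # both .exe files get scanned here
    exec_ok = av.open("C:/Downloads/setup.exe", "execute")
    exec_bad = av.open("C:/Downloads/freebie.exe", "execute")
    return av, browsed, exec_ok, exec_bad


if __name__ == "__main__":
    av, browsed, ok, bad = demo()
    for d in browsed + [ok, bad]:
        state = "allowed" if d.allowed else f"BLOCKED ({d.verdict})"
        print(f"{d.mode:8} {d.path}: {state}")
    print("files scanned:", av.scan_count, "alerts:", len(av.alerts))
```

Running demo() shows the point of the thread: freebie.exe is flagged during the browse, before any execute request, while setup.exe is scanned once on browse and served from the clean cache when it is later executed.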