Re: [Full-disclosure] Inside AV engines?

Check The Art of Computer Virus Research and Defense (Paperback)
by Peter Szor. It is one of the foremost books in Virus detection, etc, and I found it to be a valuable read...

Examples are in C code, and there's a lot of memory dumping, etc. Check slashdot's review if you want.

Jeroen wrote: 
For penetration testing on Wintel system, I often use netcat.exe and stuff
like pwdump. More and more I need to disable anti-virus services before
running the tools to avoid alarms and auto-deletion of the applications. It
works but it isn't an ideal situation since theoretically a network can be
infected while the AV-services are down. Recompiling tools is an option
since the source of many tools I use is available. The question is (before I
burn useless CPU cycles): can someone help me getting info about the inside
of AV engines? Will addition of some rubbish to the code do the trick (->
other checksum), do I need to change some core code or is it a mission
impossible anyway? Who can help for example getting some useful research
papers on the subject of detecting viruses and how to bypass mechanisms
used? Any help will be appreciated.


Greets,

Jeroen


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/