Interception

Monitoring for system-level routines that perform destructive acts can help, but such monitoring is fairly easily bypassed. Do not depend on it alone.

Interceptors (also known as resident monitors) are particularly useful for deflecting logic bombs and Trojans. The interceptor monitors operating system requests that write to disk or do other things the program considers threatening (such as a program installing itself as a resident program). If it finds such a request, the interceptor generally pops up and asks you whether you want to allow the request to continue. There is, however, no reliable way to intercept direct branches into low-level code, or to intercept direct input and output instructions performed by the virus itself. Some viruses even manage to disable the monitoring program itself. Indeed, for one widely distributed anti-virus program of several years back, it took only eight bytes of code to turn its monitoring functions off.
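As an added illustration (not code from the original tutorial), the following C model shows the hooking mechanism an interceptor relies on and why a direct branch into the low-level routine slips past it unseen. The vector table, the simulated disk and pop-up, and every function name here are constructed for the model; the service numbers are only modeled on DOS INT 21h.

```c
#include <stdio.h>
#include <string.h>

/* Constructed model (added example, not from the page): programs reach OS services
   through a vector-table entry, and a resident monitor re-points that entry at itself.
   Service numbers are modeled on DOS INT 21h (AH=40h write file, AH=31h keep resident). */
enum { SVC_WRITE_FILE = 0x40, SVC_KEEP_RESIDENT = 0x31 };
typedef int (*service_fn)(int func, const char *arg);

static char disk[256];          /* simulated disk contents */
static int  user_allows = 1;    /* simulated answer to the pop-up (1 = allow) */
static int  n_seen, n_blocked;  /* interceptor statistics */

/* The low-level OS routine: where a "direct branch" lands. */
static int os_service(int func, const char *arg) {
    if (func == SVC_WRITE_FILE) { strncat(disk, arg, sizeof disk - strlen(disk) - 1); return 0; }
    if (func == SVC_KEEP_RESIDENT) return 0; /* caller would now stay resident */
    return -2; /* unknown service */
}
static service_fn vector = os_service; /* the hookable entry point */

/* The interceptor: flags disk writes and TSR installs, asks, then chains on. */
static int monitor(int func, const char *arg) {
    if (func == SVC_WRITE_FILE || func == SVC_KEEP_RESIDENT) {
        n_seen++;
        if (!user_allows) { n_blocked++; return -1; } /* user said no */
    }
    return os_service(func, arg);
}

void install_interceptor(void)   { vector = monitor; }
void set_user_answer(int allow)  { user_allows = allow; }
int  requests_seen(void)         { return n_seen; }
int  requests_blocked(void)      { return n_blocked; }
int  monitor_in_place(void)      { return vector == monitor; } /* hook self-check */
const char *disk_contents(void)  { return disk; }

/* A well-behaved program goes through the vector, so the monitor sees it. */
int request_via_vector(int func, const char *arg) { return vector(func, arg); }
/* The weakness the text describes: a direct branch into the low-level routine
   never touches the vector, so the monitor sees nothing. */
int request_direct(int func, const char *arg) { return os_service(func, arg); }

int main(void) {
    install_interceptor();
    set_user_answer(0);
    printf("via vector: %d\n", request_via_vector(SVC_WRITE_FILE, "A")); /* -1: blocked */
    printf("direct:     %d\n", request_direct(SVC_WRITE_FILE, "B"));     /* 0: unseen */
    printf("seen=%d blocked=%d disk=\"%s\"\n", requests_seen(), requests_blocked(), disk);
    return 0;
}
```

The monitor_in_place() self-check is the minimal defence against the "eight bytes" problem: it can tell the monitor its hook has been removed, but it cannot tell it about requests that never passed through the hook.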

It is important to realize that monitoring and interception are risky techniques. Some products that use them are so annoying to use (because of their frequent pop-up messages) that some users consider the cure worse than the disease!

Summary

  • Interceptors are useful for some simple logic bombs and Trojans.
  • It would be unwise to depend entirely upon behavior monitors, as they are easily bypassed.