How Deep?
Today's PC environments are full of compressed and archived files; rare are the PCs that don't run PKWARE's PKZIP utility. Malicious users have dozens of such compression tools (aka packers) at their disposal. An antivirus scanner might be able to find a virus in a .zip file, but can it find the same virus after five different compression tools compress it? The virus scanner must recognize that the file is compressed, then uncompress it, determine whether it's still compressed, and decompress again if necessary or, if not, begin scanning. And if a file contains an active link to another file (e.g., an HTML file coded to download a malicious executable), the virus scanner should also scan the linked file. A feature called recursive scanning can help solve these problems.
Some scanners address scanned files by including uncompression code or insisting on knowing the location of the unpacking utility. Other vendors' products ignore compressed files and scan only as files are uncompressed. Although I like scanners that scan zipped files and some vendors brag about their products' ability to scan within 20 or more file-compression types, I don't think any one scanning engine can work with every possible packer. I've also seen many scanners that claim to feature recursive scanning but fail miserably at it. Therefore, scanning the final file as it's uncompressed makes the most sense to me. Of course, that method requires that the scanner be called as the file is uncompressed, which means the scanner must be running in realtime protection mode.
Protected Files
To complicate matters, file-protection mechanisms that are designed to prevent unauthorized access can challenge antivirus scanners. Encrypted and password-protected files present special challenges, because scanners that can't open a file typically skip it.
Most scanners bypass password-protected files, but do you want yours to scan them? In the early days of Microsoft Office, a password-protected document wasn't encrypted. The password merely prevented the file from opening in Office, and a virus scanner could easily detect and delete a virus contained within such a file. Today, password-protected Office documents are locked up tight and are easily overlooked.
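As an added illustration that is not code from the original article, the following Python block implements the recursive unpack-and-scan loop described under "How Deep?" and also shows the behaviour the "Protected Files" section warns about: an encrypted archive member that the scanner cannot open is reported as skipped rather than silently passed, and unpacking stops at a nesting limit so a deliberately deep archive cannot tie the scanner up. The signature string, the member names, the MAX_DEPTH value and the sample archive are all constructed for this demo; a real engine would use its signature database and its own policy in their place. Because the standard zipfile module cannot write encrypted entries, the demo simulates one by setting the encryption flag bit in a test archive's headers.

```python
import io
import zipfile

# Constructed marker standing in for a real malware signature (assumption:
# a real engine matches against its signature database, not one byte string).
SIGNATURE = b"TEST-MALWARE-MARKER-0001"

MAX_DEPTH = 5  # constructed policy value: stop unpacking past this nesting level


def is_zip(data: bytes) -> bool:
    """Recognise a ZIP container by its local-file-header magic, not by its name."""
    return data[:4] == b"PK\x03\x04"


def scan_bytes(data: bytes, path: str = "<root>", depth: int = 0, findings=None) -> list:
    """Recursively scan `data`; returns a list of (path, status) tuples.

    Compressed content is unpacked and scanned again until a non-archive is
    reached or the nesting limit is hit. Members the scanner cannot open
    (encrypted, corrupt) are reported explicitly instead of being ignored.
    """
    if findings is None:
        findings = []
    if is_zip(data):
        if depth >= MAX_DEPTH:
            findings.append((path, "skipped: nesting limit reached"))
            return findings
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    member_path = f"{path}/{info.filename}"
                    if info.flag_bits & 0x1:  # general-purpose bit 0: member is encrypted
                        findings.append((member_path, "skipped: encrypted"))
                        continue
                    scan_bytes(zf.read(info), member_path, depth + 1, findings)
        except zipfile.BadZipFile:
            findings.append((path, "skipped: corrupt archive"))
        return findings
    findings.append((path, "infected" if SIGNATURE in data else "clean"))
    return findings


def wrap_in_zip(name: str, payload: bytes) -> bytes:
    """Return a single-member ZIP archive containing `payload` under `name`."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(name, payload)
    return buf.getvalue()


def mark_encrypted(zip_bytes: bytes) -> bytes:
    """Set the 'encrypted' flag bit in both headers of a single-member test archive.

    zipfile cannot write encrypted entries, so this simulates one for the demo;
    the payload itself stays in clear (constructed test input only).
    """
    data = bytearray(zip_bytes)
    lfh = data.find(b"PK\x03\x04")  # local file header: flags at offset 6
    cdh = data.find(b"PK\x01\x02")  # central directory header: flags at offset 8
    data[lfh + 6] |= 0x01
    data[cdh + 8] |= 0x01
    return bytes(data)


def build_sample() -> bytes:
    """Constructed test archive: a clean file, a marker file buried three
    archives deep, an 'encrypted' member, and a decoy nested past MAX_DEPTH."""
    nested = SIGNATURE + b" hidden payload"
    for i in range(3):
        nested = wrap_in_zip(f"level{i}.bin", nested)
    too_deep = b"unreachable"
    for i in range(MAX_DEPTH + 1):
        too_deep = wrap_in_zip(f"deep{i}.bin", too_deep)
    encrypted = mark_encrypted(wrap_in_zip("secret.txt", b"cannot be inspected"))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", b"just text")
        zf.writestr("nested.zip", nested)
        zf.writestr("deep.zip", too_deep)
        zf.writestr("locked.zip", encrypted)
    return buf.getvalue()


if __name__ == "__main__":
    for member, status in scan_bytes(build_sample()):
        print(f"{status:32s} {member}")
```

The two "skipped" statuses are the part worth keeping: a scanner that returns only "clean" for files it never looked inside gives the operator a false sense of coverage, whereas an explicit skip can be logged and followed up (for example by scanning the file again as it is uncompressed under realtime protection, as the article recommends).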
How should antivirus software treat a file that a digital certificate is protecting? If the document or program was signed while the virus was present, removing the virus will render the related digital certificate invalid. Nevertheless, scanners should remove all malware. If the malware corrupts the digital certificate, so be it; a malware-containing file shouldn't have been signed in the first place.
Files that Microsoft Encrypting File System (EFS) protects present a similar problem. Unless the scanner runs under a user account with a valid EFS key, the scanner won't be able to scan the file. If your company uses EFS, look specifically for products, such as Panda Software's Panda Antivirus Platinum for Win2K or Trend Micro's OfficeScan, that support EFS.
By default, most antivirus scanners' emergency boot disks will let you clean an infected NT boot sector. The boot sector and all the current boot sector viruses rely on standard FAT partitions. Antivirus products won't let you boot from a 3.5" disk to initiate an NTFS volume scan unless the vendor makes a special support boot disk. Although the need to scan an entire NTFS volume from a boot disk has diminished, the capability can still come in handy. If your product doesn't support boot-scanning NTFS volumes, you can use Sysinternals' NTFSDOS utility to create a custom boot disk that lets you boot to an NTFS volume and run a virus scanner from a 3.5" disk. If you use this approach, the virus scanner won't be able to scan compressed or EFS-encrypted files.