I use AVG and it recently detected a virus. It has before 😉 but this was the first time I noticed this.
When I went into the folder containing the virus, AVG immediately, automatically, detected the virus without me even clicking on the application. So I thought, how could it know a virus was there even when I did not even click (single click) on it?
The only possible answer is that it continuously checks the explorer folder location of all windows and scans all the files in the folder. But how does it see what folder is being viewed by me?
Please explain (if possible) with a C program that does whatever AVG did.
Also : I use Windows if that helps.
When you open a folder a bunch of file system operations is executed (you can use tools like FileMon or ProcMon to take a look at this). Your AV software monitors file access. There are multiple ways to do this monitoring, e.g. Filter Drivers – you can find a great sample at http://www.codeproject.com/Articles/43586/File-System-Filter-Driver-Tutorial
So when you opened the folder, AV software noticed that you opened a directory, consulted its own data, and informed you about the virus.
I say ‘consulted its own data’, as AV tools usually don’t scan files on access – they do it when the files are written to, as it doesn’t make sense to scan files which were marked as clean if they haven’t changed since the last scan.
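As an added illustration of the answer's last two paragraphs (this is example code written for this page, not code from the original post and not how AVG is actually implemented): a small C program that keeps a per-file verdict cache keyed by path, size and modification time, so that "seeing" a file only triggers a content scan when the file has changed since its last verdict. The signature string, the file names and the file contents are constructed for the demo; a real product learns about writes from its filter driver rather than by calling stat() as this toy does.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>
#include <sys/stat.h>

/* Constructed demo signature (NOT a real malware pattern): a file containing
 * these bytes is reported as infected. */
static const char SIGNATURE[] = "DEMO-TEST-SIGNATURE-NOT-MALWARE";
enum verdict { VERDICT_CLEAN = 0, VERDICT_INFECTED = 1 };

/* The scanner's "own data": last verdict per path, plus the size and mtime
 * that verdict was computed for. */
struct cache_entry { char path[260]; long long size; time_t mtime; int verdict; int used; };
#define CACHE_SLOTS 64
static struct cache_entry cache[CACHE_SLOTS];
static int g_last_rescanned;            /* 1 if the last on_access() read the file */

static struct cache_entry *cache_find(const char *path)
{
    for (int i = 0; i < CACHE_SLOTS; i++)
        if (cache[i].used && strcmp(cache[i].path, path) == 0) return &cache[i];
    return NULL;
}

static void cache_put(const char *path, long long size, time_t mtime, int verdict)
{
    struct cache_entry *e = cache_find(path);
    for (int i = 0; !e && i < CACHE_SLOTS; i++)
        if (!cache[i].used) e = &cache[i];
    if (!e) e = &cache[0];              /* cache full: crude eviction of slot 0 */
    snprintf(e->path, sizeof e->path, "%s", path);
    e->size = size; e->mtime = mtime; e->verdict = verdict; e->used = 1;
}

/* Naive byte-pattern search; real engines use much smarter matching. */
static int contains(const unsigned char *buf, size_t n, const char *pat, size_t m)
{
    for (size_t i = 0; m > 0 && i + m <= n; i++)
        if (memcmp(buf + i, pat, m) == 0) return 1;
    return 0;
}

/* Full content scan of one file. Returns a verdict, or -1 on I/O error. */
int scan_file_contents(const char *path)
{
    FILE *f = fopen(path, "rb");
    if (!f) return -1;
    fseek(f, 0, SEEK_END);
    long n = ftell(f);
    rewind(f);
    unsigned char *buf = n >= 0 ? malloc((size_t)n + 1) : NULL;
    if (!buf) { fclose(f); return -1; }
    size_t got = fread(buf, 1, (size_t)n, f);
    fclose(f);
    int hit = contains(buf, got, SIGNATURE, strlen(SIGNATURE));
    free(buf);
    return hit ? VERDICT_INFECTED : VERDICT_CLEAN;
}

/* Called whenever a file is "seen" (e.g. its folder is listed): consult the
 * cache first and read the file only if it changed since the cached verdict. */
int on_access(const char *path)
{
    struct stat st;
    if (stat(path, &st) != 0) return -1;
    struct cache_entry *e = cache_find(path);
    if (e && e->size == (long long)st.st_size && e->mtime == st.st_mtime) {
        g_last_rescanned = 0;
        return e->verdict;              /* unchanged since last scan: trust it */
    }
    int v = scan_file_contents(path);
    if (v < 0) return -1;
    cache_put(path, (long long)st.st_size, st.st_mtime, v);
    g_last_rescanned = 1;
    return v;
}
int last_was_rescanned(void) { return g_last_rescanned; }

/* Creates the constructed demo files in the current directory. */
int write_sample(const char *path, const char *body)
{
    FILE *f = fopen(path, "wb");
    if (!f) return -1;
    fputs(body, f);
    return fclose(f) == 0 ? 0 : -1;
}

int main(void)
{
    write_sample("av_demo_clean.txt", "just some ordinary text");
    write_sample("av_demo_bad.txt", "prefix DEMO-TEST-SIGNATURE-NOT-MALWARE suffix");
    for (int pass = 1; pass <= 2; pass++) {  /* pass 2 is served from the cache */
        int v = on_access("av_demo_bad.txt");
        printf("pass %d: av_demo_bad.txt -> %s (%s)\n", pass,
               v < 0 ? "error" : v ? "INFECTED" : "clean",
               last_was_rescanned() ? "scanned" : "from cache");
    }
    return 0;
}
```

Two caveats a practitioner would add. First, mtime has one-second granularity on many file systems, so a file rewritten within the same second to the same size would be served a stale verdict from this cache; that is exactly why shipping products hook the write path (the filter-driver approach the answer links) instead of inferring change from metadata. Second, a "clean" verdict is only as good as the signature set it was computed with, so the cache also has to be invalidated whenever the signature database is updated.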