Watching an antivirus program at work with Process Monitor

While traveling, I noticed that my Skype executable was nowhere to be found, and I didn’t want to pay $0.80 a minute roaming. So, I decided to investigate what could have removed the program by performing a reinstall. Sure enough, the program disappeared again. I needed to take a snapshot of what was going on.

I like what the guys at Sysinternals did with Process Monitor. It makes it really easy to spy on stuff. Set up the filter conditions for whatever you’re looking for (here, a Path filter on Skype.exe), and you get a real-time view of the file, registry and process activity as it happens.

Here I have Process Monitor catching the disappearance of my Skype.exe. I see that it detects the “suspicious” filename, reads it at various offsets (to do signature matching?) and eventually deletes the file.

So, the first part of the puzzle is solved, in my case. I know that mcshield (McAfee VirusScan) is deleting my stuff. Now I can’t kill the process, so I have to find another way to slow it down…
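The same triage can be done offline when you cannot sit and watch the live view: save the Process Monitor trace as CSV (File > Save, CSV format) and ask the export two questions about the missing file: which process read it, and at what offsets, and which process marked it for deletion. The script below is an added example, not code from the original post or from Sysinternals. It assumes the export uses Procmon's default columns (Time of Day, Process Name, PID, Operation, Path, Result, Detail); the embedded sample is constructed to mimic the sequence described above, and its PIDs, timestamps, offsets and the explorer.exe/svchost.exe rows are invented.

```python
import csv
import io
import re
from collections import defaultdict

# Constructed sample in the shape of a Process Monitor CSV export using the default
# columns. It mimics the sequence described in the post: the scanner opens the file,
# reads it at several offsets, then reopens it with Delete access and marks it for
# deletion. PIDs, times, offsets and the unrelated rows are made up for illustration.
SAMPLE_CSV = '''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"9:41:02.1003151 AM","explorer.exe","1204","CreateFile","C:\\Program Files\\Skype\\Phone\\Skype.exe","SUCCESS","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened"
"9:41:02.1104512 AM","mcshield.exe","1880","CreateFile","C:\\Program Files\\Skype\\Phone\\Skype.exe","SUCCESS","Desired Access: Generic Read, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: n/a, ShareMode: Read, AllocationSize: n/a, OpenResult: Opened"
"9:41:02.1105020 AM","mcshield.exe","1880","ReadFile","C:\\Program Files\\Skype\\Phone\\Skype.exe","SUCCESS","Offset: 0, Length: 4,096, Priority: Normal"
"9:41:02.1106234 AM","mcshield.exe","1880","ReadFile","C:\\Program Files\\Skype\\Phone\\Skype.exe","SUCCESS","Offset: 20,480, Length: 4,096"
"9:41:02.1107788 AM","mcshield.exe","1880","ReadFile","C:\\Program Files\\Skype\\Phone\\Skype.exe","SUCCESS","Offset: 22,208,512, Length: 4,096"
"9:41:02.1200001 AM","mcshield.exe","1880","CloseFile","C:\\Program Files\\Skype\\Phone\\Skype.exe","SUCCESS",""
"9:41:02.1300555 AM","mcshield.exe","1880","CreateFile","C:\\Program Files\\Skype\\Phone\\Skype.exe","SUCCESS","Desired Access: Read Attributes, Delete, Disposition: Open, Options: Non-Directory File, Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened"
"9:41:02.1301000 AM","mcshield.exe","1880","SetDispositionInformationFile","C:\\Program Files\\Skype\\Phone\\Skype.exe","SUCCESS","Delete: True"
"9:41:02.1302000 AM","mcshield.exe","1880","CloseFile","C:\\Program Files\\Skype\\Phone\\Skype.exe","SUCCESS",""
"9:41:03.0000000 AM","svchost.exe","900","RegQueryValue","HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\CurrentBuild","SUCCESS","Type: REG_SZ, Length: 10, Data: 2600"
'''

# Operations that mark a file for deletion. SetDispositionInformationEx is the newer
# variant seen on recent Windows; a CreateFile with "Delete On Close" deletes too.
DELETE_OPS = {"SetDispositionInformationFile", "SetDispositionInformationEx"}
OFFSET_RE = re.compile(r"Offset:\s*([\d,]+)")


def parse_procmon_csv(text):
    """Return the rows of a Procmon CSV export as dicts keyed by the header names."""
    return list(csv.DictReader(io.StringIO(text)))


def load_export(path):
    """Read a real export from disk; Procmon writes UTF-8 with a BOM, hence utf-8-sig."""
    with open(path, encoding="utf-8-sig", newline="") as fh:
        return list(csv.DictReader(fh))


def events_for_path(rows, path):
    """Keep only events on `path` (case-insensitive, as NTFS path lookups are)."""
    target = path.lower()
    return [r for r in rows if r["Path"].lower() == target]


def read_offsets(rows):
    """Map (process, pid) -> list of byte offsets it read, in event order."""
    offsets = defaultdict(list)
    for r in rows:
        if r["Operation"] == "ReadFile" and r["Result"] == "SUCCESS":
            m = OFFSET_RE.search(r["Detail"])
            if m:
                key = (r["Process Name"], int(r["PID"]))
                offsets[key].append(int(m.group(1).replace(",", "")))
    return dict(offsets)


def who_deleted(rows):
    """Return (process, pid, time) for the first successful delete, or None."""
    for r in rows:
        if r["Result"] != "SUCCESS":
            continue
        marked = r["Operation"] in DELETE_OPS and "Delete: True" in r["Detail"]
        on_close = r["Operation"] == "CreateFile" and "Delete On Close" in r["Detail"]
        if marked or on_close:
            return (r["Process Name"], int(r["PID"]), r["Time of Day"])
    return None


def explain(text, path):
    """Summarise who read and who deleted `path` in a CSV export given as text."""
    rows = events_for_path(parse_procmon_csv(text), path)
    return {"reads": read_offsets(rows), "deleted_by": who_deleted(rows)}


if __name__ == "__main__":
    report = explain(SAMPLE_CSV, r"C:\Program Files\Skype\Phone\Skype.exe")
    for (proc, pid), offs in report["reads"].items():
        print(f"{proc} ({pid}) read the file at offsets {offs}")
    if report["deleted_by"]:
        proc, pid, when = report["deleted_by"]
        print(f"{proc} ({pid}) marked the file for deletion at {when}")
```

Against the constructed sample this reports mcshield.exe reading at offsets 0, 20480 and 22208512 and then marking the file for deletion; on a real trace you would point `load_export` at your saved CSV and pass the rows to `events_for_path` instead. The offsets are worth keeping: a scanner that reads a handful of fixed offsets before deleting is consistent with the signature matching guessed at above, and the same rows tell you whether the delete came from the scanner itself or from a child process it spawned.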

