Scanning

February 8, 2006 – 11:09 pm

The scanning site is moving on; I've got 12 scanners on there, which was my first goal. They all seem to be ticking over and working. Every now and then I get a file that triggers a condition I've not met for handling a particular file type.

Been impressed by the coverage of the ClamAV open source virus scanner: coverage for a new virus is added pretty quickly, and the entire engine seems pretty solid. The surprise has been that some of the more obscure scanners seem to be really effective. I've also liked Norman Virus Control, which seems really quite cool with its 'Sandbox' technology: when it sees something it hasn't before, it actually gives you a nice report of what the virus attempts to do, like what files it changes or adds and what registry stuff it does.

New features include some handling of extra information which is provided as stats for the user. The tool I've written for identifying packed PE executables is doing quite nicely. I tinkered with a couple of mechanisms for detecting the signatures but have settled on a regexp-based system which searches from the entry point in the executable for a signature. There are some really crafty packers out there that do some seriously 'illegal' things in the header of the executable, like sticking the entry point in the first 'DOS' part of the header.
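As an added illustration of that approach (not the author's tool), here is a small Python sketch of entry-point-anchored signature matching that also copes with an entry point pointing into the DOS header area. The signature patterns, the packer names and the sample PE images are all constructed for this example.

```python
import re
import struct
# Signature table keyed by packer name; each regex is anchored at the entry
# point. Patterns here are constructed for the example, not real packer signatures.
SIGNATURES = {
    "demo-packer-A": re.compile(rb"\x60\xe8\x00\x00\x00\x00", re.DOTALL),
    "demo-packer-B": re.compile(rb"\x55\x8b\xec.{0,8}\xe9", re.DOTALL),
}

def entry_point_offset(data):
    """Map AddressOfEntryPoint to a file offset; returns (offset, in_headers)."""
    nt = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[:2] != b"MZ" or data[nt:nt + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    nsect, opt_size = struct.unpack_from("<2xH12xH", data, nt + 4)
    opt = nt + 24                                           # after the 20-byte file header
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    size_of_headers = struct.unpack_from("<I", data, opt + 60)[0]
    for i in range(nsect):
        vsize, va, rawsize, rawptr = struct.unpack_from("<IIII", data, opt + opt_size + i * 40 + 8)
        if va <= entry_rva < va + max(vsize, rawsize):
            return rawptr + (entry_rva - va), False
    # No section covers the RVA: some packers point the entry into the header
    # area (even the DOS stub), which the loader maps 1:1 from file offset 0.
    if entry_rva < size_of_headers:
        return entry_rva, True
    raise ValueError("entry point RVA 0x%x maps to nothing" % entry_rva)

def identify_packer(data):
    offset, in_headers = entry_point_offset(data)
    for name, pattern in SIGNATURES.items():
        if pattern.match(data, offset):
            return name, in_headers
    return None, in_headers

def build_pe(entry_rva, text, stub=b""):
    """Construct a minimal PE32 file: DOS header (stub bytes at 0x40) plus one .text section."""
    dos = bytearray(0x80)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x80)                 # e_lfanew
    dos[0x40:0x40 + len(stub)] = stub
    file_hdr = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102)
    opt = bytearray(224)
    struct.pack_into("<H14xI", opt, 0, 0x10B, entry_rva)    # Magic, AddressOfEntryPoint
    struct.pack_into("<II", opt, 56, 0x2000, 0x200)         # SizeOfImage, SizeOfHeaders
    sect = struct.pack("<8sIIII", b".text", len(text), 0x1000, 0x200, 0x200) + b"\0" * 16
    header = (bytes(dos) + file_hdr + bytes(opt) + sect).ljust(0x200, b"\0")
    return header + text.ljust(0x200, b"\0")

NORMAL = build_pe(0x1000, b"\x55\x8b\xec\x90\x90\xe9\x00\x00\x00\x00")  # constructed: entry in .text
HEADER_TRICK = build_pe(0x40, b"\xcc" * 16, stub=b"\x60\xe8\x00\x00\x00\x00\x90")  # constructed: entry in DOS stub
```

A real tool would map PE32+ the same way (SizeOfHeaders sits at the same optional-header offset) and would clamp the regexp search window to the section containing the entry point.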

Well, check the scanner out, throw it a couple of files and see what happens.
