av-info.org: Online Anti-virus Review: Other methods






Other methods



Other detection methods include on-the-fly virus detection: the antivirus monitors executables as they are loaded into memory and scans them for malicious patterns while they run, without using a sandbox.


Furthermore, most of the main system calls (DLL function calls on Windows) can be hooked with additional functions that record system call traces and the real-time behavior of running executables. That way, dangerous or anomalous activity, such as file operations, automatic email and network connectivity operations, and other worm-like behavior, can be detected in real time in the executables that are actually running.


This method may overlap with behavioral blocking-based intrusion detection. The overhead of on-the-fly processing is a significant issue, so the comprehensiveness of the antivirus has to be weighed against the available resources of the system.
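The correlation step that would sit behind such hooks, as an added example that is not code from the original article: it replays a trace of hooked calls and flags a process that shows two or more of the behavior classes named above (file, email, network) within a time window. The trace is constructed, and the record layout, the thresholds, the extension list and the assumption that the hook resolves `WriteFile` handles to paths are all illustrative.

```python
from collections import defaultdict, deque

EXEC_EXT = (".exe", ".dll", ".scr")  # assumed executable extensions
SMTP_HOSTS = 3   # assumed threshold: distinct mail servers contacted
NET_HOSTS = 5    # assumed threshold: distinct remote hosts contacted

# Constructed trace of hooked calls: (seconds, pid, call, detail).
TRACE = [
    (0.0, 101, "WriteFile", r"C:\Users\a\report.docx"),
    (1.0, 101, "connect", "198.51.100.5:25"),
    (1.0, 202, "WriteFile", r"C:\Users\a\AppData\Local\Temp\update.exe"),
    (2.0, 202, "connect", "203.0.113.1:25"),
    (2.5, 202, "connect", "203.0.113.2:25"),
    (3.0, 202, "connect", "203.0.113.3:25"),
    (0.0, 303, "WriteFile", r"C:\Users\a\Downloads\setup.exe"),
    (20.0, 303, "connect", "203.0.113.1:25"),
    (21.0, 303, "connect", "203.0.113.2:25"),
    (22.0, 303, "connect", "203.0.113.3:25"),
]

def classify(calls):
    """Return the behavior classes present in one process's recent calls."""
    hosts, smtp, classes = set(), set(), set()
    for _, call, detail in calls:
        if call == "WriteFile" and detail.lower().endswith(EXEC_EXT):
            classes.add("file")
        elif call == "connect":
            host, _, port = detail.rpartition(":")
            hosts.add(host)
            if port == "25":
                smtp.add(host)
    if len(smtp) >= SMTP_HOSTS:
        classes.add("email")
    if len(hosts) >= NET_HOSTS:
        classes.add("network")
    return classes

def scan(trace, window=10.0):
    """Replay events in time order; alert once per pid on >= 2 classes in the window."""
    recent, alerts = defaultdict(deque), {}
    for ts, pid, call, detail in sorted(trace):
        q = recent[pid]
        q.append((ts, call, detail))
        while ts - q[0][0] > window:   # drop calls older than the window
            q.popleft()
        classes = classify(q)
        if len(classes) >= 2 and pid not in alerts:
            alerts[pid] = (ts, sorted(classes))
    return alerts
```

With the 10-second window only pid 202 is flagged; `scan(TRACE, window=30.0)` also flags pid 303, whose file write and mail fan-out are 20 seconds apart, at the cost of keeping more calls in memory per process.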






