by Norman [Published on 16 Dec. 2002 / Last Updated on 19 July 2013]
Last year I presented how a simulated computer, which is integrated inside the scanner engine, can detect viruses based on actual performance. I demonstrated regular file replication for regular Win32 PE infectors. However, regular file replicating viruses do not pose the biggest threat – worms and viruses spreading through the Internet do. I will demonstrate how detection of these critters can be applied to the simulated computer, how these simulated computers can ‘network’ inside a single scanner engine, opening shares and communicate with a simulated SMTP server, how we deal with run-time libraries, e.g. Visual Basic DLLs, what is possible to simulate and what is not.