Sandbox II: Internet presented at Virus Bulletin 2002

by Kurt Natvig (Norman asa),

Tags: Security


Summary : "
Last year I presented how a simulated computer, which is integrated
inside the scanner engine, can detect viruses based on actual
performance. I demonstrated regular file replication for regular Win32
PE infectors. However, regular file replicating viruses do not pose
the biggest threat - worms and viruses spreading through the Internet
do. I will demonstrate how detection of these critters can be applied
to the simulated computer, how these simulated computers can `network'
inside a single scanner engine, opening shares and communicate with a
simulated SMTP server, how we deal with run-time libraries, e.g.
Visual Basic DLLs, what is possible to simulate and what is not.