Abstract
Paper Title
WOW64 Woes for Anti-Virus Products
Author(s)
Abhijit Kulkarni (India), Product Manager, Quick Heal Technologies.
Prakash Jagdale (India), Sr. Software Architect, Quick Heal Technologies.
Time
11 December, Thursday, 11:35 - 12:15.
64-bit processors are catching up in the market, but the inertia of developing 32-bit products for Windows continues, because porting an existing code base takes tremendous effort. It is easier to come up quickly with a product that relies on WOW64 support.

An Anti-Virus On-Access scanner on Windows typically has a kernel mode component (based on Microsoft's file system filter driver model) and a user mode component. Since 32-bit Windows drivers are not binary compatible with 64-bit Windows, most Anti-Virus developers have ported the kernel mode component to 64-bit. Some Anti-Virus products, however, still have a 32-bit user mode component. It continues to operate under the OS's WOW64 cushion while the On-Access kernel component operates as a 64-bit component, and communication between the two is done by thunking the 32-bit calls to 64-bit.

Now consider a case where the On-Access scanner's kernel mode component notifies the user mode component (the app) to scan a location inside the "system32" folder. Since the app is running under WOW64, it will scan the "syswow64" folder instead of "system32" and report that the file doesn't exist, thereby skipping the virus in the "system32" folder.

Secondly, some Anti-Virus products have a memory scanning module. Since 32-bit processes cannot enumerate 64-bit processes, a product running under WOW64 is definitely going to skip most of the processes.

There are more such interesting cases, and knowing them will definitely help Anti-Virus developers avoid loopholes in their products.

The paper will start by explaining concepts like WOW64. It will move on to discuss the issues associated with an Anti-Virus product executing under WOW64. The paper will finally propose a working solution for the same.
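The "system32" redirection case above, as an added example that is not part of the paper or of Quick Heal's code: a 32-bit scanner process can either rewrite the path the 64-bit driver reports to the Sysnative alias (Windows Vista and later map it back to the real 64-bit System32) or disable redirection around the file access with the Wow64DisableWow64FsRedirection / Wow64RevertWow64FsRedirection pair. It assumes Python 3 with ctypes; the default Windows directory and the sample paths are constructed, and the Win32 calls are attempted only on Windows.

```python
import ctypes
import sys
from contextlib import contextmanager


def native_path(path: str, wow64: bool, windir: str = r"C:\Windows") -> str:
    """Map a System32 path to the Sysnative alias when running under WOW64.

    Assumption: windir is the real Windows directory (constructed default).
    SysWOW64 paths are left unchanged: those really are 32-bit files.
    """
    if not wow64:
        return path
    base = windir.rstrip("\\")
    prefix = base + "\\System32"
    head, tail = path[:len(prefix)], path[len(prefix):]
    # Match the whole component, so a folder like System32Extra is untouched.
    if head.lower() == prefix.lower() and (tail == "" or tail.startswith("\\")):
        return base + "\\Sysnative" + tail
    return path


def is_wow64_process() -> bool:
    """True for a 32-bit process on 64-bit Windows (kernel32!IsWow64Process)."""
    if sys.platform != "win32":
        return False  # no WOW64 layer to worry about
    k32 = ctypes.windll.kernel32
    k32.GetCurrentProcess.restype = ctypes.c_void_p
    k32.IsWow64Process.argtypes = [ctypes.c_void_p, ctypes.POINTER(ctypes.c_int)]
    flag = ctypes.c_int(0)
    ok = k32.IsWow64Process(k32.GetCurrentProcess(), ctypes.byref(flag))
    return bool(ok) and bool(flag.value)


@contextmanager
def redirection_disabled():
    """Disable WOW64 file-system redirection for this thread; no-op elsewhere."""
    if not is_wow64_process():
        yield
        return
    k32 = ctypes.windll.kernel32
    k32.Wow64DisableWow64FsRedirection.argtypes = [ctypes.POINTER(ctypes.c_void_p)]
    k32.Wow64RevertWow64FsRedirection.argtypes = [ctypes.c_void_p]
    old = ctypes.c_void_p()
    if not k32.Wow64DisableWow64FsRedirection(ctypes.byref(old)):
        raise ctypes.WinError()  # never scan with redirection silently still on
    try:
        yield
    finally:
        k32.Wow64RevertWow64FsRedirection(old)  # always restore redirection
```

Raising when the disable call fails matters: continuing silently would reproduce exactly the "file doesn't exist" miss described above.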