Abstract

Paper Title

WOW64 Woes for Anti-Virus Products

Author(s)

Abhijit Kulkarni (India), Product Manager, Quick Heal Technologies.
Prakash Jagdale (India), Sr. Software Architect, Quick Heal Technologies.

Time

11 December, Thursday, 11:35 - 12:15.

64-bit processors are catching up in the market, but the inertia of developing 32-bit products for Windows continues, because porting an existing code base takes tremendous effort. It is easier to ship a product quickly by relying on WOW64 support.

An Anti-Virus On-Access scanner on Windows typically has a kernel mode component (based on Microsoft's file system filter driver model) and a user mode component. Since 32-bit Windows drivers are not binary compatible with 64-bit Windows, most Anti-Virus developers have ported the kernel mode component to 64-bit. Some Anti-Virus products, however, still ship a 32-bit user mode component. It continues to operate under the WOW64 compatibility layer the OS provides, while the On-Access kernel component operates as a native 64-bit component. Communication between these two components is done by thunking the 32-bit calls to 64-bit.

Now consider a case where the On-Access scanner's kernel mode component notifies the user mode component (the app) to scan a location inside the "system32" folder. Because the app runs under WOW64, file system redirection sends its request to the "syswow64" folder instead of "system32"; the app reports that the file does not exist, and the virus in "system32" is skipped.
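The redirection problem described above, as an added example that is not part of the paper: a 32-bit scanner can either rewrite a kernel-reported `System32` path to the `Sysnative` alias (a virtual name the redirector resolves to the real 64-bit `System32` on Vista and later) or temporarily disable redirection for its own thread with `Wow64DisableWow64FsRedirection`. The `%windir%` value is assumed to be `C:\Windows`; the Windows API calls run only on Windows, the path rewrite runs anywhere.

```python
import ctypes
import os
import re
import sys
from contextlib import contextmanager

# Assumption for this example: a real scanner would take the Windows
# directory from GetWindowsDirectory() or the environment instead.
WINDIR = r"C:\Windows"
_SYSTEM32 = re.compile(r"^(?P<root>" + re.escape(WINDIR) + r")\\system32(?=\\|$)",
                       re.IGNORECASE)


def running_under_wow64() -> bool:
    """True only for a 32-bit process on 64-bit Windows (IsWow64Process)."""
    if sys.platform != "win32":
        return False
    k32 = ctypes.windll.kernel32
    if not hasattr(k32, "IsWow64Process"):   # very old 32-bit Windows
        return False
    flag = ctypes.c_int(0)
    k32.IsWow64Process(k32.GetCurrentProcess(), ctypes.byref(flag))
    return bool(flag.value)


def to_native_path(path: str, wow64: bool) -> str:
    """Rewrite <windir>\\System32\\... to <windir>\\Sysnative\\... for a WOW64 process.

    Sysnative exists only while redirection is active, so a native 64-bit
    process (wow64=False) must keep using System32 unchanged.
    """
    if not wow64:
        return path
    return _SYSTEM32.sub(lambda m: m.group("root") + r"\Sysnative", path, count=1)


@contextmanager
def fs_redirection_disabled():
    """Disable WOW64 redirection for the calling thread, then always revert.

    Keep the window short: while redirection is off, the 32-bit process
    would also load DLLs from the 64-bit System32 and fail.
    """
    if not running_under_wow64():
        yield
        return
    k32 = ctypes.windll.kernel32
    old_value = ctypes.c_void_p()
    if not k32.Wow64DisableWow64FsRedirection(ctypes.byref(old_value)):
        raise ctypes.WinError()
    try:
        yield
    finally:
        k32.Wow64RevertWow64FsRedirection(old_value)


def scan_target_exists(path: str) -> bool:
    """Check the exact path the kernel reported, not its SysWOW64 twin."""
    with fs_redirection_disabled():
        return os.path.exists(path)
```

Use one mechanism per access, not both: with redirection disabled the `Sysnative` alias is no longer resolved.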

Secondly, some Anti-Virus products have a Memory Scanning module. Since 32-bit processes cannot enumerate 64-bit processes, a product running under WOW64 is bound to skip most of the processes.

There are more such cases, and knowing them will help Anti-Virus developers avoid loopholes in their products.

The paper will start by explaining concepts such as WOW64, then discuss the issues that arise when an Anti-Virus product executes under WOW64, and finally propose a working solution to them.