I'am very interesting in NOD32. And I found NOD32.EXE scan files not using Win32 API (such as: CreateFile, ReadFile, WriteFile...), but using ZwDeviceIoControlFile. It seems that nod32.exe access file in kernel mode.

Most strange thing is that, I cannot found the module of it's scan engine.

I attached to the nod32.exe's process using windbg, list the call stacks of all threads, it looks very strange.

And why it's CPU using is so low while scanning?

Who can explain these doubt?
*puppy*

-{ Quote: "And I found NOD32.EXE scan files " }-

This is NOD's on-demand scanner.


-{ Quote: "And why it's CPU using is so low while scanning?" }-
because it is NOD32 . Fast , light , efficent ;)

I'am a programmer. I want to know the detail of every module and relation of them.
To learn the design blueprint of it is my purpose.
::)

If an ESET employee decides , they can share more information with you . I cannot .

I do not think that discussing software design related stuff is purpose of this support forum. Thread is hereby closed.