I'am very interesting in NOD32. And I found NOD32.EXE scan files not using Win32 API (such as: CreateFile, ReadFile, WriteFile...), but using ZwDeviceIoControlFile. It seems that nod32.exe access file in kernel mode. Most strange thing is that, I cannot found the module of it's scan engine. I attached to the nod32.exe's process using windbg, list the call stacks of all threads, it looks very strange. And why it's CPU using is so low while scanning? Who can explain these doubt?