Which protection ring do antiviruses run in?

Discussion in 'other anti-virus software' started by Amin, Mar 5, 2014.

Thread Status:
Not open for further replies.
  1. Amin

    Amin Registered Member

    Joined:
    May 16, 2012
    Posts:
    437
    Location:
    UK
    Hi guys, these questions have really occupied my mind (for a long time)..

    I wonder if there is any antivirus which can gain low-level access to kernel-level resources.. (ring 0)

    btw I want to know how antiviruses really work, more precisely, how do they hook into that low-level file access process? Is that because they are written in low-level programming languages or what?

    How can they take control of malware which is also running at low levels? o_O



    Thanks in advance..
    Amin :)
     
  2. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    "Overview of real-time antivirus scanning engines" - pdf at hxxp://www.jestr.org/downloads/volume5issue1/fulltext12050112.pdf
     
  3. wasgij6

    wasgij6 Registered Member

    Joined:
    Mar 29, 2011
    Posts:
    263
    CIS runs at ring 0. Once malware installs a kernel driver there isn't much an AV can do to remove it. The malware will be able to kill the AV's processes. That's why prevention is best with this type of malware.
     
  4. Amin

    Amin Registered Member

    Joined:
    May 16, 2012
    Posts:
    437
    Location:
    UK
    Thank you guys. But what I'm most hazy about is how an AV manages to run at ring 0. I have no idea whether it's because of the AVs' programming structure (low-level language) or because the OS lets AVs take over.... It's like both AV and malware mess with the deepest system resources to get what they are meant to.. As someone said before, they both do nasty things to achieve their goals :D I'm still puzzled anyway
     
  5. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
  6. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA