Abstract | Security is a concern for any computing system. Intruders break into machines to steal private data, important credentials, or credit card numbers. Causing damage, denying service, spamming, and defrauding are among intruders' goals. Security engineers strive to secure systems against many kinds of attacks, and different security controls are deployed at a variety of perimeters to fight them. Firewalls, intrusion detection systems, intrusion prevention systems, encryption techniques, spam filters, and anti-adware are among such security controls. As a last line of defense, the antivirus (AV) is of particular concern to the end-user community. Mainly, the AV achieves security by scanning data against its database of virus signatures. In addition, the AV tries to strike a reasonable balance between security and performance, because end-users are not willing to deploy a performance-killing AV. When to scan data is an important design decision an antivirus has to make. In this study, we test two AV aspects. First, we want to know how aggressive the AV is against kernel-level activities compared with user-level activities. To do that, we implemented a kernel-level device driver that reads malware in the presence of the AV. Second, because AVs are equipped with on-access scanners that are triggered by file access, we want to know how the AV achieves that and how it could affect overall performance. |
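The on-access scanning behaviour and the security/performance trade-off the abstract refers to, as an added example (this is not code from the study): a small Python simulation of a signature-based on-access scanner hooked into file opens, comparing a policy that rescans on every access with one that caches the verdict per content hash and rescans only when content changes. The signature database, the in-memory file set and the access sequence are constructed for this example; the EICAR string is the standard harmless AV test pattern, and the second signature is a made-up placeholder.

```python
import hashlib

# Standard EICAR test string (harmless; AV products are expected to flag it).
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

# Constructed signature database: name -> byte pattern.
SIGNATURES = {
    "EICAR-Test-File": EICAR,
    "Constructed.Sample.A": b"CONSTRUCTED-SAMPLE-PATTERN-01",   # placeholder pattern
}

# Constructed in-memory "file system": path -> content bytes (nothing touches disk).
FILES = {
    "/home/user/notes.txt": b"quarterly report draft, nothing to see here",
    "/tmp/eicar.com": EICAR,
    "/tmp/sample.bin": b"\x00" * 16 + b"CONSTRUCTED-SAMPLE-PATTERN-01" + b"\xff" * 16,
}

# Constructed access sequence: the same files are opened repeatedly,
# which is where the "when to scan" decision shows up as cost.
ACCESSES = ["/home/user/notes.txt"] * 5 + ["/tmp/eicar.com"] * 2 + ["/tmp/sample.bin"] * 3


def scan_bytes(data, signatures=SIGNATURES):
    """Signature scan: return the name of the first matching pattern, else None."""
    for name, pattern in signatures.items():
        if pattern in data:
            return name
    return None


class OnAccessScanner:
    """Simulated on-access scanner invoked on every file open.

    cache_verdicts=False: rescan on every access (maximum coverage, maximum cost).
    cache_verdicts=True : scan once per distinct content hash and reuse the verdict
                          until the content changes (the usual performance trade-off).
    """

    def __init__(self, cache_verdicts):
        self.cache_verdicts = cache_verdicts
        self.verdicts = {}          # sha256 hex digest -> signature name or None
        self.scans_performed = 0

    def on_open(self, path):
        data = FILES[path]
        digest = hashlib.sha256(data).hexdigest()
        if self.cache_verdicts and digest in self.verdicts:
            return self.verdicts[digest]      # clean or known-bad, no rescan needed
        self.scans_performed += 1
        verdict = scan_bytes(data)
        self.verdicts[digest] = verdict       # keyed by content, so edits invalidate it
        return verdict


def simulate(accesses, cache_verdicts):
    """Replay an access sequence; return (detections by path, number of scans run)."""
    scanner = OnAccessScanner(cache_verdicts)
    detections = {}
    for path in accesses:
        verdict = scanner.on_open(path)
        if verdict is not None:
            detections[path] = verdict
    return detections, scanner.scans_performed


if __name__ == "__main__":
    for cache in (False, True):
        found, scans = simulate(ACCESSES, cache_verdicts=cache)
        print(f"cache_verdicts={cache}: {scans} scans for {len(ACCESSES)} opens, detections={found}")
```

Both policies produce the same detections on this sequence; the cached policy runs three scans instead of ten, which is the kind of saving a real on-access scanner buys by tracking file state. The cache is keyed by content hash rather than by path, so a file whose content changes between opens is scanned again.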