Security Incidents mailing list archives

RE: strange windows behaviour.


From: "Harley David" <david.harley () nhsia nhs uk>
Date: Fri, 10 Oct 2003 09:18:56 +0100

Interesting paper, which I hadn't come across before.
Two points:
* AV vendors do actually analyse malicious code, they
  don't just extract a signature. If a vendor acquired
  a sample that showed the kind of behaviour you describe,
  they would hopefully feel obliged to take it into account
  in their detection and disinfection routines. And I think
  you'll find that even vendors that don't scan streams at
  present will have spent enough time on the issue to be able
  to when and if they need to.
* AV is not (primarily) signature based, and hasn't been for
  many years. Slim code content is not enough to evade 
  virus-specific detection.

-- 
David Harley
Threat Assessment Centre Manager
Anti-Virus/Email Abuse Specialist
NHS Information Authority



