Anti virus API?

  • M Mike Stevenson

    When you open a .doc file in MS Word, a little message that says 'Requesting Virus Scan' appears in the status bar. My guess is that there's some sort of interface, defined by Win32, that a system's registered virus checker adheres to. I've never read of such a thing, but you might want to look at winword.exe in Depends and see what it's importing. I'd look at the MS Knowledge Base too and see if you can find anything relating to that message. Good luck! :-D -Mike Stevenson Owner, Liquid Mirror Software and eBooks, Shareware Junction Downloads and Crush Alarm http://www.liquidmirror.com/ - http://www.sharewarejunction.com/ - http://www.CrushAlarm.com/ Sign up for the Shareware Junction Banner eXchange! http://www.sharewarejunction.com/swjbx/

    Mike Stevenson wrote (#7):

    A quick search of the KB shows that there's an Office Addin produced by Symantec/Norton called Officeav.dll. It appears to be a COM object, so you could probably play around with its interfaces and get it to work if you're persistent enough. I'm not sure if it does a real virus scan or only scans Word docs internally, but you should be able to find out with a bit of testing. I assume that you'll have to have MS Office and Norton Anti-Virus on the machine in question in order to get it to work. -Mike Stevenson Owner, Liquid Mirror Software and eBooks, Shareware Junction Downloads and Crush Alarm http://www.liquidmirror.com/ - http://www.sharewarejunction.com/ - http://www.CrushAlarm.com/ Sign up for the Shareware Junction Banner eXchange! http://www.sharewarejunction.com/swjbx/

      Jorgen Sigvardsson wrote (#8), in reply to Mike Stevenson (#7):

      Ouch! Sounds really dangerous to COMify an anti-virus toolkit. It wouldn't be too hard to write a COM-dll/classfactory which proxies calls between Office and the actual anti-virus COM-dll. All you need to do is look up the DLL of the Norton-antivirus based on the CLSID, then regsvr32 your own DLL using the same CLSID, and do dynamic loading of the real DLL and start proxying. Anything that is loaded dynamically and not digitally signed is unsafe for doing av-tasks. Microsoft may have solved it by requiring the DLL to be signed by an authentic Norton key. Does Windows support signed DLLs? I know it supports signed drivers, but I'm unsure of drivers. If they do however, the Microsoft Office application must have Norton's public key somewhere (preferably encrypted using a private Microsoft key) in order to verify the authenticity of the av-DLL. So this leaves us hobby-hackers out of the game; I imagine Microsoft would require big bucks for this. And how are the keys distributed? It would suck if it was only distributed in the service packs.. If there is indeed some sort of AV-plugin interface in Office, chances are that they've built a fortress on sand.. FreeBSD is sexy. Getting closer and closer to actually submit an article...

        Tim Smith wrote (#9), in reply to Jorgen Sigvardsson (#8):

        It can be a problem. Luckily, most of the virus people are no-brains script kiddies. Only recently have these viri started attacking the AV software. Tim Smith "Programmers are always surrounded by complexity; we can not avoid it... If our basic tool, the language in which we design and code our programs, is also complicated, the language itself becomes part of the problem rather than part of the solution." Hoare - 1980 ACM Turing Award Lecture

        • M Mike Sax

          Here's the scenario: Customers upload files via a support site. The support engineer needs to download the file, scan it for viruses and if it's infected, notify the customer. To avoid this hassle, we'd like to make virus checking a part of the upload process so we can immediately notify the customer and save time for ourselves. Is there any anti-virus company out there that has a simple "Scan this file and tell me if it's infected" function you can call? We can think of a few workarounds (like emailing the file to a mail server which has virus checking software on it), but we'd really like to make it part of the process. Any suggestions would be greatly appreciated... thanks!


          Mike Sax http://www.Sax.net Rock Solid Components™

          ColinDavies wrote (#10):

          AVG offers an API, But I have written twice and never got a response.:(( Regardz Colin J Davies

          Sonork ID 100.9197:Colin

          You are the intrepid one, always willing to leap into the fray! A serious character flaw, I might add, but entertaining. Said by Roger Wright about me.

            Jon Sagara wrote (#11), in reply to ColinDavies (#10):

            Colin^Davies wrote: Colin^Davies C to the izzo, D to the avies ;P Jon Sagara "Shut up brain, or I'll stab you with a Q-Tip!"

            • J Jon Sagara

              Google returns the following link: http://msdn.microsoft.com/workshop/security/antivirus/antivirus.asp Jon Sagara "Shut up brain, or I'll stab you with a Q-Tip!"

              Jorgen Sigvardsson wrote (#12):

              Hmm.. Useless Implementation/API I'm afraid. X| I've only studied a couple of computer security courses and I did my masters in this area, so I'm not by any means a computer security "professional". But I have two points to back up my statement: 1) It does not support system-wide policies. I.e., a sysadmin/secadmin cannot configure it to fully reject any suspicious files. (Sysadmins/secadmins may be fascist a**holes, but they are so for a reason - most of the time anyway :)) 2) The AV-software is implemented as a COM-object? That design choice should be awarded a Darwin award. Dynamically loaded DLLs can be bypassed by the most clueless virus programmer. Consider this: You get a virus which has not yet been identified by AV-vendor X. It's executed undetected. Inevitable you say? Ok, very well. But the virus won't stop there. Of course it'll scan that cute CAT-id the API speaks of, and put COM-proxies around each and every one of those AV-COM DLLs. Now the virus has quite a grip on your AV-software. If the AV-software would have been put in some digitally signed form (registry and DLL needs to be tamper-proof/tamper-verifiable), this trick would have been a lot harder! Yet another blunt attempt by Microsoft to do "security". Microsoft has like a billion of researchers, some of them are the best computer security researchers. Then why the hell do they push crap like this? :confused: (I guess the Office team doesn't have any connections with the research department..) FreeBSD is sexy. Getting closer and closer to actually submit an article...

                Jorgen Sigvardsson wrote (#13), in reply to Tim Smith (#9):

                Yes.. but this is an open invitation to all 12 year old script kiddies! FreeBSD is sexy. Getting closer and closer to actually submit an article...

                  Jorgen Sigvardsson wrote (#14), in reply to Jorgen Sigvardsson (#12):

                  Hell.. you don't even need to do any proxying whatsoever in this case. You just need to return S_OK from the Scan-method. It's not even hard! FreeBSD is sexy. Getting closer and closer to actually submit an article...
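
Editor's added example (not part of any post in this thread, and not code from Office or any AV vendor): a baseline audit that makes the scanner registrations discussed in posts #8, #12 and #14 tamper-verifiable, flagging a re-registered CLSID, a per-user override, or a swapped DLL. It substitutes a SHA-256 baseline for the signature check the posts ask about, and it runs on a constructed registry snapshot; the CLSIDs, paths, file contents and finding names are all assumptions.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Registration:
    hive: str         # "HKLM" (machine-wide) or "HKCU" (per-user)
    clsid: str        # class registered in the scanner category
    server_path: str  # InprocServer32 default value


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def audit(baseline, registrations, read_file):
    """Compare a registry snapshot with a trusted baseline.

    baseline: {upper-case CLSID: (expected DLL path, expected SHA-256)};
    read_file(path) returns bytes, or None when the file is missing.
    Returns a sorted list of (CLSID, finding) tuples.
    """
    findings, machine_wide = set(), set()
    for reg in registrations:
        clsid = reg.clsid.upper()
        if clsid not in baseline:
            findings.add((clsid, "not-in-baseline"))
            continue
        if reg.hive == "HKCU":
            # Per-user classes shadow machine-wide ones for that user.
            findings.add((clsid, "per-user-override"))
        else:
            machine_wide.add(clsid)
        expected_path, expected_hash = baseline[clsid]
        # Windows paths are case-insensitive, so compare them lower-cased.
        if reg.server_path.lower() != expected_path.lower():
            findings.add((clsid, "server-path-changed"))
            continue
        data = read_file(reg.server_path)
        if data is None:
            findings.add((clsid, "dll-missing"))
        elif sha256_hex(data) != expected_hash:
            findings.add((clsid, "dll-hash-mismatch"))
    for clsid in set(baseline) - machine_wide:
        findings.add((clsid, "registration-missing"))
    return sorted(findings)


# Constructed sample data: CLSIDs, paths and file contents are invented.
AV1 = "{00000000-0000-0000-0000-0000000000A1}"
AV2 = "{00000000-0000-0000-0000-0000000000A2}"
NEW = "{00000000-0000-0000-0000-0000000000B9}"
FILES = {
    r"c:\program files\av\scan1.dll": b"vendor build 1",
    r"c:\program files\av\scan2.dll": b"patched build",
}
BASELINE = {
    AV1: (r"C:\Program Files\AV\scan1.dll", sha256_hex(b"vendor build 1")),
    AV2: (r"C:\Program Files\AV\scan2.dll", sha256_hex(b"vendor build 2")),
}
SNAPSHOT = [
    Registration("HKLM", AV1, r"C:\Program Files\AV\scan1.dll"),
    Registration("HKCU", AV1, r"C:\Users\u\AppData\proxy.dll"),
    Registration("HKLM", AV2, r"C:\Program Files\AV\scan2.dll"),
    Registration("HKLM", NEW, r"C:\Temp\stub.dll"),
]


def run_sample_audit():
    return audit(BASELINE, SNAPSHOT, lambda path: FILES.get(path.lower()))
```

The baseline has to be captured from a known-good install and stored where the account being audited cannot rewrite it; a matching hash says the DLL is unchanged, not that it came from the vendor.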

                    Jorgen Sigvardsson wrote (#15), in reply to ColinDavies (#10):

                    Do you know how it's implemented? FreeBSD is sexy. Getting closer and closer to actually submit an article...

                      Mike Sax wrote (#16), in reply to Jon Sagara:

                      Thanks for the pointer - unfortunately, the API description says that the virus checker is responsible for showing UI to the user in case of an infected file, so it cannot be used on a server. It's amazing to me that none of the major anti-virus vendors seem to have an API! :confused:


                      Mike Sax http://www.Sax.net Rock Solid Components™

                        Michael Dunn wrote (#17), in reply to Mike Stevenson (#7):

                        Mike Stevenson wrote: "I'm not sure if it does a real virus scan or only scans Word docs internally,"
                        It does a real scan. Take it from a former NAV developer. ;)
                        "I assume that you'll have to have MS Office and Norton Anti-Virus on the machine in question in order to get it to work."
                        That is correct.
                        --Mike-- Just released - RightClick-Encrypt v1.3 - Adds fast & easy file encryption to Explorer My really out-of-date homepage Sonork-100.19012 Acid_Helm

                          ColinDavies wrote (#18), in reply to Jorgen Sigvardsson (#15):

                          Jörgen Sigvardsson wrote: "Do you know how it's implemented?"
                          All I know is that I emailed grisoft@grisoft.com and got no response :-( I have no idea what it is, sorry Regardz Colin J Davies

                          Sonork ID 100.9197:Colin

                          You are the intrepid one, always willing to leap into the fray! A serious character flaw, I might add, but entertaining. Said by Roger Wright about me.

                            James Pullicino wrote (#19), in reply to Mike Sax:

                            Norman Antivirus: http://www.norman.no/ James Drinking In The Sun Forgot Password?

                              Richard Deeming wrote (#20), in reply to Mike Sax:

                              Sophos has the SAVI API: http://www.sophos.com/sophos/docs/eng/manuals/savitoolkit.pdf

                                Christopher Duncan wrote (#21), in reply to Mike Sax:

                                I wonder if Symantec and McAfee are in the process of providing a web service for this purpose. I'd certainly drop them an email to see if they provide this, or some similar, service. By the way, is this the same Sax that's been around for years? I used a Sax serial communications C++ library in the mid 90s that saved me a ton of time, so if that was you, nice work, man! Christopher Duncan Author - The Career Programmer: Guerilla Tactics for an Imperfect World (Apress)
