hey,
i'm writing a malware detection software, to run on windows, i already have experience in pattern matching which is what i'm going to use, but i need to know how i can maybe get the files to scan, i mean i'm thinking either when a file is executed or when it's downloaded, i thought of maybe writing a plugin on the browser and email clients to scan the accessed page, but that will limit my possibilities to client sides, maybe if i can get the server to scan the files, it would be better, how should i be looking into that?
Should the client give the file to the server for pattern matching and wait a reply, or should the server simply be providing patterns to be matched with, and in any case, how can i know what file to scan?
Thanks.

Hey, thx for the answer,
so what are my possibilities at the server side, how can i find the downloaded files? i did something a while ago, where i would start a listener based on the client's request and analyze tcp packets to detect syn flood, but this is not the case in here, i want to scan a complete file, once it's downloaded.. or while it's being downloaded, and it's the data i'm after not the header in this case

Think of how your AV product works.
On the client you have an engine which uses a signature file to scan all files for specific details, activities etc.
On the server end you have a file where your client can "phone home" and be told current or download this new one.

Why not just implement the same concept.
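
A minimal sketch of the client side described above, added here as an example and not code from anyone in this thread: it loads a versioned signature set, watches one folder with `FileSystemWatcher`, and byte-matches each file that appears. The signature file format, the `SignatureSet` class, the `scan-demo` folder and the `DEMO-MARKER` test pattern are all constructed for illustration, and .NET 6 or later is assumed. `FileSystemWatcher` only reports a file after it has been written, so this scans new files promptly but does not hold back an open.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Linq;
using System.Threading;

// Constructed signature file: a "version=N" line, then "name:hex-pattern" lines.
var sigs = SignatureSet.Parse(new[] {
    "version=3",
    "demo.marker:44454D4F2D4D41524B4552" }); // ASCII "DEMO-MARKER", a test pattern only
string dir = args.Length > 0 ? args[0] : Path.Combine(Path.GetTempPath(), "scan-demo");
Directory.CreateDirectory(dir);
using var watcher = new FileSystemWatcher(dir);
watcher.Created += (_, e) => ScanFile(e.FullPath);
watcher.Changed += (_, e) => ScanFile(e.FullPath);   // later writes to the same file
watcher.Renamed += (_, e) => ScanFile(e.FullPath);   // temp name -> final name
watcher.EnableRaisingEvents = true;
Console.WriteLine($"signatures v{sigs.Version}, watching {dir} (Enter to quit)");
Console.ReadLine();

void ScanFile(string path) {
    for (int attempt = 0; attempt < 5; attempt++) {
        try {
            var hits = string.Join(",", sigs.Scan(File.ReadAllBytes(path)));
            Console.WriteLine(hits.Length == 0 ? $"clean: {path}" : $"MATCH [{hits}]: {path}");
            return;
        }
        catch (IOException) { Thread.Sleep(200); }          // writer still holds the file
        catch (UnauthorizedAccessException) { return; }     // directory or protected file
    }
    Console.WriteLine($"unreadable, not scanned: {path}");
}

class SignatureSet {
    public int Version;   // what the client would compare against the server's current version
    public List<(string Name, byte[] Pattern)> Signatures = new();
    public static SignatureSet Parse(IEnumerable<string> lines) {
        var set = new SignatureSet();
        foreach (var line in lines.Select(l => l.Trim()).Where(l => l.Length > 0)) {
            if (line.StartsWith("version=")) { set.Version = int.Parse(line.Substring(8)); continue; }
            var parts = line.Split(':', 2);
            set.Signatures.Add((parts[0], Convert.FromHexString(parts[1])));
        }
        return set;
    }
    // Names of every signature whose byte pattern occurs anywhere in the data.
    public List<string> Scan(byte[] data) => Signatures
        .Where(s => ((ReadOnlySpan<byte>)data).IndexOf((ReadOnlySpan<byte>)s.Pattern) >= 0)
        .Select(s => s.Name).ToList();
}
```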

The normal av everyone uses works as i proposed in my first post, it installs itself in the shell or sth (not sure how/that's the main question) and scans every file before it's opened.. my main question is how can i do that in C# any libraries i have to add or any clue at all, and if on the server side, i can know that the client is downloading a malware and stop it before it reaches the destination..

Well it would seem daft you're reinventing the wheel when there are free anti malware pre-existing apps done by professional companies who spent a lot of time and money making them.

However, you would need to decide exactly what you're monitoring for and then do it.

Whether that's connecting to websites, creating/opening/reading/writing files

But your question seemed to be not how to detect the malware but how to tell your anti-malware client how to update and know what to look for - for which how your AV product works is the best example of exactly that scenario which I outlined.

hey, sorry i might have neglected some points, i hate reinventing the wheel actually, it's just a university project :P
and yes for the question, i actually just wanted to be able to read the files, just read them before they are open, or as they are being downloaded, the download part is probably as easy as setting up a listener for tcp, and reading the data inside a packet, but i think there should be an easier solution, what i can't figure out is how to make my program, running in the background start and scan a file before it's opened by the os..
