Leythos wrote:
> In article <4369728B.4080900@wapda.com>, ekron@wapda.com says...
>
>> This is what an anti-virus program will do if you choose to rename
>> the file to keep it for observation purposes
>
> Not true, that's what SOME AV products will do if you rename the file.
Then those that don't do it that way probably use the double extension
method. I know of a program that uses this method, but in both cases the
file is disabled so no program can open it.
> We have our AV software set to scan EVERY file on access, except the
> database and Exchange store files (as defined by MS and the AV
> provider), but if you were to rename myvirus.exe to myvirus.txt, it
> would still be detected as a virus.
The AV program I use gives the option of renaming a malicious file it
finds by placing one letter in front of the exe to disable it, but does
not rename it as a file that can be executed, such as txt in your
example. The purpose of renaming a malicious file is to disable it, so
no program can open it.
>
> Good settings for any AV product would be to scan all files accessed.
>
In a corporate environment, I would agree.
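
Added example (not part of the original posts): a minimal content-based check showing why a scanner that reads file contents still recognizes a Windows executable after a rename, whether it became .txt, got a double extension, or had a letter put in front of exe. The function names, the extension list and the sample header bytes are assumptions constructed for illustration; this is not any AV product's logic.

```python
import os
import struct
import tempfile

# Assumed, non-exhaustive list of extensions Windows treats as executable.
EXECUTABLE_EXTS = {".exe", ".dll", ".scr", ".com", ".sys"}

def looks_like_pe(data: bytes) -> bool:
    """True if data starts with a DOS 'MZ' header whose e_lfanew field
    (offset 0x3C) points at the PE signature inside the bytes read."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"

def find_renamed_executables(root: str, header_bytes: int = 4096) -> list:
    """Return relative paths of files whose content is PE but whose
    extension is not an executable one (renamed or disabled files)."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    head = fh.read(header_bytes)
            except OSError:
                continue  # locked or unreadable file: skip it
            ext = os.path.splitext(name)[1].lower()
            if looks_like_pe(head) and ext not in EXECUTABLE_EXTS:
                hits.append(os.path.relpath(path, root))
    return sorted(hits)

def make_sample_pe_header() -> bytes:
    """Constructed 0x80-byte stub with valid MZ/PE markers only.
    It contains no code and is not a runnable program."""
    buf = bytearray(0x80)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x40)  # e_lfanew -> 0x40
    buf[0x40:0x44] = b"PE\x00\x00"
    return bytes(buf)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        for name in ("myvirus.exe", "myvirus.txt", "myvirus.vexe"):
            with open(os.path.join(d, name), "wb") as fh:
                fh.write(make_sample_pe_header())
        print(find_renamed_executables(d))
```

The rename changes only what the shell will launch on a double-click; the bytes a scanner inspects are unchanged.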