How Viruses Hide: Read Request Intercepts

Read request intercepts take advantage of the fact that large parts of the Windows operating system are proprietary and inaccessible to non-Windows software. As such, an anti-virus program made by another company has to query the Windows OS, sending it a read request for each file it wants to examine. It goes a little like this:

AV program: “Hey Windows! I want to examine the file 22450d384281.dll to see if there’s a virus hiding in there. Can you please let me read it?”

Windows OS: “OK, I recognize you as one of the good guys. I’ll let you read the file and look. One sec. OK, you have access.”

AV Program: “Thanks Windows.”

Windows OS: “Sure. NP.”

What does a virus trying to hide itself do in this situation? It impersonates the Windows OS to the anti-virus program. In other words, it intercepts the AV program’s read request and either denies it or hands the anti-virus program a fake, clean version of the file. The interception is made possible by injecting code into the OS components that handle the read request. That, in a nutshell, is how read request intercepts allow viruses to remain undetected by anti-virus software.

Finding and preventing this is very hard, and security software companies use several techniques. They might examine what’s known as the virus signature, comparing a sample against known samples of one or more viruses (e.g. what does its code profile look like?). Or they may compare the file against a working database of Windows OS files known to be clean.
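The second technique, checking files against a database of known-clean copies, is in essence a file integrity baseline. The script below is an added example (not BankVault code and not any vendor’s product) of that check: it records a SHA-256 hash of each file in a known-good manifest, then reports every file that is modified, missing or unexpected. The “system” file names and their contents are constructed for the demo, and the tampering is simulated by appending bytes, standing in for injected code.

```python
"""Known-good file integrity check: a baseline of SHA-256 hashes compared
against the files currently on disk.  Added example, not BankVault code;
the file names and contents used in demo() are constructed for illustration."""
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Record the hash of every file under root: the 'known clean' baseline."""
    return {
        str(p.relative_to(root)): sha256_of(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify(root: Path, manifest: dict) -> dict:
    """Compare the files under root against the baseline.

    Returns {relative_path: status} where status is one of
    'ok', 'modified', 'missing' (in the baseline, gone from disk) or
    'unexpected' (on disk, absent from the baseline)."""
    results = {}
    present = {str(p.relative_to(root)) for p in root.rglob("*") if p.is_file()}
    for rel, expected in manifest.items():
        p = root / rel
        if not p.is_file():
            results[rel] = "missing"
        elif sha256_of(p) != expected:
            results[rel] = "modified"
        else:
            results[rel] = "ok"
    for rel in present - set(manifest):
        results[rel] = "unexpected"
    return results


def demo() -> dict:
    """Build a baseline over constructed 'system' files, then tamper with one
    (append bytes, as injected code would), delete another and drop in a
    stray file.  Returns the verification report."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        # Constructed stand-ins for OS files; "MZ" mimics a PE header prefix.
        (root / "ntdll.dll").write_bytes(b"MZ" + b"clean-ntdll" * 100)
        (root / "kernel32.dll").write_bytes(b"MZ" + b"clean-kernel32" * 100)
        (root / "user32.dll").write_bytes(b"MZ" + b"clean-user32" * 100)
        manifest = build_manifest(root)

        # Simulated tampering after the baseline was taken.
        with open(root / "ntdll.dll", "ab") as f:
            f.write(b"INJECTED")                 # modified
        (root / "user32.dll").unlink()           # missing
        (root / "22450d384281.dll").write_bytes(b"MZ unknown")  # unexpected

        return verify(root, manifest)


if __name__ == "__main__":
    for name, status in sorted(demo().items()):
        print(f"{status:10} {name}")
```

The caveat is the one this post is about: the checker reads files through the same OS read path that an intercept hooks, so a virus that hands back a clean copy will pass this check too. An integrity comparison is only trustworthy when the read path is, for instance when the disk is scanned from a separately booted, known-clean environment.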

It’s a hit-or-miss process that extends the working life of a virus until the injected code or altered file is identified and patched, and then those patches still have to work their way out to consumers.

This is a great example of how a system protected by a current anti-virus/anti-malware program can still be insecure.

To be truly secure, one needs to avoid the OS, which can be infected without the infection being detected. BankVault’s patent-pending technology does this.

Next up: Self-Modification.
