CHAPTER 2. APPLICATION ALGORITHM
Before reviewing the functional capabilities of Kaspersky Anti-Virus, a detailed
discussion of its internal architecture is required. This will help obtain a
comprehensive understanding of the algorithm used in the Anti-Virus operation.
Kaspersky Anti-Virus includes:
• On-demand anti-virus scan component kavscanner;
• Real-time anti-virus scan component kavmonitor;
• Anti-virus database update module keepup2date;
• License key management utility licensemanager;
• Remote administration module used with Webmin application.
Provided below is a detailed discussion of the application operation algorithm
based on an example of real-time protection (that is, using the kavmonitor
component).
The operation procedure is as follows:
1. When any application on your computer attempts to access an object of
   the file system (a request to open, run or close a file), the call is
   intercepted by the kavmonitor component kernel module and sent for
   anti-virus scanning.
2. The intercepted file is then processed by a daemon application
   included in the kavmonitor component. The daemon scans the object
   for viruses and processes it based on the settings specified in the
   configuration file (including, but not limited to, disinfection using the
   anti-virus database if this option is selected).
3. After the file has been processed, the kernel module will send to
   kavmonitor the access code (allowed/prohibited) that defines the file
   status.
4. Based on the object's status, the kavmonitor component allows access
   to the file or blocks it (in this case the application requesting access to
   the file will receive an error code (Access denied)).
The file status assigned during the scan (and processing) can be one of the
following:
• Clean – the object is not infected.