Spyware/Virus Protection System

Started by FrostWraith, September 17, 2006, 09:34 PM

FrostWraith

Would it seem like a good idea to write a program that calculates an md5 or other hash algorithm of the core system files? I just happened to have a bad mishap and had to blow my HDD (not my important one ;)) but the one that my computer boots to. Do the size/contents of files (Windows) periodically change? If this seemed like a go, how would I be able to go about finding the files people like to inject code into? My ultimate goal is to write a program that compares hash values and see which files are corrupt.

Any help appreciated.

Skywing

If you apply hotfixes or otherwise patch your operating system against security issues regularly, then yes, they change.

FrostWraith

I figured as much. Does anyone really know how anti-virus programs really work? Are there preset names they are set to scan for?

Skywing

As far as real-time scanning goes, the well-designed AV software out there (few and far between as far as the AV world goes, unfortunately) uses something called a filesystem filter driver that sits in between programs and the underlying filesystem in kernel mode and allows the AV software to inspect all file-level I/O before it is allowed to happen (or return to a program).

Detection of viruses themselves is typically done by some sort of pattern matching based on file data - although this is a fairly large oversimplification.

RealityRipple

The MD5 idea might be a good one. Just prompt when it changes to ask if the change was expected or not. Then update the hash of the file (and maybe make file backups in a compressed file?) if it's expected, and revert to the old version if it isn't. I think Windows XP does something similar to this already, though.
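A minimal version of the baseline-and-compare tool discussed in this thread, as an added example (not code from any poster). It assumes SHA-256 instead of MD5, since MD5 collisions are practical today, and the file names and temporary directory in the demo are constructed for illustration only.

```python
# Added example: baseline the hashes of a set of files, then compare later and
# report what was modified, removed or added. Hypothetical, not from the thread.
# SHA-256 is used instead of MD5 because MD5 collisions are practical today.
import hashlib
import tempfile
from pathlib import Path

CHUNK = 1 << 16  # stream files in 64 KiB chunks so large binaries don't sit in RAM


def hash_file(path: Path) -> str:
    """Return the hex SHA-256 digest of a file's contents, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(root: Path, patterns=("*.dll", "*.exe", "*.sys")) -> dict:
    """Hash every file under root matching the patterns; keys are relative paths."""
    baseline = {}
    for pat in patterns:
        for p in sorted(root.rglob(pat)):
            baseline[str(p.relative_to(root))] = hash_file(p)
    return baseline


def verify(root: Path, baseline: dict) -> dict:
    """Compare the tree against a saved baseline; return modified/missing/new names."""
    current = build_baseline(root)
    return {
        "modified": sorted(k for k in baseline if k in current and current[k] != baseline[k]),
        "missing": sorted(k for k in baseline if k not in current),
        "new": sorted(k for k in current if k not in baseline),
    }


def demo() -> dict:
    """Constructed scenario: baseline a fake system dir, then alter it three ways."""
    root = Path(tempfile.mkdtemp())
    (root / "kernel32.dll").write_bytes(b"original code")   # constructed content
    (root / "ntoskrnl.exe").write_bytes(b"kernel image")    # constructed content
    baseline = build_baseline(root)
    (root / "kernel32.dll").write_bytes(b"original code" + b"\x90" * 4)  # modified
    (root / "ntoskrnl.exe").unlink()                                    # missing
    (root / "evil.sys").write_bytes(b"dropped driver")                  # new
    return verify(root, baseline)
```

The prompt-and-accept step RealityRipple describes would sit on top of verify(): on an expected change, overwrite that entry in the baseline with the new digest; otherwise restore the file from backup.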