The challenge of detecting and removing installed threats

Jason Bruce SophosLabs

The days when the competitiveness of an AV product was determined by the ability to detect a bucket full of samples will soon be behind us. New tests, driven by the requirement for AV products to deal with spyware, will measure the ability of an AV product to manage any given threat from detection to full removal.

Detecting and removing installed and active threats presents many challenges particularly where multiple files, processes and registry components are involved. The ability for these components to be updated from the Internet at any time and with varying frequency only complicates the issue further.

This paper will discuss the challenges that are faced by AV vendors in modify their products to move away from blindly detecting and deleting a given set of samples to detecting and removing samples in the context of the installed threat for which those samples are merely a subset of components.


We have placed cookies on your device in order to improve the functionality of this site, as outlined in our cookies policy. However, you may delete and block all cookies from this site and your use of the site will be unaffected. By continuing to browse this site, you are agreeing to Virus Bulletin's use of data as outlined in our privacy policy.