Jan 22 2008, 09:51 PM, Post #1
Super Member | Group: [HOSTED] | Posts: 504 | Joined: 25-April 05 | Member No.: 4,374
We can all breathe a little easier now because Yahoo! is offering automatic virus scanning of sent files in Messenger (http://www.ymessengerblog.com/blog/2008/01/17/new-file-transfer-security-with-norton-antivirus/). The catch is that you need the latest version of Norton Antivirus to get this brand new and unique level of protection. So the question is this: have I been unsafe and at risk of getting a virus with my current antivirus software? Is this a completely new concept that Norton and Yahoo! created for me? The answer is simple: although there are no outright lies in the article, it is very misleading and nothing more than a scare tactic to get you to buy Norton Antivirus.

It appears that Norton has dropped a load of advertising cash into Yahoo!'s coffers for the special privilege of being the recommended antivirus for Messenger. In the end it is only advertising and not any added functionality over any standard antivirus package. The only difference that I can see is that Yahoo! added a special API that Norton can use to scan a file before it actually hits the file system. As you will see, it does not help catch viruses; it only moves the scanning phase to a different level in the file creation process.

All antivirus and firewall programs work by hooking a select few Windows API functions. In the case of antivirus programs, they are most concerned with the functions used by Windows to create or move a file. What a hook does is basically add functionality to a function call by injecting extra code. Microsoft provides this “feature” out of the box even if it is not usually condoned or documented very well.

When a file is transferred through Messenger, it is usually kept in a memory buffer until the transfer is complete. At this time Messenger creates a file on the file system and writes the contents of the memory buffer to disk. To make this file, a particular Windows API is called by the OS, and if an antivirus is running the hook will also be executed. As you can see, no matter how the file gets onto your system, a program will always have to use the create file API and subsequently scan the file for viruses. This miraculous new feature may actually be scanning the memory buffer before it is written to disk, but I am only guessing. Even if it scans the memory, you are not getting any benefit from using this method, and in some cases it may even be slower.

So fear not, my fellow Messenger user: you are still safe even if you are not using Norton Antivirus.
Jan 23 2008, 03:54 PM, Post #2
Premium Member | Group: [HOSTED] | Posts: 393 | Joined: 9-March 07 | From: Tucson, AZ | Member No.: 20,794
Norton sucks big time. They used to be *the* de facto name in computer security...they even *used* to have a lightweight antivirus product.

Then something happened. Everything they make is bloatware, slows down Windows, and just generally makes a complete mess. And their firewall product is a joke! Get AVG for virus scanning instead. Use Comodo for firewalling.

IMO the only reliable virus scanning is on-access, since most people who try to send you viruses will compact them with UPX and/or obfuscate them inside a wrapper that's used for legitimate purposes too. The "compressed" binary can slip through the signature-based filters, and unless you have an on-access scanner that can scan the memory before its code is executed, you're pretty well screwed on this one.

On another note, I wish Yahoo would quit dicking around with Norton and fix the bugs in the Mac version of their Messenger...it's so feature-incomplete it's not funny.