#1
That's a neat post and it'll be useful. You closed it to questions though, so excuse this follow-up thread.

I've always presumed that a resident virus checker will block any malware codec that a user accepts because I've always assumed the internet-downloaded codec has to go to disk before it's run. Do you think that's so, or do you think it's straight-to-memory and avoids the real-time scan?

Why are these things called codecs anyway? The coding portions never exist with the decoder portions, the packs are all decoders, the coders are built into entirely different programs.

#2
Most of the above codecs are in the downloads section, if not all of them.

#3
A bad codec can attack just the browser itself as a DLL or an ActiveX control. Yes, it will have to be installed, but as I like to say, the biggest piece of malware ever created is the mouse.

Antivirus is useless in many cases of careless clicking. It is a roll of the dice on whether it will catch the malicious file before or after it is installed. Some malware has the ability to temporarily turn off security long enough to install itself. Then it won't be found until it is too late, if found at all. Once you click accept or yes (whatever the case may be) the AV is powerless. Also, if it is some new malicious file it may not be in the AV database yet, so it won't be found by your AV anyway.

#4
There's a very strict order to these things. AV packages scan what's saved to disk or loaded from disk, that's their focus. I agree that if the AV database doesn't identify the malware then the malware passes without being stopped. I'm not aware of any codec that downloads straight into memory and executes without a prior disk save. The writers of the players are aware of the danger of allowing that.

There are two types of malware. There's the sort that burrows in through buffer overflows and executes without getting saved first, or which rely on script language security holes. They can and do try to turn off the security before embedding themselves permanently. That mechanism simply isn't available to malware which is downloaded or arrives as an email attachment, all of which have to be saved first before they can be executed.

Anyway, the "click yes to run" variety simply has to come off the disk, there's no mechanism in the operating system to accept before it's stored. All of those have been AV-scanned, assuming there's a resident AV scanner.

#5
Are you saying that there is no malware embedded in codecs?

EDIT: Fake codecs.

Last edited by evilfantasy : 26-03-2008 at 03:58 PM.

#6
Of course not, they're famed for having them.

I'm saying that a fake codec can't run and deliver its payload before it's been saved to disk. If there's a resident AV scanner then it would have to be unrecognized for it to be effective. I don't think there's a significant proportion which would go unrecognized. Consequently I think having a resident AV scanner is a reasonable protection against the fake codec route of infection.

#7
I see your point and it is valid, only I have seen first hand (in the malware forum) the damage the fake codecs can cause. It is a very common way of infecting a computer. An AV is a layer of protection but far from a catch-all, even for known threats. Depending on what is written into the file, you can be infected with the whole spectrum of virus/trojan/worm etc.

See this post for a better explanation.