1 Reply Latest reply on Jan 21, 2009 2:59 PM by jan.buelens

    Antivirus, XP64bit, and 32-bit code oh my


      We are testing XP 64 for the possibility of switching to a 64-bit OS. We are using LDMS 8.8 SP2a with Antivirus, which installs fine on our test system running in 32-bit mode.


      Some questions come to mind when running across http://support.microsoft.com/kb/282423 concerning 64-bit limitations.



      No Kernel-Mode 32-Bit Code

      There is no support for Kernel-mode or 32-bit code such as:

      · 32-bit virus-detection or 32-bit file system filters.


      I'm not familiar with how LANDesk (Kaspersky) works for virus protection. My assumption is that if there were an issue, AV would crash attempting to run in 32-bit kernel mode, but I feel it's better to ask the question anyway.


      Does this cause a lapse of LANDesk AV coverage? (Example: XP64 running LANDesk AV and a 32-bit IE application)


      Is there a 64bit client available that counts as a client license?



      Thanks for any help.






        • 1. Re: Antivirus, XP64bit, and 32-bit code oh my

          I'm writing these lines from a Vista X64 machine running LANDesk AV. I know from daily experience (well, not quite daily, I don't get exposed to live viruses that frequently) that real-time scanning actually works. Real-time scanning necessarily takes kernel mode code. And if, as you point out, 32 bit kernel mode code simply doesn't run on a 64 bit OS, then the conclusion must be that the real-time scanning is being done by 64 bit code.


          If there is a limitation somewhere due to 32 bit code running under wow64, the kind of test that should reveal it would be something like this: turn off real-time scanning, copy the eicar test virus to the system32 folder, do an on-demand scan of system32. If the product suffers from wow64 limitations, it will not find the virus because 32 bit apps can't see the real system32 folder, they get diverted to syswow64. You need to turn off real time scanning for the test since otherwise, it will prevent you from copying the test virus.


          That test is negative, i.e. the product does not suffer from this limitation. The exercise is not academic because several AV products have indeed suffered from this limitation.
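
The coverage gap that test looks for can be modelled in a few lines. The following is an added example, not part of the thread and not LANDesk or Kaspersky code: it models WOW64 file system redirection and shows which files an on-demand scanner of each bitness would actually reach. It goes slightly beyond the reply by including the `Sysnative` alias and some exempt subdirectories; the function names, the sample disk contents and the `TEST-SIGNATURE` marker are constructed for illustration.

```python
import ntpath

WINDIR = r"C:\Windows"
# Some System32 subdirectories Microsoft documents as exempt from
# redirection (not an exhaustive list).
EXEMPT = ("catroot", "catroot2", r"drivers\etc", "logfiles", "spool")

def wow64_view(path, process_bits):
    """Return the on-disk path opened when a process of the given
    bitness requests `path` on 64-bit Windows (simplified model)."""
    norm = ntpath.normpath(path)
    low = norm.lower()
    sys32 = ntpath.join(WINDIR, "System32").lower()
    sysnative = ntpath.join(WINDIR, "Sysnative").lower()
    if process_bits == 64:
        return norm  # native process: no redirection applies
    # Sysnative alias (Vista and later): lets 32-bit code reach the real System32.
    if low == sysnative or low.startswith(sysnative + "\\"):
        return ntpath.join(WINDIR, "System32") + norm[len(sysnative):]
    if low == sys32 or low.startswith(sys32 + "\\"):
        rest = low[len(sys32):].lstrip("\\")
        if any(rest == e or rest.startswith(e + "\\") for e in EXEMPT):
            return norm  # exempt subdirectory: not redirected
        return ntpath.join(WINDIR, "SysWOW64") + norm[len(sys32):]
    return norm

# Constructed sample: real on-disk paths mapped to a content marker.
SAMPLE_DISK = {
    r"C:\Windows\System32\eicar.com": "TEST-SIGNATURE",
    r"C:\Windows\System32\notepad.exe": "clean",
    r"C:\Windows\SysWOW64\notepad.exe": "clean",
}

def on_demand_scan(disk, target_dir, process_bits):
    """Files flagged when a scanner of the given bitness scans target_dir."""
    real_dir = wow64_view(target_dir, process_bits).lower()
    return sorted(p for p, content in disk.items()
                  if ntpath.dirname(p).lower() == real_dir
                  and content == "TEST-SIGNATURE")

if __name__ == "__main__":
    for bits, target in ((64, "System32"), (32, "System32"), (32, "Sysnative")):
        hits = on_demand_scan(SAMPLE_DISK, ntpath.join(WINDIR, target), bits)
        print(f"{bits}-bit scan of {target}: {hits or 'nothing found'}")
```
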