I had an idea when recently removing a (fortunately inactive) virus from my PC.
All viruses have to be started in order to do their villainous work. They do this by:
1. Getting the user to directly run them
2. Getting the operating environment to run them
3. Getting a program to run them (e.g. Word macro viruses)
4. Getting the operating system to run them
For option (2), they usually hide in the various “run at startup” locations scattered throughout Windows.
The hard part is that they usually start concurrently with the various antiviruses, so it becomes a race between the two.
I propose that, when a system is being shut down, the antivirus takes a second or however long (probably not that long) to check the startup items. If a virus has been quietly inserted into them, to be activated on next start, it can be detected while unable to “fight back” and suppressed.
This has probably already been done, but I wanted to put it out there on the off chance it hasn’t been.
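A sketch of the shutdown-time check proposed above, added here as an example and not taken from any antivirus product: it snapshots startup entries and reports what was added, changed or removed since a stored baseline. The two registry Run keys are only a subset of the startup locations, and the function names, baseline file name and sample entries are assumptions constructed for illustration.

```python
import json
import os
import sys

# A small subset of Windows autorun locations; real systems have many more.
RUN_KEYS = [("HKLM", r"Software\Microsoft\Windows\CurrentVersion\Run"),
            ("HKCU", r"Software\Microsoft\Windows\CurrentVersion\Run")]

def snapshot_run_keys():
    """Read the Run keys into {"HIVE\\path::name": command}. Windows only."""
    import winreg
    hives = {"HKLM": winreg.HKEY_LOCAL_MACHINE, "HKCU": winreg.HKEY_CURRENT_USER}
    entries = {}
    for hive, path in RUN_KEYS:
        try:
            with winreg.OpenKey(hives[hive], path) as key:
                for i in range(winreg.QueryInfoKey(key)[1]):  # [1] = value count
                    name, value, _ = winreg.EnumValue(key, i)
                    entries[f"{hive}\\{path}::{name}"] = str(value)
        except FileNotFoundError:
            continue  # key not present on this machine
    return entries

def diff_startup(baseline, current):
    """Return startup entries added, changed or removed since the baseline."""
    return {
        "added": {k: v for k, v in current.items() if k not in baseline},
        "changed": {k: (baseline[k], v) for k, v in current.items()
                    if k in baseline and baseline[k] != v},
        "removed": {k: v for k, v in baseline.items() if k not in current},
    }

def shutdown_check(baseline_path, current):
    """Diff current entries against the stored baseline; the first run records it.
    The baseline is never updated automatically: a change must be reviewed first."""
    if not os.path.exists(baseline_path):
        with open(baseline_path, "w", encoding="utf-8") as f:
            json.dump(current, f, indent=2)
        return diff_startup(current, current)
    with open(baseline_path, encoding="utf-8") as f:
        return diff_startup(json.load(f), current)

# Constructed sample snapshots (not taken from a real machine).
SAMPLE_BEFORE = {"HKCU\\Run::Updater": r"C:\Program Files\Example\updater.exe"}
SAMPLE_AFTER = {"HKCU\\Run::Updater": r"C:\Program Files\Example\updater.exe /silent",
                "HKCU\\Run::helper": r"C:\Users\alice\AppData\Roaming\tmp\helper.exe"}

if __name__ == "__main__":
    current = snapshot_run_keys() if sys.platform == "win32" else SAMPLE_AFTER
    print(json.dumps(shutdown_check("startup_baseline.json", current), indent=2))
```

Any entry reported under "added" or "changed" is a candidate for review before the next boot; how the script gets invoked at shutdown is left to the environment.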