Department of Computer Science, University of Virginia
If you are looking for Prof. Evans's seminar site, it is still available at seminar.html.
Modern disk drive processors are capable of general-purpose computation, and this capability can be used to implement malware detection directly on the disk drive. All data flowing to and from the drive must pass through the disk processor, which makes it the final line of defense against malware: it observes the low-level behavior of any virus that wishes to alter data on the host. Disk-level malware detection uses the disk processor to identify threats based on patterns of I/O requests. Read more about the advantages of disk-level malware detection.
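As an added illustration of what "identifying threats based on patterns of I/O requests" can look like at the block level (example code written for this page, not the project's own detector): the rule below flags a burst of read-then-write activity on the leading blocks of several distinct executables within a short window, the footprint a simple file infector leaves as it patches each victim. The detector itself only ever sees logical block addresses; the mapping from blocks to file names is an assumed hint that the host would have to supply, and the traces and the specific pattern are constructed for the example.

```python
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class IORequest:
    t: float   # seconds since trace start (constructed timestamps)
    op: str    # "R" for read, "W" for write
    lba: int   # first logical block address touched
    n: int     # number of consecutive blocks


class ReadModifyWriteDetector:
    """Fires when blocks of at least `threshold` distinct protected files are each
    read and then rewritten within `window` seconds. Illustrative pattern only."""

    def __init__(self, protected, window=2.0, threshold=3):
        self.protected = dict(protected)   # lba -> file name (assumed host-supplied hint)
        self.window = window
        self.threshold = threshold
        self._last_read = {}               # lba -> time of most recent read
        self._rmw = deque()                # (time, file) for each read-then-write seen

    def observe(self, req):
        """Feed one request; return the set of affected files if the pattern fires, else None."""
        for lba in range(req.lba, req.lba + req.n):
            name = self.protected.get(lba)
            if name is None:
                continue                    # unprotected block: ordinary data traffic
            if req.op == "R":
                self._last_read[lba] = req.t
            elif req.op == "W":
                last = self._last_read.get(lba)
                if last is not None and req.t - last <= self.window:
                    self._rmw.append((req.t, name))
        # Drop read-modify-write events that have aged out of the window.
        while self._rmw and req.t - self._rmw[0][0] > self.window:
            self._rmw.popleft()
        hit = frozenset(name for _, name in self._rmw)
        if len(hit) >= self.threshold:
            self._rmw.clear()               # report each burst once
            return hit
        return None


def scan_trace(trace, protected, **kw):
    """Run the detector over a whole trace; return [(time, files)] for each alert."""
    det = ReadModifyWriteDetector(protected, **kw)
    alerts = []
    for req in trace:
        hit = det.observe(req)
        if hit is not None:
            alerts.append((req.t, hit))
    return alerts


# Constructed block-to-file hint: three 4-block executables.
PROTECTED = {}
for base, name in ((100, "a.exe"), (200, "b.exe"), (300, "c.exe")):
    for lba in range(base, base + 4):
        PROTECTED[lba] = name

# Constructed infector trace: read each executable, then patch its first block.
INFECTION_TRACE = [
    IORequest(0.00, "R", 100, 4), IORequest(0.05, "W", 100, 1),
    IORequest(0.10, "R", 200, 4), IORequest(0.15, "W", 200, 1),
    IORequest(0.20, "R", 300, 4), IORequest(0.25, "W", 300, 1),
]

# Constructed benign trace: run two programs, write a new data file, update one executable.
BENIGN_TRACE = [
    IORequest(0.00, "R", 100, 4), IORequest(0.10, "R", 200, 4),
    IORequest(0.30, "W", 400, 8),
    IORequest(1.00, "R", 100, 4), IORequest(1.20, "W", 100, 4),
]

if __name__ == "__main__":
    print("infection:", scan_trace(INFECTION_TRACE, PROTECTED))
    print("benign:   ", scan_trace(BENIGN_TRACE, PROTECTED))
```

The benign trace includes a legitimate update that reads and rewrites every block of one executable; the rule does not fire because it counts distinct files rather than distinct blocks, which is the kind of false-positive trade-off any block-level rule must make explicitly.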
String scanning is the traditional, and still the primary, method of virus detection. However, polymorphic and metamorphic viruses elude these detectors, and it is easy to hand-craft variants of a known virus that evade detection. (Polymorphism and metamorphism automatically alter the code's structure from one generation to the next without changing the virus's behavior.) Emulation was developed in response to these more complex viruses, but it is limited by its high computational cost and its imprecision, and virus authors have since responded with anti-emulation techniques.
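To make the limitation concrete, here is an added example (not code from the original page) that models the three pieces of the paragraph: a string scanner, a polymorphic "generation" that XOR-encodes the virus body under a fresh key so the signature never appears on disk, and the decode step an emulator would have to perform before the signature becomes visible again. The signature, the virus body and the two-byte decoder format are all constructed for the example.

```python
# Constructed signature database: a byte string cut from the constructed virus body.
SIGNATURES = {
    "demo.infector": bytes.fromhex("deadbeefcafebabe4242"),
}

# Constructed "virus body": a header, NOP filler, the bytes the signature came from, a RET.
VIRUS_BODY = b"MZ" + b"\x90" * 4 + SIGNATURES["demo.infector"] + b"\xc3"


def string_scan(sample: bytes, signatures=SIGNATURES) -> list[str]:
    """Classic string scanning: report every signature that occurs verbatim in the sample."""
    return sorted(name for name, sig in signatures.items() if sig in sample)


def polymorphic_variant(body: bytes, key: int) -> bytes:
    """Model of one polymorphic generation: XOR-encrypt the body under a per-generation
    key and prepend a marker byte plus the key (an invented decoder format). The decoded
    behaviour is unchanged; only the bytes the scanner sees differ."""
    if not 1 <= key <= 255:
        # Key 0 is the identity encoding: the signature would survive untouched.
        raise ValueError("key must be in 1..255")
    return bytes([0xEB, key]) + bytes(b ^ key for b in body)


def decode_stub(sample: bytes) -> bytes:
    """What an emulator recovers by running the decoder: strip the marker, undo the XOR.
    A real emulator must execute arbitrary decoder code, which is where the cost and
    the imprecision mentioned above come from; this model handles only the invented format."""
    if len(sample) < 2 or sample[0] != 0xEB:
        return sample
    key = sample[1]
    return bytes(b ^ key for b in sample[2:])


def scan_with_emulation(sample: bytes, signatures=SIGNATURES) -> list[str]:
    """Decode first, then apply the same string scanner."""
    return string_scan(decode_stub(sample), signatures)


def count_evading(body: bytes, keys) -> int:
    """How many generations of `body` the plain string scanner misses."""
    return sum(1 for k in keys if not string_scan(polymorphic_variant(body, k)))


if __name__ == "__main__":
    variant = polymorphic_variant(VIRUS_BODY, 0x5A)
    print("original:        ", string_scan(VIRUS_BODY))
    print("variant:         ", string_scan(variant))
    print("variant, decoded:", scan_with_emulation(variant))
    print("evading keys:", count_evading(VIRUS_BODY, range(1, 256)), "of 255")
```

Every non-zero key produces a generation the string scanner misses, while the decode-then-scan path catches all of them; the difference is the work of running the decoder, which here is a single XOR loop but in real samples is arbitrary code that the emulator must execute faithfully and within a time budget.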
This work is supported by the National Science Foundation Cyber Trust Program ("Disk-Level Malware Detection and Response," NSF 0627527).