Comment How does Sophos do this? (Score 4, Interesting) 133
He tried to open a quarantined file, once with the 'cat' command
and once with vi, as root, and both times Sophos warned him and
prevented him from proceeding. Now, the code for the 'cat'
command is quite simple; it basically just does an open(2)
of the file and then issues a series of read(2) calls. My question
is: Does Sophos actually intercept the system calls in order
to make sure no application opens an infected file? If so,
wouldn't that introduce a HUGE performance penalty on
everything happening on the machine, since these system calls
are so crucial?