5

I think that 32-bit programs cannot look inside 64-bit processes. So I am asking this question out of curiosity.

I am using Windows 7 x64. I do not know about the bitness of the antivirus except that it is installed in C:\Program Files (x86).

Salman A
  • All real-time AV scanners employ kernel drivers to hook into filesystem activity. On 64-bit systems this of course needs a 64-bit kernel driver. – Daniel B Dec 12 '14 at 08:56
  • @DanielB does it mean that 32-bit antivirus won't work on Windows x64? – Salman A Dec 12 '14 at 16:28
  • That depends entirely on what you think a “32-bit AV scanner” is. If you’re referring to one that doesn’t ship 64-bit components at all, then yes, real-time monitoring is impossible. – Daniel B Dec 12 '14 at 22:43

1 Answer

2

It all depends on how the antivirus software works.

32-bit programs might not be able to interoperate directly with running 64-bit processes (other than through the Windows API), but they do still have access to the entire file system, including files containing 64-bit code. So technically yes, a purely 32-bit antivirus could still do its job and identify viruses in 64-bit files via traditional file-scanning techniques.

However...

The fact that an application is installed into C:\Program Files (x86) doesn't actually mean it's 32-bit.

  • You can have 64-bit applications running from C:\Program Files (x86)

  • You can have 32-bit applications running from C:\Program Files.

  • Many applications actually contain a mix of 32-bit and 64-bit files but install to only either C:\Program Files (x86) or C:\Program Files. A good example is VMware Workstation. On my 64-bit system, it installs to C:\Program Files (x86)\VMware\VMware Workstation. The files installed to that location are a mix of 32-bit and 64-bit EXE/DLL files, among other random files.

So what's the name and version of the antivirus software you're running? Chances are good that it does have 64-bit components in there and that they are being used on your 64-bit system.

You can easily check what bitness your background antivirus processes are running as by launching Resource Monitor. You just need to make sure the Platform column is showing (right-click on any column, then click on Select Columns...):

[Image: Resource Monitor]

Look for your antivirus processes in the list and see what bitness they're running as. You might find that the antivirus GUI runs as a 32-bit process, yet the engine itself runs as a 64-bit process. That's pretty common.

Let us know what you discover ;-)

misha256
  • Yes, just noticed that the antivirus' GUI module has a `*32` next to it but the shield module does not. – Salman A Dec 12 '14 at 08:49
  • @SalmanA Ah yes, you're seeing that in Task Manager? Seems like all is well then. On a 64-bit system, processes listed in Task Manager are all 64-bit *except* those with the `*32` suffix (which, as you observed yourself, are the 32-bit ones). – misha256 Dec 12 '14 at 09:15
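
The answer's point that the install folder says nothing about bitness can also be checked per file, without the process running. The following is an added example, not part of the original thread: it reads the Machine field and optional-header magic from a PE header (EXE/DLL). The function names are hypothetical and the two sample headers are constructed for the demonstration.

```python
import struct

# COFF "Machine" values defined by the PE/COFF specification
MACHINES = {0x014C: "x86 (32-bit)", 0x8664: "x64 (64-bit)", 0xAA64: "ARM64 (64-bit)"}
# Optional-header "Magic" values: PE32 is the 32-bit layout, PE32+ the 64-bit one
MAGICS = {0x010B: "PE32", 0x020B: "PE32+"}


def pe_bitness(data):
    """Return (machine, header format) from the leading bytes of an EXE/DLL."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    # e_lfanew (offset 0x3C of the DOS header) points at the "PE\0\0" signature
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)
    if pe_off + 26 > len(data):
        raise ValueError("truncated PE header")
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # The 20-byte COFF header follows the signature; Machine is its first field
    (machine,) = struct.unpack_from("<H", data, pe_off + 4)
    # The optional header follows the COFF header; Magic is its first field
    (magic,) = struct.unpack_from("<H", data, pe_off + 24)
    return (MACHINES.get(machine, "unknown (0x%04X)" % machine),
            MAGICS.get(magic, "unknown (0x%04X)" % magic))


def file_bitness(path):
    """Check a file on disk, e.g. one found under C:\\Program Files (x86)."""
    with open(path, "rb") as fh:
        # The PE header normally sits in the first few KB; a larger e_lfanew
        # is reported as a truncated header rather than guessed at.
        return pe_bitness(fh.read(4096))


def constructed_header(machine, magic):
    """Build a minimal, constructed DOS + PE header for the demonstration."""
    dos = (b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x80)).ljust(0x80, b"\0")
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, 0xF0, 0x22)
    return dos + b"PE\0\0" + coff + struct.pack("<H", magic)


# Constructed samples: a 32-bit GUI module and a 64-bit engine module
SAMPLE_GUI = constructed_header(0x014C, 0x010B)
SAMPLE_ENGINE = constructed_header(0x8664, 0x020B)

if __name__ == "__main__":
    for name, blob in (("gui", SAMPLE_GUI), ("engine", SAMPLE_ENGINE)):
        print(name, pe_bitness(blob))
```
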