Typically, a computer system, which is basically hardware, is functional only once it is paired with an operating system. One such widely used operating system is the Windows system developed by Microsoft.
A 64-bit version of the Windows system is one wherein all the core components and peripheral components are adapted to transmit, receive and work on 64-bit data. This version allows execution of 32-bit applications. This is achieved by using a subsystem which executes the application, viz. WOW64, which stands for Windows on Windows 64-bit. More appropriately, it can be described as the 32-bit Windows subsystem on 64-bit Windows.
Dynamic-link library (DLL) is an implementation of the shared library concept in the Microsoft Windows and OS/2 operating systems. A 32-bit process cannot load a 64-bit DLL and, similarly, a 64-bit process cannot load a 32-bit DLL. As the Windows system folder contains both the installed applications and their DLLs, it must be separated into a native system folder for the 64-bit applications (%windir%\system32) and a WOW64 folder for the 32-bit applications (%windir%\syswow64). Here %windir% is the Windows folder or more specifically Windows installation folder.
Developers often hard code the system folder path name in their application. Therefore, to preserve application compatibility, the 64-bit system folder is still called system32. To enable 32-bit applications that have hard-coded paths to transparently access the WOW64 system directory, the WOW64 layer provides a File System Redirector feature which redirects the 32-bit application's attempts to access (%windir%\system32) to the new WOW64 system directory (%windir%\syswow64).
A device may get infected by a virus through many sources including:
- Floppy/CD/DVD drives: The virus, typically, spreads through the boot sector of these drives.
- Pen drives: The virus spreads through the autorun feature of this drive.
- Network: The virus spreads through network shares.
- Internet: The virus spreads when infected websites are browsed.
A memory scanner should detect a virus which may have spread through any of the above-mentioned media or scenarios.
All accesses made by a WOW64 (32-bit) process to the %windir%\system32 directory are redirected to the %windir%\syswow64 directory. Therefore, with file system redirection enabled, a 32-bit application accesses the same contents for both the system32 and syswow64 directories. File system redirection is enabled for all WOW64 applications by default.
A Windows system includes a core loading means (folder) which includes applications and processes that run on 32-bit operating systems.
Assuming c:\windows is the Windows folder, launch.exe is a 32-bit application that will launch target.exe. Target.exe, which can be a 32-bit or 64-bit application, will be launched from c:\windows\syswow64\. Launch.exe launches target.exe by using the path c:\windows\system32\target.exe. Since launch.exe is a 32-bit application, it will run under WOW64, the path c:\windows\system32\target.exe will get redirected to c:\windows\syswow64\target.exe, and target.exe will run.
Typically, an Anti-Virus system having a memory scanning function has a memory scanning means comprising:
- enumerating means adapted to enumerate running processes;
- defining means adapted to define the file path of the enumerated running processes; and
- scanning means adapted to scan the file obtained at the defined path.
The main issue in the Anti-Virus systems of the prior art lies in the defining means (typically, GetModuleFileNameEx in a Windows system). The defining means gets the file path by which the running process was run and not the actual file path from where the process is running. Hence, in the above example, it fetches the file path c:\windows\system32\target.exe (the file path which was used to run the process) instead of c:\windows\syswow64\target.exe (the actual file path from where the file is running).
Therefore, the 64-bit memory scanning means will scan c:\windows\system32\target.exe instead of c:\windows\syswow64\target.exe and hence skip the actual file. If target.exe is a virus file, then that won't be detected by the memory scanner means. This problem doesn't occur with 32-bit memory scanner means because when it tries to scan c:\windows\system32\target.exe it is automatically redirected to c:\windows\syswow64\target.exe thereby scanning the actual file.
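The blind spot described above can be reproduced with a small model. This is an added example, not code from the patent or from any Anti-Virus product; the `redirect`, `memory_scan` and `blind_spots` helpers, the PIDs, the file contents and the signature are constructed, and the redirector model is simplified to the system32-to-syswow64 mapping the text describes.

```python
import ntpath

WINDIR = r"c:\windows"  # assumed Windows folder, as in the text's example

def redirect(path, caller_is_wow64, windir=WINDIR):
    """Path a caller really opens: WOW64 (32-bit) callers get system32 -> syswow64."""
    norm = ntpath.normpath(path).lower()
    sys32 = ntpath.join(windir, "system32").lower()
    if caller_is_wow64 and (norm == sys32 or norm.startswith(sys32 + "\\")):
        return ntpath.join(windir, "syswow64").lower() + norm[len(sys32):]
    return norm

def memory_scan(processes, files, signatures, scanner_is_wow64):
    """Prior-art loop: open each process's retrieved path and match signatures."""
    hits = []
    for pid, retrieved_path in processes:
        opened = redirect(retrieved_path, scanner_is_wow64)
        data = files.get(opened)
        if data is not None and any(sig in data for sig in signatures):
            hits.append((pid, opened))
    return hits

def blind_spots(processes):
    """PIDs whose retrieved path resolves differently for 32-bit and 64-bit scanners."""
    return [pid for pid, p in processes if redirect(p, True) != redirect(p, False)]

# Constructed sample data: the file that actually runs lives in syswow64.
FILES = {
    r"c:\windows\system32\target.exe": b"MZ clean native file",
    r"c:\windows\syswow64\target.exe": b"MZ ...EXAMPLE-SIGNATURE...",
    r"c:\tools\other.exe": b"MZ clean",
}
# (pid, path returned by the defining means), i.e. the path used to launch.
PROCESSES = [
    (4242, r"c:\windows\system32\target.exe"),  # started by 32-bit launch.exe
    (5150, r"c:\tools\other.exe"),
]
SIGNATURES = [b"EXAMPLE-SIGNATURE"]

if __name__ == "__main__":
    print("32-bit scanner:", memory_scan(PROCESSES, FILES, SIGNATURES, True))
    print("64-bit scanner:", memory_scan(PROCESSES, FILES, SIGNATURES, False))
    print("paths needing re-resolution:", blind_spots(PROCESSES))
```

The 64-bit run returns no hits because it opens the clean system32 copy, while `blind_spots` lists the processes whose retrieved path a native scanner should not trust as-is.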
A detailed flow of events in an Anti-Virus system of the prior art is illustrated in FIG. 1 and described herein below.
In accordance with a system of the prior art, an Anti-Virus system comprises:
- an invoking means IVM that invokes a memory scan feature using a user interface;
- an enumerating means EM that enumerates all running processes, the result of the enumeration being returned in the form of a list of the Process Identifiers or ProcessIds;
- a selection means SLM that selects a ProcessId from the list generated by the enumerating means EM;
- a handling means HM that provides a handle for opening the selected process;
- a retrieving means RM that retrieves and defines the file path of the selected process in MS DOS path format;
- a scanning means SCM that scans the file obtained at the defined path using the virus database which stores a plurality of virus signatures;
- an iteration means ITM that continues the steps starting from selecting a ProcessId from the list generated by the enumerating means EM up to scanning until each and every ProcessId has been selected at least once.
The retrieving means RM used in the Anti-Virus systems known in the art uses the GetModuleFileNameEx function for retrieving the file path. Thus the file path retrieved is the file path that is used to run the process and not the actual file path of the running process.
Several attempts have been made to make the Anti-virus systems known in the art more efficient. For instance, U.S. Pat. No. 6,802,028 discloses an interface that provides a first access path to the storage medium and a detector that provides a second access path to the storage medium and an analyzing step that detects a virus by identifying an inconsistency between storage locations accessed using the two paths and removing means to remove the virus from the computer system.
Furthermore, US Patent Application 2006/0265749 discloses a method to scan and remove viruses present in thread areas. It searches a list of threads associated with the infected process, and scans and disinfects the searched file, wherein the scanning for infection and the disinfection procedure are carried out for thread areas of the memory.
Again, US Patent Application 2009/0038011 discloses a method which comprises the steps of storing the executable file with the stored information, determining via the detection module whether there is any difference between the executable file and the stored information and replacing the removal executable file with the copy of the malware free executable file.
Although attempts including those mentioned herein above have improved the working of Anti-Virus systems, there is still a need for a system that can provide accurate protection for systems with 64-bit editions of operating systems.