I consider myself reasonably familiar with the APIs that ship with Windows and I'm surprised whenever I come across some new API that I had never heard of before.

In a lunch discussion with Aarthi yesterday, I mentioned Firefox 3's virus scanning. Browsers have done this in the past (IE7 does it silently and prompts if it finds something evil), but seeing the explicit notification gave me a sense of security.


We got into a debate over how Firefox must have implemented it. My first guess was that Firefox must be using some online service which checks URLs - this would be similar to how all modern browsers support anti-phishing. However, that doesn't make sense when you consider how compute-intensive virus scanning is. Doing it as a service for a popular browser would be a non-trivial effort.

I did some digging later and found this Bugzilla bug which pointed me to the right path. It turns out that Windows has *2* in-built APIs to scan files for viruses. Relatively unknown (at least to me), they wrap around the installed virus scanner.

The first one is IOfficeAntiVirus and the other is IAttachmentExecute. IAttachmentExecute, which is supported on XP SP2 and upwards (and is used by IE6 and 7), does a lot of magic behind the scenes - from supporting NTFS alternate streams to enumerating the installed virus scanners for you.
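
The alternate-stream side of this is visible after the fact: a file saved through the Attachment Manager carries a `Zone.Identifier` alternate data stream recording the zone it came from. The following is an added example, not part of the original post or of any browser's code, that parses that stream for triage; the sample stream, the helper names and the "zone 3 or higher is untrusted" rule are assumptions of the example.

```python
import configparser

# Windows URL security zone numbers (URLZONE values).
ZONES = {0: "Local Machine", 1: "Local Intranet", 2: "Trusted Sites",
         3: "Internet", 4: "Restricted Sites"}

def parse_zone_identifier(text):
    """Parse Zone.Identifier stream text; return a dict, or None if malformed."""
    # URLs may contain '%', so interpolation must be off; only '=' delimits.
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   delimiters=("=",))
    try:
        cp.read_string(text.lstrip("\ufeff"))
        section = cp["ZoneTransfer"]
        zone_id = int(section["ZoneId"].strip())
    except (configparser.Error, KeyError, ValueError):
        return None
    return {
        "zone_id": zone_id,
        "zone": ZONES.get(zone_id, "Unknown"),
        # Newer Windows builds also record where the download came from.
        "referrer": section.get("ReferrerUrl"),
        "host": section.get("HostUrl"),
    }

def is_untrusted(info):
    """Triage rule (an assumption of this example): malformed or zone >= 3."""
    return info is None or info["zone_id"] >= 3 or info["zone"] == "Unknown"

def read_stream(path):
    """Read the stream from an NTFS file on Windows; None if it has none."""
    try:
        with open(path + ":Zone.Identifier", encoding="utf-8",
                  errors="replace") as f:
            return f.read()
    except OSError:
        return None

# Constructed sample: the kind of stream a browser download carries.
SAMPLE = ("[ZoneTransfer]\r\nZoneId=3\r\n"
          "ReferrerUrl=https://example.invalid/downloads/\r\n"
          "HostUrl=https://example.invalid/files/report%20final.zip\r\n")

if __name__ == "__main__":
    info = parse_zone_identifier(SAMPLE)
    print(info, "untrusted:", is_untrusted(info))
```

`read_stream` only works on Windows with an NTFS volume; the parser itself runs anywhere on stream text collected during an investigation.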

I'm amazed at the breadth of APIs you find across Windows!

