I noticed KIS occasionally makes SQL calls to MS SQL Server. It sends a SELECT for each database on the server looking for rows from sys.assemblies. I’m assuming it’s able to access MSSQL and the databases using the elevated permissions granted to the KIS app. I can understand anti-virus apps checking the CLR assemblies for malware, but this approach via SQL seems unusual to me.
Can anyone provide any insight on this?
Best answer by Wesly.Zhang
From my friend: he said there is a SQL Server Transact-SQL non-file attack that could use SQL sys.assembly_files to store malicious content. The ExecCode id points to malicious content in the sys.assembly_files table. So the avp scan uses this way to search for threats in SQL Server. This is correct.
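
For administrators who want to see what such a scan has to look at, the following T-SQL is an added example (not part of the original thread and not Kaspersky's actual query). It inventories user-defined CLR assemblies and the binary content stored in sys.assembly_files for every accessible database. It assumes SQL Server 2016 or later, so that HASHBYTES accepts inputs over 8000 bytes; the temp table name is hypothetical.

```sql
-- Added example: list user-defined CLR assemblies and a hash of their stored
-- binaries in each database. #clr_inventory is a hypothetical name.
SET NOCOUNT ON;

CREATE TABLE #clr_inventory (
    database_name   sysname,
    assembly_name   sysname,
    permission_set  nvarchar(60),
    create_date     datetime,
    modify_date     datetime,
    file_name       nvarchar(260),
    content_bytes   bigint,
    content_sha256  varbinary(32),
    bound_modules   int   -- CLR procedures, functions and triggers using it
);

DECLARE @db sysname, @sql nvarchar(max);

DECLARE db_cursor CURSOR LOCAL FAST_FORWARD FOR
    SELECT name FROM sys.databases
    WHERE state_desc = N'ONLINE' AND HAS_DBACCESS(name) = 1;

OPEN db_cursor;
FETCH NEXT FROM db_cursor INTO @db;
WHILE @@FETCH_STATUS = 0
BEGIN
    -- QUOTENAME guards against odd characters in database names.
    SET @sql = N'USE ' + QUOTENAME(@db) + N';
        INSERT INTO #clr_inventory
        SELECT DB_NAME(), a.name, a.permission_set_desc,
               a.create_date, a.modify_date, f.name,
               DATALENGTH(f.content), HASHBYTES(''SHA2_256'', f.content),
               (SELECT COUNT(*) FROM sys.assembly_modules AS m
                 WHERE m.assembly_id = a.assembly_id)
        FROM sys.assemblies AS a
        JOIN sys.assembly_files AS f ON f.assembly_id = a.assembly_id
        WHERE a.is_user_defined = 1;';
    EXEC sys.sp_executesql @sql;
    FETCH NEXT FROM db_cursor INTO @db;
END
CLOSE db_cursor;
DEALLOCATE db_cursor;

SELECT * FROM #clr_inventory
ORDER BY database_name, assembly_name, file_name;
DROP TABLE #clr_inventory;
```

Comparing content_sha256 and modify_date against a known-good baseline shows when an assembly's stored binary has changed or a new one has appeared.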