I have looked at a few other questions related to this but nothing specifically answered what I was wondering about.

Say, for example, you have a server that is infected with a PHP shell such as c99. I have googled around and seen scripts that remove shells named r57, c99, etc. So my question is: is the only way these scripts catch the shells by looking for common shell names? If so, couldn't someone just recode it using alternative names? I understand you can also use ClamAV to find shells, but is catching shells limited to just this? Is there something like a Windows AV that looks at files that are acting out of the ordinary, etc.?

Thank you so much for any form of input.

John
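An added example, not part of the original post: a small scanner that runs a filename check and a content check over the same constructed files, so the difference the question asks about is visible. The content rules, the file names and the inert sample payload are assumptions chosen for illustration; they are not ClamAV signatures or the logic of any particular removal script.

```python
import re
import tempfile
from pathlib import Path

# Names the removal scripts mentioned in the question look for.
KNOWN_NAMES = {"c99.php", "r57.php"}

# Illustrative content heuristics (assumptions, not ClamAV signatures):
# code evaluated after decoding, and command functions fed request input.
CONTENT_RULES = [
    re.compile(rb"eval\s*\(\s*(base64_decode|gzinflate|str_rot13)\s*\(", re.I),
    re.compile(rb"(system|passthru|shell_exec)\s*\(\s*\$_(GET|POST|REQUEST|COOKIE)", re.I),
]

# Constructed, inert samples: the decoded payload is just "...".
INERT = b"<?php eval(base64_decode('Li4u')); ?>"
SAMPLES = {
    "c99.php": INERT,                   # known name, suspicious content
    "uploads/cache-helper.php": INERT,  # same content under another name
    "index.php": b"<?php echo 'hello'; ?>",
}

def build_sample_tree(root: Path) -> None:
    """Write the constructed sample files under root."""
    for rel, body in SAMPLES.items():
        path = root / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(body)

def scan_by_name(root: Path) -> set:
    """Flag PHP files whose file name is on the known-name list."""
    return {p.relative_to(root).as_posix()
            for p in root.rglob("*.php") if p.name.lower() in KNOWN_NAMES}

def scan_by_content(root: Path) -> set:
    """Flag PHP files whose bytes match any content rule, whatever the name."""
    return {p.relative_to(root).as_posix()
            for p in root.rglob("*.php")
            if any(rule.search(p.read_bytes()) for rule in CONTENT_RULES)}

def demo():
    """Scan a temporary tree both ways; return (name hits, content hits)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_tree(root)
        return scan_by_name(root), scan_by_content(root)

if __name__ == "__main__":
    by_name, by_content = demo()
    print("name match:   ", sorted(by_name))
    print("content match:", sorted(by_content))
```

Static content rules like these still depend on the patterns chosen, so they are one layer among others rather than a complete check.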

0 Answers