That's different to analysing the packets as they come through a firewall though, cos you're in effect analysing on the fly and that would require quick processors and even quicker access to pattern files,

if you think that a virus scan on a local computer can take upwards of 15 minutes, do you really want to have all your zips/exes/com files you download begin 15 minutes after you first requested them? That might be acceptable if you're downloading files overnight.

Although if you had a library full of patterns of viruses in transit as string text, to match against that would take a long time depending on quickness of the search, maybe by holding the strings in RAM, I think you could do this with 1GB of RAM.

I think some clever modification of something like Ethereal would work.

What happens if the virus is inside a zip file? It's failed then, and for every other way of transporting it (zip, rar, bound to an image) you're gonna change the pattern.

i2c
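
The in-transit matching discussed in the post above, as an added example that is not part of the original post: every pattern is held in RAM in one Aho-Corasick automaton (a technique chosen here, not one the post names), so each packet is scanned in a single pass and a pattern split across two packets is still caught, while the same bytes inside a zip no longer match. The signatures, payload and function names are constructed for illustration.

```python
import io
import zipfile
from collections import deque

# Constructed, harmless byte strings standing in for virus patterns and a download.
SIGNATURES = {b"FAKE-SIG-ALPHA-0001": "alpha", b"FAKE-SIG-BETA-0002": "beta"}
PAYLOAD = b"constructed file: " + b"FAKE-SIG-ALPHA-0001" + b" padding" * 8

class StreamScanner:
    """Aho-Corasick automaton kept in RAM; match state survives packet boundaries."""
    def __init__(self, signatures):
        self.goto, self.out, self.state = [{}], {}, 0
        for pattern, name in signatures.items():
            node = 0
            for byte in pattern:
                if byte not in self.goto[node]:
                    self.goto[node][byte] = len(self.goto)
                    self.goto.append({})
                node = self.goto[node][byte]
            self.out.setdefault(node, []).append(name)
        self.fail = [0] * len(self.goto)
        queue = deque(self.goto[0].values())
        while queue:  # breadth-first pass fills in failure links
            node = queue.popleft()
            for byte, child in self.goto[node].items():
                link = self.fail[node]
                while link and byte not in self.goto[link]:
                    link = self.fail[link]
                self.fail[child] = self.goto[link].get(byte, 0)
                self.out[child] = self.out.get(child, []) + self.out.get(self.fail[child], [])
                queue.append(child)

    def feed(self, packet):  # one pass over the payload, returns names matched
        hits = []
        for byte in packet:
            while self.state and byte not in self.goto[self.state]:
                self.state = self.fail[self.state]
            self.state = self.goto[self.state].get(byte, 0)
            hits.extend(self.out.get(self.state, []))
        return hits

def scan(chunks):  # feed packet payloads in order through one scanner
    scanner = StreamScanner(SIGNATURES)
    return [name for chunk in chunks for name in scanner.feed(chunk)]

def zipped(payload):  # the same bytes, deflate-compressed inside a zip
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as archive:
        archive.writestr("sample.bin", payload)
    return buf.getvalue()
```

Scan time grows with the number of bytes on the wire rather than with the number of patterns; the zip case returns no hits because the compressed stream never contains the raw pattern bytes.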