[comp.sys.ibm.pc] Write protect for hard drive

jca@pnet01.cts.com (John C. Archambeau) (05/25/90)

guevin@hq.af.mil (P.R.Guevin) writes:
>I have a system which is in a rather public area.  Quite a lot of people
>use it.  As a result, there is quite a potential for problems.
>
>What I am looking for is anything that can write protect a hard-drive
>on a DOS based PC.
>
>Does anyone know of anything that will work (hardware and/or software)?

The only thing I can think of is a shareware program called HDSENTRY.  What it
does is disable the interrupt for all writes to the hard drive.  It beeps and
prints a message every time a write to a hard drive is attempted.  Only way out
of HDSENTRY is to reboot.  This works fine from DOS.  I don't know if the
program is available anymore.  Check simtel20.arpa to see if they still have
it in their archives.  Only other option is to write your own program that
will disable DOS writes to a hard drive.
 
     // JCA

 /*
 **--------------------------------------------------------------------------*
 ** Flames  : /dev/null                     | Small memory model only for
 ** ARPANET : crash!pnet01!jca@nosc.mil     | Unix?  Get the (*bleep*) out
 ** INTERNET: jca@pnet01.cts.com            | of here!
 ** UUCP    : {nosc ucsd hplabs!hd-sdd}!crash!pnet01!jca
 **--------------------------------------------------------------------------*
 */

mathrich@mthvax.cs.miami.edu (Rich Winkel) (05/26/90)

There is a way to do it in hardware, although I've never tried it myself:
The signals in question are called 'write gate' and 'write fault'.  The
first is signalled by the disk controller to tell the drive to enable the
write circuitry, the second is signalled by the disk to tell the controller
that the write failed.  On an XT, write-gate is wire 6 on connector J1,
write-fault is wire 12 on J1.  The idea is to wire a switch between the
controller and drive so that, in the normal position, these lines run
straight through, and in the protected position, the WG line from the
controller is connected to the WF line from the controller, the WG line from
the drive is grounded, and the WF line from the drive is disconnected.  For
this you need a triple pole double throw toggle switch wired like so:

Drive side			Controller side

	_________________
	|		|
	x	x\	x
_________	  \
WG	|	   \		WG
	x	x   \	x----------
________________|    \
WF		      \		WF
	x	x      \x----------
	|
	|
     -------
      -----
       ---
	-
	
The x's are the solder lugs on the back of the switch.  The up position
would be normal, down would be protected.  (the inverted triangle under the
lower left 'x' means 'grounded'.  A convenient ground on the XT is line 1 on
connector J1)

Like I said, I've never done it, but I've been told it works, and it looks
right on paper :-).

Rich

frisk@rhi.hi.is (Fridrik Skulason) (05/27/90)

Forget about software solutions - they are not 100 % reliable.  There are
many programs out there that claim to be able to write-protect hard disks,
HDSENTRY is an example, but they just don't work.


-- 
Fridrik Skulason      University of Iceland  |       
Technical Editor of the Virus Bulletin (UK)  |  Reserved for future expansion
E-Mail: frisk@rhi.hi.is    Fax: 354-1-28801  |   

dave@compnect.UUCP (Dave Ratcliffe) (05/29/90)

In article <1733@krafla.rhi.hi.is>, frisk@rhi.hi.is (Fridrik Skulason) writes:
> Forget about software solutions - they are not 100 % reliable.  There are
> many programs out there that claim to be able to write-protect hard disks,
> HDSENTRY is an example, but they just don't work.

  Agreed.... ANY software write protect can be spoofed around with a
little dedicated hacking. 

 Here's something to check for though.... SOME hard drives come with a
write protect capability built in. All the user need do is move a jumper
on the logic card. We are running 2 Maxtor 1100 series drives on a Unix
system and BOTH have this capability. A quick call to the manufacturer
should determine if the drive in question has this option. 

         *>> Dave <<*

[------: Dave Ratcliffe :--------:-: 2832 Croyden Rd. Harrisburg Pa. 17104 :-] 
:   dave@compnect.uucp    -or-   :           The Data Factory BBS            :
:   uunet!wa3wbu!compnect!dave   :   Data: (717)657-4997 - (717)657-4992     :
[................................:...........................................]

georgen@gpu.utcs.utoronto.ca (G. Ng) (05/30/90)

In article <1733@krafla.rhi.hi.is> frisk@rhi.hi.is (Fridrik Skulason) writes:
>Forget about software solutions - they are not 100 % reliable.  There are
>many programs out there that claim to be able to write-protect hard disks,
>HDSENTRY is an example, but they just don't work.

What is it about HDSentry that makes it not 100% reliable?  I've been using
it on my PC and it works fine for me.  Do you mean that certain viruses or
trojans are able to circumvent HDSentry's protection scheme?  Hmm...
-- 
George Ng (Univ. of Toronto, Comp Sci)        |"Sure, I would like Canadian
HOME: uunet!mnetor!{becker,hybrid}!spocom!gng | winters too - if it weren't
WORK: georgen@gpu.utcs.utoronto.ca            | for the weather..."

jfbruno@rodan.acs.syr.edu (John Bruno) (05/30/90)

In article <1990May29.192755.7817@gpu.utcs.utoronto.ca> georgen@gpu.utcs.utoronto.ca (G. Ng) writes:
 >In article <1733@krafla.rhi.hi.is> frisk@rhi.hi.is (Fridrik Skulason) writes:
 >>Forget about software solutions - they are not 100 % reliable.  There are
 >>many programs out there that claim to be able to write-protect hard disks,
 >>HDSENTRY is an example, but they just don't work.
 >
 >What is it about HDSentry that makes it not 100% reliable?  I've been using
 >it on my PC and it works fine for me.  Do you mean that certain viruses or
 >trojans are able to circumvent HDSentry's protection scheme?  Hmm...
 >-- 
 >George Ng (Univ. of Toronto, Comp Sci)        |"Sure, I would like Canadian
 >HOME: uunet!mnetor!{becker,hybrid}!spocom!gng | winters too - if it weren't
 >WORK: georgen@gpu.utcs.utoronto.ca            | for the weather..."  

You can't trust these things because someone can just stick a floppy disk
in drive A: and boot it, thereby overriding your software level protection.

---jb

frisk@rhi.hi.is (Fridrik Skulason) (05/30/90)

In article <1990May29.192755.7817@gpu.utcs.utoronto.ca> georgen@gpu.utcs.utoronto.ca (G. Ng) writes:
>What is it about HDSentry that makes it not 100% reliable?  I've been using
>it on my PC and it works fine for me.  Do you mean that certain viruses or
>trojans are able to circumvent HDSentry's protection scheme?  Hmm...

That is just what I mean.  In my virus collection (which now contains over
100 different PC viruses) there are three or four that are able to write to
the hard disk, even if a "write-protecting" interrupt monitoring program like
HDSENTRY is installed, as they simply jump directly into ROM.  I have a program
that is also able to stop those viruses, but it too could easily be
circumvented if the virus writer knew just what method was used.


-- 
Fridrik Skulason      University of Iceland  |       
Technical Editor of the Virus Bulletin (UK)  |  Reserved for future expansion
E-Mail: frisk@rhi.hi.is    Fax: 354-1-28801  |   

fyl@ssc.UUCP (Phil Hughes) (05/31/90)

Guess the summary says it all.  Of course, I assume you are running
UNIX on the PC.
-- 
Phil Hughes, SSC, Inc. P.O. Box 55549, Seattle, WA 98155  (206)FOR-UNIX
     uunet!pilchuck!ssc!fyl or attmail!ssc!fyl            (206)527-3385

georgen@gpu.utcs.utoronto.ca (G. Ng) (05/31/90)

In article <3554@rodan.acs.syr.edu> jfbruno@rodan.acs.syr.edu (John Bruno) writes:
>You can't trust these things because someone can just stick a floppy disk
>in drive A: and boot it, thereby overriding your software level protection.

Thanks for the info.  I also received numerous replies through email about
why HDSentry (and probably other similar software-based write protect prgs)
doesn't necessarily work.  It all came down to the fact that software can 
defeat software.  I'm sorry that I don't remember all the names of the people
that replied through email but you know who you are :-)  Thanks again for
clearing things up.
-- 
George Ng (Univ. of Toronto, Comp Sci)        |"Sure, I would like Canadian
HOME: uunet!mnetor!{becker,hybrid}!spocom!gng | winters too - if it weren't
WORK: georgen@gpu.utcs.utoronto.ca            | for the weather..."

it1@ra.MsState.Edu (Tim Tsai) (05/31/90)

> Thanks for the info.  I also received numerous replies through email about
> Why HDSentry (and probably other similar software-based write protect prgs)
> doesn't necessarily work.  It all came down to the fact that software can 
> defeat software.
> -- 
> George Ng (Univ. of Toronto, Comp Sci)        |"Sure, I would like Canadian

    A friend runs a password type program on his hard drive (it's either
shareware or public domain, I can't remember).  This program actually
scrambles the FAT table, so booting from the floppy drive would not do
any good.  The only solution I can think of to crack his system is to trace
the device driver (the program is loaded via config.sys), which I suspect
is very tricky.  He found it in one of the local bulletin boards.  Send me
e.mail and I'll find out what the name of the program is and maybe where
to find it.  Note that I wouldn't trust my computer with something like this.
What happens if you lose power WHILE it's scrambling the FAT table?????
I shudder to think.  (I guess the program can keep a copy of the FAT somewhere,
but that probably defeats the purpose.  I also suspect that something like
Norton Utilities wouldn't work if his hard drive happened to crash).  If I
ever have to lock out access to my computer, hardware is definitely the
only way to do it.

-- 
  Tim Tsai
  it1@ra.msstate.edu

jca@pnet01.cts.com (John C. Archambeau) (06/01/90)

georgen@gpu.utcs.utoronto.ca (G. Ng) writes:
>In article <1733@krafla.rhi.hi.is> frisk@rhi.hi.is (Fridrik Skulason) writes:
>>Forget about software solutions - they are not 100 % reliable.  There are
>>many programs out there that claim to be able to write-protect hard disks,
>>HDSENTRY is an example, but they just don't work.
>
>What is it about HDSentry that makes it not 100% reliable?  I've been using
>it on my PC and it works fine for me.  Do you mean that certain viruses or
>trojans are able to circumvent HDSentry's protection scheme?  Hmm...

The only way for it to get around HDSENTRY would be to restore the hard drive
write interrupt and the trojan/virus would have to be intelligent enough to
know that the interrupt has been bypassed.  Sorry, but I think such software
solutions do work, especially if they intercept interrupts.
 
     // JCA

 /*
 **--------------------------------------------------------------------------*
 ** Flames  : /dev/null                     | Small memory model only for
 ** ARPANET : crash!pnet01!jca@nosc.mil     | Unix?  Get the (*bleep*) out
 ** INTERNET: jca@pnet01.cts.com            | of here!
 ** UUCP    : {nosc ucsd hplabs!hd-sdd}!crash!pnet01!jca
 **--------------------------------------------------------------------------*
 */

frisk@rhi.hi.is (Fridrik Skulason) (06/01/90)

>>I write:
>>>Forget about software solutions - they are not 100 % reliable.

In article <2935@crash.cts.com> jca@pnet01.cts.com (John C. Archambeau) writes:
>The only way for it to get around HDSENTRY would be to restore the hard drive
>write interrupt and the trojan/virus would have to be intelligent enough to
>know that the interrupt has been bypassed.  Sorry, but I think such software
>solutions do work, especially if they intercept interrupts.

They don't work, even if they intercept interrupts.  Many "write-protecting"
programs only intercept INT 13, but it is easy to write to the
hard disk without using INT 13, so monitoring it won't help.  As a matter of
fact, there are two or three Bulgarian viruses able to do it already.

-frisk


-- 
Fridrik Skulason      University of Iceland  |       
Technical Editor of the Virus Bulletin (UK)  |  Reserved for future expansion
E-Mail: frisk@rhi.hi.is    Fax: 354-1-28801  |   
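
[Added example, not part of any post in this thread.] The argument above, that a guard sitting on the interrupt vector only governs callers that go through the vector, can be shown with a toy model in C that performs no real disk I/O. The function and variable names are hypothetical; the AH=02h/03h/05h function codes, the DL >= 80h hard-disk convention and status 03h (write-protected) are the standard INT 13h ones.

```c
/* Toy model (no real disk I/O): an INT 13h-style vector slot that a
 * write-protect guard hooks. All names here are hypothetical. */
#include <stdio.h>
#include <stdint.h>

typedef struct { uint8_t ah, dl; int carry; } Regs; /* function, drive, error flag */
typedef void (*Handler)(Regs *);

static int sectors_written;   /* stands in for the platter */
static Handler vector_13h;    /* the one slot a guard can patch */
static Handler chained;       /* guard's saved copy of the old vector */

/* Stand-in for the ROM BIOS disk service: AH=02h read, AH=03h write. */
static void rom_disk_service(Regs *r) {
    if (r->ah == 0x03) sectors_written++;
    r->ah = 0x00; r->carry = 0;          /* success */
}

/* Guard: refuse write (03h) and format (05h) on hard disks (DL >= 80h). */
static void guard(Regs *r) {
    if ((r->dl & 0x80) && (r->ah == 0x03 || r->ah == 0x05)) {
        r->ah = 0x03; r->carry = 1;      /* BIOS status 03h: write-protected */
        return;
    }
    chained(r);                          /* everything else passes through */
}

static void install_guard(void) { chained = vector_13h; vector_13h = guard; }

/* Returns 1 if a hard-disk write request entering at `entry` reached the disk. */
static int write_reaches_disk(Handler entry) {
    int before = sectors_written;
    Regs r = { 0x03, 0x80, 0 };          /* write to first hard disk */
    entry(&r);
    return sectors_written != before;
}

/* Audit: compare the hooked path with the un-hooked service entry. */
static int audit(int *via_vector, int *via_direct) {
    sectors_written = 0;
    vector_13h = rom_disk_service;
    install_guard();
    *via_vector = write_reaches_disk(vector_13h);
    *via_direct = write_reaches_disk(rom_disk_service);
    return *via_vector || *via_direct;   /* 1 = protection is incomplete */
}

int main(void) {
    int v, d, incomplete = audit(&v, &d);
    printf("via vector: %d, direct entry: %d, incomplete: %d\n", v, d, incomplete);
    return 0;
}
```

The guard is only as strong as the set of entry points it covers, which is why the hardware write-gate switch and drive jumper described earlier in the thread enforce the policy below anything software can reach.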

pnl@hpfinote.HP.COM (Peter Lim) (06/03/90)

WAIT A MINUTE !!!   WHAT ARE WE DISCUSSING HERE  !!!!!??????

I thought the original intent is to WRITE protect the hard disk so that
no program (especially virus) can write to the hard disk.

Now, in my opinion, a program like (what's the name) which write-protects
the hard disk behaves like a virus in itself --- scrambles the FAT, and
allows you only to write to disk through that program. If that program
ever crashes, your hard disk is history. Don't even think about recovering
it with things like NORTON's.

A non-sophisticated virus only needs to know how to by-pass that program
and trash your disk. It doesn't need to know how to handle your disk
properly  :-).  So, this stuff is pretty much useless against a virus.
Sounds more like a hindrance to normal programs. I know of someone who
used something similar and had to reformat his hard disk 3 times
because he had forgotten the password  :-(.

Why don't we try a hardware approach ? Find the WRITE line in your
hard disk cable, cut it and insert a simple switch to disable it at
the flick of a switch. This ought to be bullet-proof as long as you
can ensure that nothing strange happens the moment you flick the switch.
Of course, before doing this, do a full backup of your disk, then if
you make a total boo-boo, you only need to replace the cable  :-).

To think of installing a virus on my computer ??? Remember the bad old
days of protected software which encrypts something on your hard disk
to ensure that only one copy is installed at any one time ? Ended up
with lots of disgusted users who trashed their hard disk and found that
they can't install the program again  :-).

Just a .02 dollars' thought.


Regards,                       ## Life is fast enough as it is ........
Peter Lim.                     ## .... DON'T PUSH IT !!          >>>-------,
                               ########################################### :
E-mail:  plim@hpsgwg.HP.COM     Snail-mail:  Hewlett Packard Singapore,    :
Tel:     (065)-279-2289                      (ICDS, ICS)                   |
Telnet:        520-2289                      1150 Depot Road,           __\@/__
  ... also at: pnl@hpfipnl.HP.COM            Singapore   0410.           SPLAT !

jca@pnet01.cts.com (John C. Archambeau) (06/03/90)

frisk@rhi.hi.is (Fridrik Skulason) writes:
>They don't work, even if they intercept interrupts.  Many "write-protecting"
>programs only intercept INT 13, but it is easy to write to the
>hard disk without using INT 13, so monitoring it won't help.  As a matter of
>fact, there are two or three Bulgarian viruses able to do it already.

I stand corrected.  After the explanation of how a trojan/virus bypasses the
interrupt, I can easily see how it would work.  The only connection that I
couldn't quite make (which was explained to me in e-mail) is how the virus
gets the address for the far write call.

That's the problem with not using DOS or only using it under DOSWindows or
VP/ix.  You forget so easily that you can get around an interrupt vector.

To your knowledge, will any of these trojan/viruses function as the author
intended under Unix applications such as DOSMerge or VP/ix?  My instinct about
it is no since they're applications under a protected mode OS, but I would
like to hear from somebody with experience in this matter.

And what about situations such as the user who uses Concurrent DOS or
PC-MOS?  Are those of us who run DOS sessions that run in virtual 8086 mode
safe from these MS-DOS viruses or are these trojan/virus writers starting to
venture into that area?

My initial answer, personally, is inclined to be no since the virus has to
bypass the protection that the 80386[DS]X gives you.  It is probably possible
to get around the protection if you know the OS well enough, but from what
I've read on the 386 thus far, it would not be easy.
 
     // JCA

 /*
 **--------------------------------------------------------------------------*
 ** Flames  : /dev/null                     | Small memory model only for
 ** ARPANET : crash!pnet01!jca@nosc.mil     | Unix?  Get the (*bleep*) out
 ** INTERNET: jca@pnet01.cts.com            | of here!
 ** UUCP    : {nosc ucsd hplabs!hd-sdd}!crash!pnet01!jca
 **--------------------------------------------------------------------------*
 */