sobiloff@thor.acc.stolaf.edu (Blake Sobiloff) (03/20/89)
Sorry to take up bandwidth with this, but I can't seem to get any mail to Chris Johnson, the author of GateKeeper. The address I've tried is: chris@au-emx.UUCP and it always bounces back with the message that emx is not a valid site. Does anyone have a working address? Thanx

-- 
* Blake "Hey, where's *MY* fancy footer?" Sobiloff *
* "Meet me in a restaurant..." or call me at- *
* sobiloff@thor.acc.stolaf.edu *
ajauch@bonnie.ics.uci.edu (Alexander Edwin Jauch) (11/30/89)
In response to the question (#24755) about virus watchdogs, have you tried using the SUM package? It does allow you to "allow", "deny" or "learn" a resource modification. It seems to work fairly well. At least, I have had no successful invasions of my system while using it (which means nothing of course).

Disclaimer: I have no ties to Symantec other than user.

Alex Jauch
UCI, AIS
Quick: ajauch@bonnie.ics.uci.edu
Dirty: eaiu078@orion.ics.uci.edu
dplatt@coherent.com (Dave Platt) (12/13/89)
In article <4227@sbcs.sunysb.edu> vallon@sbmiclr.cs.sunysb.edu (Justin Vallon) writes:
> My original suggestion was to have a new privilege for "Code"-containing
> resources, and "Safe" resources. This way, we could give almost everybody
> "Safe" privileges without worrying, and "Code" resources to only certain
> programs (F/DA Mover, Compilers, ResEdit, etc).

GateKeeper already works this way. It maintains a list of resource-types which can contain code, and resource-types known to be viral (e.g. "nVIR"). It vetoes attempts to store code-containing resources by any program which doesn't have the necessary permissions. Resources that aren't on the "contains code" or "is viral" lists are not subject to GateKeeper veto. Period.

The same is true of Vaccine; I believe that it's also true of SAM Intercept, the Virex INIT, and perhaps others.

It would make no sense at all for any antiviral INIT to veto all resource changes by unapproved applications. This would break a LARGE number of perfectly valid applications... every text-file editor in the world, for example, and the Chooser, and the LaserWriter driver, and so forth. I have never heard of any INIT which tried to block all resource changes.

> I have a question. Does GateKeeper only intercept calls to resource
> modifications of code-containing resources, or all resources?

It intercepts them all. It vetoes only those that could contain code or are known to be viral.

> If GateKeeper
> only traps code-containing resource modifications, then why is it necessary
> to give the Finder Res/Other privileges?

It isn't. You must give the Finder File/Other permission, so that the Finder can create and copy applications, INIT files, Control Panel files, and so forth. The help-info states specifically that the Finder should not be granted Res privileges... it does not need them.

> I was under the impression that
> GateKeeper traps all resource modifications, hence the necessity for Res/
> Other privileges for the Finder.

See above.

> Unfortunately, I don't think the documentation gives any indication about
> (a) whether it traps all resources, or (b) if not all, then the ones that
> it does trap.

The online Help info states that the Res privilege "... is concerned with... resources in which the component(s) of a program are stored. Operations on other types of resources are not controlled". It also describes (under "Advanced configuration") how to examine and modify the list of resource-types in the "contains code" and "known to be viral" categories, as well as the list of file-types ("APPL", etc.) that are known to contain code.

Perhaps you might read through GateKeeper's on-line help info? It's quite good, and describes the GateKeeper design approach in excellent detail (without giving away details of how GateKeeper is implemented... which is very much as it should be!)

A handful of informed knowledge is worth a bushel of uninformed speculation...

-- 
Dave Platt                                             VOICE: (415) 493-8805
  UUCP: ...!{ames,apple,uunet}!coherent!dplatt        DOMAIN: dplatt@coherent.com
  INTERNET: coherent!dplatt@ames.arpa, ...@uunet.uu.net
  USNAIL: Coherent Thought Inc.  3350 West Bayshore #205  Palo Alto CA 94303
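A small model of the veto rule described in the reply above, added here as an example and not GateKeeper's own code: every resource write is intercepted, but only code-bearing or viral resource types need the Res/Other grant, and creating or copying a code-bearing file type needs File/Other. Only "nVIR" and "APPL" come from the thread; the other entries in the three lists are assumed stand-ins for GateKeeper's configurable lists, and the `Privileges` class and scenario names are constructed for illustration.

```python
from dataclasses import dataclass

# Constructed stand-ins for GateKeeper's configurable lists. Only "nVIR" (viral)
# and "APPL" (code-bearing file type) are named in the thread; the rest are
# assumed entries chosen for illustration.
CODE_RESOURCE_TYPES = {"CODE", "INIT", "cdev", "DRVR", "WDEF"}
VIRAL_RESOURCE_TYPES = {"nVIR"}
CODE_FILE_TYPES = {"APPL", "INIT", "cdev"}


@dataclass(frozen=True)
class Privileges:
    """Per-program grants, named after the thread's Res/Other and File/Other."""
    res_other: bool = False   # may store code-bearing resources in other files
    file_other: bool = False  # may create or copy files that carry code


def resource_write_allowed(privs: Privileges, res_type: str) -> bool:
    """Every resource write is intercepted, but only code-bearing or viral
    types are subject to veto; any other type passes regardless of grants."""
    if res_type in CODE_RESOURCE_TYPES or res_type in VIRAL_RESOURCE_TYPES:
        return privs.res_other
    return True


def file_create_allowed(privs: Privileges, file_type: str) -> bool:
    """Creating or copying a file of a code-bearing type needs File/Other."""
    if file_type in CODE_FILE_TYPES:
        return privs.file_other
    return True


def audit(program: str, privs: Privileges, attempts: list) -> list:
    """Run a sequence of ("res"|"file", four-char type) attempts; return verdicts."""
    verdicts = []
    for kind, four_cc in attempts:
        check = resource_write_allowed if kind == "res" else file_create_allowed
        verdicts.append((program, kind, four_cc, check(privs, four_cc)))
    return verdicts


if __name__ == "__main__":
    # Constructed scenarios mirroring the thread: Finder gets File/Other only,
    # a text editor gets nothing, ResEdit is trusted to store code.
    finder, editor, resedit = Privileges(file_other=True), Privileges(), Privileges(res_other=True)
    for row in (audit("Finder", finder, [("file", "APPL"), ("res", "CODE")])
                + audit("Editor", editor, [("res", "TEXT"), ("res", "nVIR")])
                + audit("ResEdit", resedit, [("res", "CODE")])):
        print(row)
```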