[comp.sys.mac] Disinfectant

Michael.Pearce@f444.n161.z1.FIDONET.ORG (Michael Pearce) (07/02/89)

John,
I thank you for Disinfectant.  I would like to make a suggestion, though:  Can
you modify the next version so that an infected copy will still work?  The
first version of Virex would, and I evolved a method of "bootstrapping"
oneself from an infected HD to a clean one thusly:
1. Duplicate the infected copy.
2. Duplicate the infected System/Finder and store them in a folder on a floppy, another
   partition or, if desperate, right there on the hard disk.
3. Use the infected copy to clean up the duplicate copy, the Finder and the
   duplicate System and Finder.
4. Upon quitting, the first Finder becomes re-infected.
5. Copy the cleaned application, System and Finder to a floppy, lock the floppy
   and reboot.
6. Finish cleaning the hard disk.
  
Yes, I know, one should always have a floppy prepared for infection, but if
Disinfectant would only work while contaminated, someone might be able to save
their ass.
  
Only a suggestion.  Feedback?  Thanks, Michael Pearce, Portland, OR.

--  
-------------------------------------------------------------
FidoNet:  1:161/445      UUCP: sun!apple!bmug!<User.Name>
INTERNET:  bmug!<User.Name>@apple.COM or <User.Name>@bmug.fidonet.org
USNAIL:   BMUG, 1442A Walnut St. #62, Berkeley, CA 94709-1496
-------------------------------------------------------------
BMUG  ARPANET ADDRESSES:
Newsletter submissions:  pub@bmug.fidonet.org
Membership or business: biz@bmug.fidonet.org
Information: info@bmug.fidonet.org
Help Line Questions:  help@bmug.fidonet.org

jln@accuvax.nwu.edu (John Norstad) (07/18/89)

Michael Pearce writes:

> I thank you for Disinfectant.  

You are welcome.  Since I released Disinfectant several months ago
I've gotten tons of mail from people thanking me for the program,
and it's been very gratifying.  I'm very happy that it has helped
so many people.  

> I would like to make a suggestion, though: Can you modify the 
> next version so that an infected copy will still work?
>
> ... Description of a "bootstrapping" process to get from an
> infected system, including an infected copy of Disinfectant, to
> an uninfected system, including an uninfected copy of
> Disinfectant.

As you are aware, when Disinfectant is run it checks itself to see
if it has been modified.  If a change is detected, an alert is
presented informing the user that the copy of Disinfectant has 
been damaged, infected by a virus, or otherwise modified.  The user
is advised to obtain a new "clean" copy, and the user is not
permitted to use the "damaged" copy.

Although your description of a "bootstrapping" method is sound, I
still hesitate to permit users to use a modified copy of 
Disinfectant.  It's simply too dangerous.  The program
may have been damaged in such a way that it can no longer function
properly, resulting in failure to properly detect and repair 
infected files, system crashes, or other unexpected behaviour. 
The only safe thing to do in this case is refuse to permit the 
user to run the program.

I put in the check for several reasons - to detect infections by
viruses, to detect tampering by humans or other programs, and to
detect damage of other kinds (bad disk copies, etc.).  The check is
quite thorough - I compute two different kinds of checksums of the
entire resource fork of the program file (minus the part of the
header that can vary legitimately from copy to copy).

In fact, none of the current crop of Mac viruses can infect
Disinfectant 1.1, due to other protective measures I've taken in the
program.  I've verified this both analytically and by 
experimentation.  Thus, if you get the "damaged" alert it probably 
doesn't mean that Disinfectant has been infected, but rather that 
the copy has been damaged in some other way.  In this case your 
bootstrapping process probably wouldn't do any good.  Again, 
especially in this case, I don't want to let the user run the 
program - I know I've been modified, and I have no way to know how 
dangerous the modification might be.

Another problem with permitting a modified copy of Disinfectant
to be run is that I'd have to try to document the problem.  I'm
afraid that describing the details of your bootstrapping method
to the average Mac user without causing massive confusion would
be impossible.

In general, I've tried to take a very conservative approach in
Disinfectant, based on the "better safe than sorry" principle, and
I think this is one of the program's virtues.  Checking myself 
and refusing to run if I detect any kind of change is just one
example of this principle.

John Norstad      Northwestern University    jln@ancs.nwu.edu
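To make the self-check Norstad describes concrete, here is an added illustration of the same idea in Python; it is not Disinfectant's code, and the header size, the particular checksum algorithms (CRC-32 and SHA-256) and the sample "program image" are assumptions chosen for the example. Two independent checksums are computed over everything after a header region that may legitimately vary between copies, and the program refuses to proceed if either one disagrees with the values recorded when the program was built.

```python
"""Self-integrity check in the spirit of the one Norstad describes.
Added example, not Disinfectant's actual code: two independent checksums
over the program image (minus a header that may vary from copy to copy),
and a refusal to run on any mismatch."""
import hashlib
import zlib

# Assumption for this example: the first HEADER_SKIP bytes may vary
# legitimately between copies (Norstad mentions such a region, not its size).
HEADER_SKIP = 16


def checksums(image: bytes, header_skip: int = HEADER_SKIP) -> tuple[int, str]:
    """Two different checksums over everything after the variable header.
    Using two unrelated algorithms means a change would have to fool both."""
    body = image[header_skip:]
    return zlib.crc32(body) & 0xFFFFFFFF, hashlib.sha256(body).hexdigest()


def verify(image: bytes, expected: tuple[int, str],
           header_skip: int = HEADER_SKIP) -> bool:
    """True only if both checksums match the values recorded at build time."""
    return checksums(image, header_skip) == expected


def run_if_clean(image: bytes, expected: tuple[int, str]) -> str:
    """The 'better safe than sorry' policy: any change at all, whether an
    infection, a bad disk copy or tampering, means the copy is not run."""
    if not verify(image, expected):
        return "refused: copy damaged, infected, or otherwise modified"
    return "ok: running"


# Constructed sample "program image": a 16-byte header followed by a body.
ORIGINAL = b"HDR:serial=0001" + b"\x00" + b"PROGRAM CODE AND RESOURCES " * 4
EXPECTED = checksums(ORIGINAL)  # would be embedded in the shipped binary

# Same body, different header: a legitimate re-copy that must still pass.
RECOPIED = b"HDR:serial=9999" + b"\x00" + ORIGINAL[HEADER_SKIP:]

# One byte flipped inside the body: a damaged copy that must be refused.
_buf = bytearray(ORIGINAL)
_buf[40] ^= 0x01
DAMAGED = bytes(_buf)

# Bytes appended after the body: also caught, since the check covers
# everything after the header rather than a fixed-length region.
APPENDED = ORIGINAL + b"extra"

if __name__ == "__main__":
    for name, img in (("original", ORIGINAL), ("recopied", RECOPIED),
                      ("damaged", DAMAGED), ("appended", APPENDED)):
        print(f"{name:9s} -> {run_if_clean(img, EXPECTED)}")
```

The point the example makes is the one in the post: the check cannot tell an infection from disk damage, so it does not try to, and the only safe response to either is to stop. A self-check of this kind is, of course, only as trustworthy as the code that performs it, which is why the post pairs it with other measures that keep the program from being infected in the first place.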

David.Bolduc@f54.n382.z1.FIDONET.ORG (David Bolduc) (07/21/89)

Please add my name to those who thank you for Disinfectant. Please keep it 
up!
                                                        -david-


--  
David Bolduc via cmhGate - Net 226 fido<=>uucp gateway Col, OH
UUCP: ...!osu-cis!n8emr!cmhgate!382!54!David.Bolduc
INET: David.Bolduc@f54.n382.z1.FIDONET.ORG

minkus@lesath.usc.edu (Bob Minkus) (07/28/89)

In article <16622.24C919BD@cmhgate.FIDONET.ORG> David.Bolduc@f54.n382.z1.FIDONET.ORG (David Bolduc) writes:
>Please add my name to those who thank you for Disinfectant. Please keep it 
>up!
>                                                        -david-

	That's a big ditto from me too.  Do you have a site license policy,
	i.e. ~10 Macs?  Are you at the same address that's on the program,
	so I can send a more tangible thank you?

								Bob
Bob Minkus  --  USC University Computing Services
uucp: uunet!usc!minkus
bitnet: minkus@gamera
internet: minkus@usc.edu

jln@accuvax.nwu.edu (John Norstad) (07/28/89)

In article <18834@usc.edu> minkus@lesath.usc.edu (Bob Minkus) writes (about
Disinfectant):

>	Do you have a site license policy,
>       ie. ~10 Mac's?  Are you at the same address that's on the program,
>	so I can send a more tangible thank you.

Disinfectant is free, so there's no need for a site license.  
Yes, I'm at the same address that's on the program.

John Norstad.    Northwestern University.     jln@acns.nwu.edu

dawyd@gargoyle.uchicago.edu (David Walton) (07/29/89)

Add my thanks to the list.  I work in a lab with about 30+ Pluses and
IIs, which is open to the entire undergraduate community.  Since users
frequently (and one hopes, unwittingly) remove the virus protection
from our disks (hard and floppy), our software gets infected with
alarming regularity.  Disinfectant has been a godsend in keeping the
epidemic down.

Thanks for all of your work to keep us comp.mac.users virus-free.


David Walton

All of my opinions are my own.