[comp.binaries.ibm.pc.d] SCANV66.ZIP controversy

ts@uwasa.fi (Timo Salmi LASK) (08/13/90)

   We recently placed (/pc/virus/)scanv66.zip for anonymous ftp
download from chyde.uwasa.fi, Vaasa, Finland, 128.214.12.3. 
   McAfee has benefited the PC community with excellent virus
checking facilities, but the new scanv66.zip includes a potentially
dangerous and controversial feature.  To quote:

    "This version of SCAN has added an option to
    transparently attach a CRC validation code to all of
    your executable files, your boot sector and your
    partition table.  This will help protect your system in
    case a virus unknown to SCAN is encountered.  SCAN will
    check these validation codes if requested and will
    alert the user to any files or system areas that have
    changed."

   Now there are two problems with this approach.  On the practical
side this method destroys a program's own virus selftest, if it has
one inbuilt based on checksums.  I may have made mistakes, but when
I tried scan /av out on two selftesting programs, the code that scan
attached naturally caused an alarm.  But what is really alarming is
that when I told scan to remove its code, the selftest failed even
after that.  This means that unless I made an error, scan could not
restore the files to their exact original state! The option /rv did
not work in my tests. 

   The second problem is one of principle, and is best left for
legally minded persons to work out, but let me point out the
dilemma.  What McAfee's scan does is that it certifiably adds code
to the host program, if the user so chooses.  Now this is tantamount
to patching, and very strictly speaking patching (at least
copyrighted commercial) programs may involve problems of legality. 
I think that this is something McAfee should have cleared very
carefully before releasing this potentially compromising method. 
Having such a good reputation, McAfee has at least taken a public
risk here.  I really do not know, but be that as it may, the method has
too much virus-resemblance for comfort. 

...................................................................
Prof. Timo Salmi        (Moderating at anon. ftp site 128.214.12.3)
School of Business Studies, University of Vaasa, SF-65101, Finland
Internet: ts@chyde.uwasa.fi Funet: gado::salmi Bitnet: salmi@finfun
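
The round-trip check described in the post above (does a checksum self-test pass after validation code is attached, and again after it is removed), as an added example that is not part of the original post and is not SCAN's code. The trailer layout, the `MARKER` tag, the padded variant and the sample bytes are all constructed assumptions; the padded variant only shows one way a removal can fail to be byte-exact and says nothing about why /rv failed in the tests reported. A detached manifest is included as the alternative that leaves files untouched.

```python
import hashlib
import zlib

MARKER = b"VALID1"  # hypothetical trailer tag, not SCAN's real format
TRAILER_LEN = len(MARKER) + 4

def attach(image: bytes) -> bytes:
    """Append a CRC32 trailer to the file image (in-place tagging)."""
    return image + MARKER + zlib.crc32(image).to_bytes(4, "little")

def padded_attach(image: bytes) -> bytes:
    """Constructed variant: pad to a 16-byte boundary first, then tag."""
    return attach(image + b"\x00" * ((-len(image)) % 16))

def detach(tagged: bytes) -> bytes:
    """Strip the trailer if present; the padding, if any, is not tracked."""
    if len(tagged) >= TRAILER_LEN and tagged[-TRAILER_LEN:-4] == MARKER:
        return tagged[:-TRAILER_LEN]
    return tagged

def self_test_ok(image: bytes, expected_sha256: str) -> bool:
    """Stand-in for a program's built-in whole-file checksum self-test."""
    return hashlib.sha256(image).hexdigest() == expected_sha256

def round_trip_report(original: bytes, add, remove) -> dict:
    """Record whether the self-test passes after add and after remove."""
    baseline = hashlib.sha256(original).hexdigest()
    tagged = add(original)
    restored = remove(tagged)
    return {
        "tagged_passes": self_test_ok(tagged, baseline),
        "restored_passes": self_test_ok(restored, baseline),
        "size_delta": len(restored) - len(original),
    }

def detached_manifest(files: dict) -> dict:
    """Alternative: keep checksums outside the files, which stay unmodified."""
    return {name: hashlib.sha256(data).hexdigest() for name, data in files.items()}

# Constructed sample bytes, not a real executable (226 bytes long).
SAMPLE = b"MZ" + bytes(range(200)) + b"constructed sample image"

if __name__ == "__main__":
    print("exact remove :", round_trip_report(SAMPLE, attach, detach))
    print("lossy remove :", round_trip_report(SAMPLE, padded_attach, detach))
    manifest = detached_manifest({"sample.exe": SAMPLE})
    print("detached ok  :", self_test_ok(SAMPLE, manifest["sample.exe"]))
```

Comparing a hash taken before tagging with one taken after removal is the quickest way to tell whether a tool's "remove" option really restores the original bytes.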