kevin@perle.UUCP (Kevin Pickard) (04/05/89)
Anyone out there have any experience with vaccination programs for IBM Compatible PCs? In particular, I am looking for something that can detect modified or corrupted files on a system that may have been infected with a virus. It would also be nice if the program could detect corruption as it happens (maybe as a TSR).

So far, I have seen the following programs:

Antidote
    This program is from Quaid Software here in Toronto and it does a pretty good job. It computes a CRC for the specified files and writes this information out to disk. When run again in "examine" mode, it recomputes the checksums and compares them with the recorded values. Any differences are flagged.

FILECRC
    This program is from USENET. It also computes checksums and records them to disk. A separate program called COMPARE must then be run to verify the checksums. Again differences are flagged.

Both of these programs use a CRC method for catching modified files. The program "Antidote" appears faster and has a cleaner user interface. It only uses one program and maintains a single file. It also allows you to specify which files you want to monitor. The program "FILECRC" appears slower and needs a second program called "COMPARE" to verify the files. The user interface is cruder. It has the advantage of detecting more types of differences though. For example, it also detects file access date/time changes. With this though it also creates more output files (about 5 if I remember).

Unfortunately, both of these programs can be fooled by a virus that knows what CRC is being used. Programs that can vary their method of CRC computation would be more robust.

If anyone has used any of these programs or knows of something similar I would appreciate hearing from you. I will summarize any information I receive.

-- 
Step 5: After filling needle, inject vaccine into disk.
Kevin Pickard
UUCP: ...!uunet!mnetor!perle!kevin
ejb@think.COM (Erik Bailey) (04/06/89)
I can vouch for FluShot+. The author (who I know personally) is Ross Greenberg, who until recently was Sysop of PC MagNet. The current version is (I believe) v1.51, and can be downloaded from the author's bulletin board at (212) 889-6438. FluShot was one of the first anti-virus programs, and is probably the best shareware one ($10) -- it's better than most commercial ones (who would pay eighty bucks for something of this genre???). Highly recommended.

--Erik

Erik Bailey     | CompuServe | 7 Oak Knoll         | (ARPA/USENET courtesy of
ejb@think.UUCP  | PCMagNet   | Arlington, MA 02174 | Thinking Machines Corp.,
ejb@think.com   | 72241,105  | (617) 643-0732      | First St, Cambridge, MA)
do headache -> take 1 aspirin od      "This terminates one way or another" -Dijkstra
hartung@amos.ling.ucsd.edu (Jeff Hartung) (04/07/89)
I am very happy with CHECKUP 2.1, which I got from SIMTEL20.arpa. It is shareware, but you need pay only if you are a commercial organization. Otherwise you are able to register for free. It calculates CRC's using several different algorithms, so any virus that might be able to make a program pass all the CRC checks through character padding, etc. would also make the program not run.

--Jeff Hartung--

Disclaimer: My opinions only, etc., etc., BLAH! BLAH! BLAH!...
Internet - hartung@amos.ling.ucsd.edu
UUCP - ucsd!amos.ucsd.edu!hartung
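The record/examine model that Kevin Pickard describes for Antidote and FILECRC, combined with the several-algorithms point Jeff Hartung makes about CHECKUP, can be shown in a small integrity checker. The following is an added example written for this thread; it is not the code of Antidote, FILECRC, CHECKUP or FluShot+, and the file names and contents it creates are constructed stand-ins. "Record" mode stores size, modification time, CRC-32 and SHA-256 for each file; "examine" mode recomputes them and reports which checks disagree, so a change that happens to preserve one checksum is still caught by the others.

```python
"""Baseline-and-examine file integrity checker (constructed example).

Each monitored file gets four independent checks recorded to a JSON
database.  A later examine() pass reports, per file, which of the
checks no longer match.  CRC-32 alone is weak against an attacker who
knows the algorithm, which is why a cryptographic hash and the file
size are recorded alongside it.
"""
import hashlib
import json
import os
import tempfile
import zlib
from pathlib import Path


def fingerprint(path):
    """Compute all recorded properties of one file."""
    data = Path(path).read_bytes()
    st = os.stat(path)
    return {
        "size": st.st_size,
        "mtime": int(st.st_mtime),           # whole seconds, like a DOS timestamp
        "crc32": "%08x" % (zlib.crc32(data) & 0xFFFFFFFF),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def record(paths, db_path):
    """'Record' mode: write a baseline for the given files to db_path."""
    db = {str(p): fingerprint(p) for p in paths}
    Path(db_path).write_text(json.dumps(db, indent=1))
    return db


def examine(db_path):
    """'Examine' mode: return {file: [names of checks that differ]}.

    An empty list means the file is unchanged; ["missing"] means the
    file recorded in the baseline no longer exists.
    """
    db = json.loads(Path(db_path).read_text())
    report = {}
    for name, expected in db.items():
        if not os.path.exists(name):
            report[name] = ["missing"]
            continue
        actual = fingerprint(name)
        report[name] = [k for k in expected if expected[k] != actual[k]]
    return report


def demo():
    """Run record/modify/examine in a temporary directory; return the report."""
    with tempfile.TemporaryDirectory() as d:
        prog = Path(d) / "PROG.EXE"          # constructed stand-in for a program
        util = Path(d) / "UTIL.COM"          # constructed stand-in for a second one
        prog.write_bytes(b"MZ" + b"\x90" * 64)
        util.write_bytes(b"\xe9\x00\x00" + b"\xcc" * 16)
        db = Path(d) / "integrity.json"
        record([prog, util], db)

        # Simulated modification 1: bytes appended, so size, CRC and hash change.
        prog.write_bytes(prog.read_bytes() + b"APPENDED-STAND-IN")
        # Simulated modification 2: a same-size patch of one byte, so the size
        # check stays silent and only the checksums flag it.
        util.write_bytes(b"\xe9\x10\x00" + b"\xcc" * 16)

        report = examine(db)
        for name, diffs in report.items():
            status = "OK" if not diffs else "CHANGED: " + ", ".join(diffs)
            print("%-60s %s" % (name, status))
        return report


if __name__ == "__main__":
    demo()
```

The same-size patch in the demo is the case a size-only check would miss; the CRC-32 and SHA-256 entries still flag it. The modification time is recorded too, as FILECRC does, but it is the weakest check of the four because a timestamp can be set back to its old value.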
dani@ritcsh.UUCP (Dani Kadoch) (04/07/89)
In article <552@perle.UUCP> kevin@perle.UUCP (Kevin Pickard) writes:
> Anyone out there have any experience with vaccination
> programs for IBM Compatible PCs?

The best one I've seen is Flushot+. Even though it is shareware, it is pretty infallible (sp?). I have tried a few things myself, but the program catches them. (see below)

> In particular, I am looking for something that can detect modified or corrupted
> files on a system that may have been infected with a virus.

It will check any files you specify (typically executables) any time you run them, using CRC.

> It would also be nice if the program could detect corruption
> as it happens (maybe as a TSR).

It will keep a log of what interrupts are taken by what program, and pop up a window saying so if it is not a program you have OKed. Once the window is up, you can stop or continue the execution of the suspect program. A similar window will pop up any time the suspect program tries to write directly to disk using INT 25 (for HDs) or 13 (floppies.)

> Unfortunately, both of these programs [Quaid Software's Antidote and FILECRC from usenet]
> can be fooled by a virus that knows what CRC is being used. Programs that
> can vary their method of CRC computation would be more robust.

I am not sure if Flushot does this or not, but it also checks the size of the file, which is bound to be changed with the introduction of a virus.

I tried writing a couple of programs to see how I could trick flushot, and get control of the machine, and I succeeded, but I ended up not being able to do any disk writing without Flushot knowing about it. It traps all the critical (potentially dangerous) interrupts very well.

I highly recommend this program. Its documentation is _very_ complete and gives you a good insight about viruses and worms too.

Dani.
-- 
/-\|/-\|/-\|/-\|/-\|/-\|/-\|/-\|/-\|/-\|/-\|/-\|/-\|/-\|/-\|/-\|/-\|/-\|/-\|/-\
> Dani Kadoch @ Computer Science House @ Rochester Institute of Technology    <
> USMail: Box 1186 25 Andrews Memorial Dr, Rochester, NY 14623 (716)475-3307  <
> UUCP:..!rochester!rit!ritcsh!dani   MCIMail:dani   BITNET:dnk8842@ritvax    <