76476.337@CompuServe.COM (Robert McClenon) (06/25/91)
I just discovered after twenty minutes of unpleasantness that SETVER.EXE, a feature of DOS 5.00, is implemented via SELF-MODIFYING CODE. The SETVER command is used to fake out applications which check the version of DOS. It seems that, rather than maintain a data file separate from the .EXE file, Microsoft has chosen to implement SETVER.EXE as a program which modifies itself whenever it is executed, so as to change a table that is part of itself.

This is very unfriendly behavior for users who try to maintain any sort of discipline to control viruses, or any of various other sorts of discipline. Virex-PC gave me multiple alerts telling me that SETVER was trying to alter SETVER. Since the syntax of SETVER is a little peculiar and complex, I at first assumed that I had entered the command wrong and was doing something improper and that Virex-PC was protecting me from a mistake. It took me a while to realize that SETVER was REALLY trying to MODIFY itself and that Virex-PC was trying to protect me from a technically legitimate but undisciplined operation.

Is anyone from Microsoft on this distribution list? Would they care to explain why they did such an undisciplined thing?

Robert McClenon
Neither my employer nor anyone else paid me to say this.
padgett%tccslr.dnet@mmc.com (A. Padgett Peterson) (06/26/91)
>From: Robert McClenon <76476.337@CompuServe.COM>
> I just discovered after twenty minutes of unpleasantness that
>SETVER.EXE, a feature of DOS 5.00, is implemented via SELF-MODIFYING
>CODE.

Actually, this is much better than earlier (beta) versions in which SETVER modified other things (even nastier). Since I did not bother to install SETVER, this is not a problem for me and I have not yet run into an application/game/etc that requires its use, though I have heard rumors of such programs.

Further, once one teaches SETVER which (shouldn't be many) programs require DOS to report/act like a different version to work, SETVER should not be changing unless a new non-conforming program is added. Even so, the rate should not be a problem, & the user should know that something "legal" was done.

For some time, my feeling has been that "intelligent" anti-viral software should be able to recognize when a program is allowed to write to itself (SETVER, LIST) or to a limited subset of other programs (WSCHANGE - WORDSTAR) & notify the user but not make a fuss about it. Now if SETVER tries to modify LIST, I would be concerned, but not when it modifies itself when I ask it to.

To me, strict checksum coverage of 98% of my files is "good enough" (quantum economics) that not much safety would be lost if the other 2% were permitted LIMITED privilege with notification. Heck, the whole concept of "privilege" receives only lip service (and much obfuscation) from DOS.

IMHO, it would seem that Microsoft had a choice: let SETVER modify system files (tried & rejected in beta), a separate data file (possible but must always be able to find it), or itself. Given all the variables, I think they probably made the most efficient (but not necessarily the most popular to anti-virus program writers) decision.

Cooly,
Padgett
Might be some one else's opinion also but probably not my employer's.
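Padgett's suggestion above, a change detector that knows which programs are allowed to write to themselves (SETVER, LIST) or to one named other program (WSCHANGE to WordStar) and merely notifies in those cases while alarming on everything else, sketched as an added example. This is not code from the thread, from Virex-PC or from any other product; the policy table, the program names, the sample file contents and the write events are all constructed here to mirror the cases the post names.

```python
"""Checksum change detection with a per-program write policy (constructed example).

Two pieces, matching the post above:
  1. evaluate_write(): given an observed write event (which program wrote to
     which file), return NOTIFY when policy permits it (a program rewriting
     itself, or a named cross-write such as WSCHANGE -> WS.EXE) and ALARM
     otherwise (e.g. SETVER writing to LIST).
  2. build_baseline()/check_baseline(): a checksum sweep that lists every file
     whose hash changed since the baseline and whether a permitted write
     explains it. Unexplained changes are what a virus would look like.
"""
import hashlib
import os
import tempfile

# Constructed policy table (assumption: names chosen to mirror the thread).
SELF_MODIFYING = {"SETVER.EXE", "LIST.COM"}        # may rewrite themselves
CROSS_WRITES = {"WSCHANGE.EXE": {"WS.EXE"}}        # may patch one other program

NOTIFY = "NOTIFY"
ALARM = "ALARM"


def evaluate_write(writer, target):
    """Classify one observed write event; returns (verdict, message)."""
    writer, target = writer.upper(), target.upper()
    if writer == target and writer in SELF_MODIFYING:
        return NOTIFY, f"{writer} rewrote itself (permitted self-modification)"
    if target in CROSS_WRITES.get(writer, set()):
        return NOTIFY, f"{writer} wrote to {target} (permitted by policy)"
    return ALARM, f"{writer} wrote to {target} (NOT permitted)"


def sha256_of(path):
    """Hash a file in chunks so large executables do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(directory):
    """Map every file name in the directory to its current hash."""
    return {name: sha256_of(os.path.join(directory, name))
            for name in sorted(os.listdir(directory))}


def check_baseline(directory, baseline, permitted_targets):
    """Report files whose hash changed; 'explained' if a permitted write hit them."""
    report = {}
    for name, old_hash in baseline.items():
        if sha256_of(os.path.join(directory, name)) != old_hash:
            report[name] = "explained" if name in permitted_targets else "UNEXPLAINED"
    return report


def demo():
    """Run the detector over constructed files and constructed write events."""
    with tempfile.TemporaryDirectory() as d:
        # Constructed stand-ins for the executables; contents are arbitrary bytes.
        for name in ("SETVER.EXE", "LIST.COM", "WS.EXE", "WSCHANGE.EXE", "EDIT.COM"):
            with open(os.path.join(d, name), "wb") as f:
                f.write(b"MZ" + name.encode())
        baseline = build_baseline(d)

        # Constructed events: the two cases the post accepts, and the one it would not.
        events = [("SETVER.EXE", "SETVER.EXE"),
                  ("WSCHANGE.EXE", "WS.EXE"),
                  ("SETVER.EXE", "LIST.COM")]
        permitted_targets, verdicts = set(), []
        for writer, target in events:
            verdict, message = evaluate_write(writer, target)
            verdicts.append(verdict)
            print(f"[{verdict}] {message}")
            # Simulate the write actually landing on disk.
            with open(os.path.join(d, target), "ab") as f:
                f.write(b"\x00patched")
            if verdict == NOTIFY:
                permitted_targets.add(target.upper())

        report = check_baseline(d, baseline, permitted_targets)
        for name, status in report.items():
            print(f"{name}: {status}")
        return verdicts, report


if __name__ == "__main__":
    demo()
```

The policy is deliberately narrow: a program on the self-modifying list is still alarmed on when it writes to anything other than itself, which is exactly the "SETVER tries to modify LIST" case the post singles out, and the baseline sweep still surfaces the resulting change as unexplained.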
p1@arkham.wimsey.bc.ca (Rob Slade) (06/28/91)
76476.337@CompuServe.COM (Robert McClenon) writes:

> This is very unfriendly behavior for users who try to maintain
> any sort of discipline to control viruses, or any of various other
> sorts of discipline. Virex-PC gave me multiple alerts telling me that

Unfriendly and, unfortunately, all too common. Buried in the documentation for Mace Vaccine, which has a change detection component, you will find a note that self modifying programs will trigger false alarms, and that Mace Utilities itself makes such self modifying programs ...

=============
Vancouver      p1@arkham.wimsey.bc.ca   | "If you do buy a
Institute for  Robert_Slade@mtsg.sfu.ca | computer, don't
Research into  (SUZY) INtegrity         | turn it on."
User           Canada V7K 2G6           | Richards' 2nd Law
Security                                | of Data Security