ratzan@rwja.umdnj.edu (Lee Ratzan) (06/21/91)
Application locking on a Macintosh prevents a file from accidentally being destroyed (trashed) and to some extent from being altered. A user wants to know if locking Disinfectant on a hard disk will prevent it from being itself infected from a virus emanating from an infected floppy.

The issue is whether we can trust a resident locked copy of Disinfectant to remain clean even if the hard disk on which it resides becomes infected.

I have advocated that since we have no automatic virus checking software which is activated upon disk insertion or start up and since anyone can use the machine, the only way to be absolutely certain that integrity has not been compromised each morning is to boot up first with a trusted disk and run the trusted disk copy of Disinfectant against the hard disk files.

Comments?

Lee Ratzan
mike@pyrite.SOM.CWRU.Edu (Michael Kerner) (06/22/91)
NO! ABSOLUTELY NOT TRUE IN ANY WAY, SHAPE, OR FORM. IT IS IMPOSSIBLE TO PROTECT A FILE BY LOCKING IT. PERIOD. ABSOLUTELY NOT. IT DOESN'T HAPPEN.

The only way to protect a file is to have it on a locked volume. Now I don't know if SAM is beyond this, because I haven't tried it...yet (hey, c'mon, I read newsgroups on Internet in what little free time I have between my job at xxx and handling the lab here). However, I have an "utility" which will overwrite any resource in any file, and that's all the more specific I am going to get about it because I don't want some amateur hack reading this to get any ideas. Saying that it can be done is bad enough - it encourages the ones that don't know ... yet. At any rate, file locking AND PROTECTING (via some sector editor) do not stop this "utility" from working - no, it's not ResEdit, but I haven't tried ResEdit, although I would assume that it won't work. So, there is NO WAY to stop a file on an unlocked volume from being written to, changed, etc. Sorry.

Mike.
Mac Admin
WSOM CSG
CWRU
mike@pyrite.som.cwru.edu
KE2Y@VAX5.CIT.CORNELL.EDU (John Chapman) (06/24/91)
ratzan@rwja.umdnj.edu (Lee Ratzan) writes:
> Application locking on a Macintosh prevents a file from accidentally
> being destroyed (trashed) and to some extent from being altered.
> A user wants to know if locking Disinfectant on a hard disk will
> prevent it from being itself infected from a virus emanating
> from an infected floppy.
>
> The issue is whether we can trust a resident locked copy of
> Disinfectant to remain clean even if the hard disk on which it resides
> becomes infected.

From what I understand, Disinfectant checks itself first thing when it is launched. If it has been altered in ANY way, it supposedly renames itself to something like 'Trash Me' and quits immediately. I think the check it performs on itself is a little more complex than just simple checksumming, but I am not sure. Anyway, the theory is that even if something were able to infect Disinfectant, it would not allow itself to be run. (For those interested, I think this is also why you cannot alter the MultiFinder partition size - it is somehow 'hard-coded' into Disinfectant such that changing it in the Finder Get Info box doesn't work).

If you are particularly concerned, run the Disinfectant INIT on all boot volumes. This should prevent the infection of any program (not just Disinfectant) from any known virus. The INIT is unobtrusive, VERY small (read 5K) and is very effective against anything that's been found.

If you want more complete protection, I would suggest trying GateKeeper (freeware) or the commercial packages SAM, Rival, or Virex. From what I have seen, all are excellent at blocking all known viruses, but their main strength is their ability to catch & block new, unidentified viruses. Unfortunately, this means they are far more picky and sensitive than the Disinfectant INIT and may cause conflicts with (a few) software packages and INITs.

By the way, the current version of Disinfectant is 2.4 and may be found on most good FTP archives (e.g. sumex-aim.stanford.edu) as well as several mail server archives.

> Lee Ratzan

- -
John T. Chapman
ke2y@vax5.cit.cornell.edu
ke2y@crnlvax5.bitnet

Disclaimer: These opinions are my own and do not necessarily reflect those of the University or of the manufacturers of the products mentioned above.
FXJWK@ALASKA.BITNET (Jo Knox - UAF Academic Computing) (06/26/91)
On 21 Jun 91, mike@pyrite.SOM.CWRU.Edu (Michael Kerner) says:
> NO! ABSOLUTELY NOT TRUE IN ANY WAY, SHAPE, OR FORM. IT IS IMPOSSIBLE TO
> PROTECT A FILE BY LOCKING IT. PERIOD. ABSOLUTELY NOT. IT DOESN'T HAPPEN.

Agreed.

> The only way to protect a file is to have it on a locked volume.

Depends upon how the volume is locked; the only true locking is hardware write protection, available on floppies and some optical drives (I think).

> However, I have an "utility" which will
> overwrite any resource in any file, and that's all the more specific I am
> going to get about it because I don't want some amateur hack reading this
> to get any ideas. Saying that it can be done is bad enough - it encourages
> the ones that don't know ... yet. At any rate, file locking AND PROTECTING
> (via some sector editor) do not stop this "utility" from working - no, it's
> not ResEdit, but I haven't tried ResEdit, although I would assume that it
> won't work.

I don't think any hacker's going to be surprised at this information; "File Locked", "File Busy", "File Protect" are just bits in the header information of the file; there are lots of utilities which can modify some or all of these file attribute bits---if Finder (just another program to the Mac) can set these bits, it's evident that other programs can, too, such as ResEdit, MacTools/FileEdit, SUM Tools, Fedit Plus, and DiskTop DA, to name just a few.

jo
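
The point made in the reply above, that a lock flag is only an attribute bit which any program with the same rights can change, shown as an added example that is not part of the original thread. It assumes a POSIX system where the write-permission bit stands in for the Finder lock flag; the file name and contents are constructed. The check that notices the change is a digest recorded beforehand, which in practice would be kept on write-protected media.

```python
import hashlib
import os
import stat
import tempfile


def sha256_of(path):
    """Return the SHA-256 hex digest of a file's contents."""
    with open(path, "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest()


def is_locked(path):
    """True when no write-permission bit is set (stand-in for 'File Locked')."""
    mode = os.stat(path).st_mode
    return not (mode & (stat.S_IWUSR | stat.S_IWGRP | stat.S_IWOTH))


def demo():
    workdir = tempfile.mkdtemp()
    target = os.path.join(workdir, "scanner.bin")  # constructed sample file
    with open(target, "wb") as fh:
        fh.write(b"known-good scanner image")

    # Baseline digest: assumed to be stored off this volume, on trusted media.
    baseline = sha256_of(target)

    os.chmod(target, stat.S_IRUSR)                 # "lock" the file
    locked_before = is_locked(target)

    # A program running as the same user can flip the attribute back...
    os.chmod(target, stat.S_IRUSR | stat.S_IWUSR)
    with open(target, "ab") as fh:                 # ...and alter the contents,
        fh.write(b" + appended bytes")
    os.chmod(target, stat.S_IRUSR)                 # then restore the flag.

    return {
        "locked_before": locked_before,
        "locked_after": is_locked(target),         # flag looks untouched
        "matches_baseline": sha256_of(target) == baseline,
    }


if __name__ == "__main__":
    print(demo())
```

The flag reads as locked both before and after, so only the comparison against the baseline digest reveals that the contents changed.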
mike@pyrite.SOM.CWRU.Edu (Michael Kerner) (06/27/91)
In regards to the "Well, you can override the bit settings" (sorry, I forgot to copy the article in here), the point I was making was that even beyond that, this little bugger (no it's not in the Sector Editor group that was listed), will also overrun open resources - this is something that I have not seen any other "utility" accomplish. I know it is possible to do, but I just haven't seen anybody do it.

Mike.
Mac Admin
WSOM CSG
CWRU
mike@pyrite.som.cwru.edu