[comp.virus] Virus protection: what to use.

mcafee@netcom.COM (McAfee Associates) (06/26/91)

Summary: Reposted by Keith Petersen

avinash@felix.contex.com (Avinash Chopde) writes:
>I was looking around on the garbo.uwasa.fi site and found it had
>plenty of virus scanners/fixer programs.
>Do I need to get hold of all of them, or are there one or two
>which should suffice ?
>
>And, I'm interested in hearing about any of your own procedures that you
>follow to prevent virus infections and perform virus cleanups.

Hello Mr. Chopde,

There are lots of anti-viral programs available now, both shareware
and commercial, so without trying to be too specific, here are some
things you may wish to look for:

1.	Type of virus detection offered: That is, upon what criteria
does the anti-viral program base its "decision" that a virus has been
found?  This is generally broken down into three categories: filters,
change checkers, and scanners.

A filter is a program that installs itself as a TSR and monitors the
system for virus-like activity (i.e., attempting to format a hard
disk, write to a program file, and so forth).  Filters have the
advantage of being able to detect new viruses because they are not
looking for specific viruses, but rather virus-methods.  The
disadvantage is that they can be prone to false-alarms by programs
which may do virus-like activities for legitimate reasons (say an OS
or application update program that patches the executable code of the
original program); they also have to be periodically updated when new
virus-techniques appear that the program did not monitor; also they
may have to be configured to allow programs that may do virus-like
activities (say, a disk optimization program) to function--this is not
really a problem with individual (home) users, but if you're
responsible for several 100's of PC's, installation could be painful.

A change checker (and this is a category that includes checksum,
cyclic redundancy checks (CRC's), cryptographic checks, and so on) is
a program that computes a known value for a program file (or other
area of the system) and is then periodically run to compare the
program file against.  If the known value and the just-computed value
don't match, then the file has been modified and may be infected with
a virus or otherwise tampered with.  The advantages to change checkers
are that they will detect known and unknown viruses, like the filter,
because they are not checking for specific pieces of code, but rather
for changes to a computed value.  They're also good for spotting
tampering--more of a computer security-related concern than virus-
specific, but it is a function.  The disadvantages of this method are
that this only works if the change checker is installed on a
virus-free machine, otherwise the known values computed will reflect
the viral code attached to its host; also, it's been theorized that if
the method of change checking is known, a virus could be written to
add itself to files in such a way that a checksum identical to the
known (good) checksum is generated; the last problem I can think of
with change checkers is that if there is a "stealth" virus present (A
virus that installs itself as kind of a "file handler" in the OS) then
the virus will trap reads by the change checking program, remove the
viral code from the infected file, and then pass on to the CC program
a "clean" file.  This last one can be prevented by booting the
computer with a clean (virus-free) operating system and then running
the change checking program.

A scanner works by checking the system for pieces of code unique to
each virus.  The scanner reads the files (boot sector, partition
table, etc) of a disk and does a match against a database of bytes
that are segments of viral code unique to each virus.  When a match
occurs, a virus is reported.  This is effective for finding known
viruses, since a positive ID against the virus is made.  Of course, a
false alarm could also occur if a file had the same instructions in
it.  Scanners can also check for "generic" routines, like a series of
program instructions to format a disk, but these are not as reliable
as the matching of viral code with its "fingerprint" of bytes because
a file may use such a routine for legitimate purposes.
Disadvantages to this are that a scanner will only detect known
viruses and must be updated frequently, a "stealth" virus could hide
from the scanner, and possible false alarms.  And of course, as more
viruses are added, the scanner gets s l o w e r.


2.  Vendor Support: That is, what sort of assistance will the
manufacturer provide?

Anti-viral software (like any software tool, only more so <GRIN>)
generally requires more assistance than other forms of software, or
perhaps I should say, more assistance of a specialized nature.
Removing a virus can be somewhat tricky because a long set of steps
have to be precisely followed to remove a virus AND prevent
re-infection.  And of course, there is the matter of any data on
infected media that may have been corrupted in some way.  So,
knowledge (and its accompanying twin, experience) are a factor.  What
sort of assistance does the vendor provide?  Does the vendor have a
telephone number, a fax, a BBS, internet or online services address
that you can access?  Is the telephone number 24 hours toll free?  Or
limited hours and toll?  Is there a charge for assistance or is it
free?  If there is a charge, do you have a certain amount of free
assistance?  What about local reps?  Is support handled through the
head office which may be in another country, or are there
manufacturer's reps or a branch office in your state (province,
district) or country?

Another factor is currency (yes, money too, but more about that next),
by which I mean how current is the program?  Does it need to be
regularly updated?  Does an update file need to be added, or does the package
have to be completely reinstalled each time?  How are updates made
available, and for how long?  Can they be downloaded or mailed or
faxed to you?  Are they free or do you have to pay for them?  Do you
get a certain amount of free updates?  If so, how is this handled?  If
there is a cost for updates, how much is it?

Is the software purchased (or licensed) for life or for a certain
amount of time?  If for a limited time, then how long?  What happens
when the license period runs out?

And how much does it all cost?  And referrals.  Does the manufacturer
have satisfied customers whom you can ask about the product?

Well, sorry for making such a long post, but I did want to address as
many issues as I could think of off the top of my head.  I hope this
gives you some factors to consider.

DISCLAIMER: Yes, I am an employee of McAfee Associates, makers of the
VIRUSCAN and CLEAN-UP anti-viral programs.  However, I have tried to
make this as objective as possible, without mention of anyone's
products, goods, or services.

Aryeh Goretsky
--
McAfee Associates	 | Voice (408) 988-3832	| mcafee@netcom.com
4423 Cheeney Street	 | FAX   (408) 970-9727	| (Aryeh Goretsky)
Santa Clara, California	 | BBS   (408) 988-4004	|
95054-0253  USA		 | v.32  (408) 988-5190	| mrs@netcom.com
ViruScan/CleanUp/VShield | HST   (408) 988-5138 | (Morgan Schweers)
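The two detection methods the post spends the most time on, the change checker and the signature scanner, are small enough to show in working code. The block below is an added example written for this repost; it is not code from the original post, from McAfee Associates, or from any of the products named in the signature. It builds a constructed directory of sample files, takes a baseline of SHA-256 digests (a cryptographic check in the post's terms, chosen over a CRC because an attacker cannot feasibly modify a file and keep the digest unchanged), "modifies" one file and adds another, and then reports what the change checker and a scanner with a made-up signature database each see. The signature byte strings are invented placeholders, not real virus fingerprints, and the file names are constructed for the demo. Note the post's own caveat: the baseline is only meaningful if it is taken on a machine booted from a clean system.

```python
"""Added example (not from the original post): a minimal change checker and
signature scanner of the kinds the post describes.  All files and
signatures below are constructed for the demonstration."""
import hashlib
import os
import tempfile


# --- Change checker ---------------------------------------------------------
def compute_baseline(root):
    """Map each file's path (relative to root) to its SHA-256 digest.

    A cryptographic hash is used rather than a CRC or simple checksum so that
    a modification cannot be crafted to leave the stored value unchanged."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            baseline[os.path.relpath(path, root)] = digest
    return baseline


def verify_baseline(root, baseline):
    """Recompute digests and report files that changed, appeared or vanished."""
    current = compute_baseline(root)
    changed = sorted(p for p in baseline if p in current and current[p] != baseline[p])
    added = sorted(p for p in current if p not in baseline)
    removed = sorted(p for p in baseline if p not in current)
    return {"changed": changed, "added": added, "removed": removed}


# --- Scanner ----------------------------------------------------------------
# Constructed signature database.  These byte strings stand in for the
# "fingerprint" segments a real scanner carries; they are NOT real signatures.
SIGNATURES = {
    "DEMO-SIG-A": b"\xde\xad\xbe\xef\x00\x41",
    "DEMO-SIG-B": b"DEMO-PATTERN-42",
}


def scan_file(path, signatures=SIGNATURES):
    """Return the names of all signatures whose bytes occur in the file."""
    with open(path, "rb") as fh:
        data = fh.read()
    return sorted(name for name, pattern in signatures.items() if pattern in data)


def scan_tree(root, signatures=SIGNATURES):
    """Scan every file under root; map hit files to the signatures found."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            found = scan_file(path, signatures)
            if found:
                hits[os.path.relpath(path, root)] = found
    return hits


def demo():
    """Create constructed sample files, baseline them, simulate a change,
    and return (scan before, change-checker report, scan after)."""
    with tempfile.TemporaryDirectory() as root:
        # Constructed "clean" files: a stub executable and a text file.
        with open(os.path.join(root, "PROG.EXE"), "wb") as fh:
            fh.write(b"MZ" + b"\x90" * 64)
        with open(os.path.join(root, "README.TXT"), "wb") as fh:
            fh.write(b"clean text file\n")

        baseline = compute_baseline(root)   # taken while the tree is known-clean
        clean_hits = scan_tree(root)

        # Simulate tampering: append a signature fragment to PROG.EXE and
        # drop a new file the baseline never saw.
        with open(os.path.join(root, "PROG.EXE"), "ab") as fh:
            fh.write(SIGNATURES["DEMO-SIG-A"])
        with open(os.path.join(root, "NEW.COM"), "wb") as fh:
            fh.write(b"x")

        report = verify_baseline(root, baseline)
        hits = scan_tree(root)
    return clean_hits, report, hits


if __name__ == "__main__":
    clean_hits, report, hits = demo()
    print("scan before change:", clean_hits)
    print("change checker report:", report)
    print("scan after change:", hits)
```

In practice the baseline dictionary would be written somewhere the checked machine cannot silently rewrite it (removable media or a separate host), and the verification run from a clean boot, which is exactly the defence the post gives against a stealth virus intercepting the checker's reads.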