[comp.virus] Scanning infected files

ACDFINN@vm.uoguelph.ca (Finnegan Southey) (06/07/91)

      In regards to the problem of anti-viral programs infecting files
they scan when a memory-resident virus is present: Wouldn't it be
possible to read disks sector by sector instead of opening files
through DOS calls?  This reading would be much the same as a disk
editor program.  The scanner could consult directory listings to find
program boundaries and then check appropriate areas without opening
the files as a file?  As I'm not an MS-DOS expert I'm not sure if this
makes sense, but I thought I'd ask.

-------------------------------------------------------------------------------
 Finnegan Southey - Computing Services, University of Guelph, Ontario, CANADA
        BitNet: ACDFINN.VM.UOGUELPH.CA  CoSy: fsouthey@COSY.UOGUELPH.CA
           You are in a maze of twisty little passages, all alike...
-------------------------------------------------------------------------------
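Finnegan's proposal, worked through as an added example (this is not code from the thread or from any of the posters): a small Python script that walks a FAT12 volume purely by sector reads. It builds a constructed 8 KiB image in memory, parses the BIOS parameter block, decodes the root directory from its own sectors, follows each file's FAT cluster chain to get the "program boundaries" (the list of sectors the file occupies), assembles the file's bytes from those sectors and scans them for a marker, all without any open/read call on the file. The image contents, the file names, the marker DEMO_SIG and every function name are assumptions made for the example; on DOS the read_sector slice would be an int 13h (or int 40h) call. The allocation_consistent check compares the size stored in the on-disk directory entry with the clusters actually chained to it, one of the consistency checks the raw view makes possible, and cluster_chain refuses to follow a FAT that loops.

```python
import struct
from typing import Iterator, List, NamedTuple

class Bpb(NamedTuple):   # BIOS parameter block fields plus the derived layout (sector numbers)
    bps: int; spc: int; reserved: int; spf: int; root_entries: int; root_sector: int; data_sector: int

class Entry(NamedTuple):  # one decoded 8.3 root-directory entry
    name: str; first_cluster: int; size: int

def read_sector(img: bytes, n: int, bps: int) -> bytes:
    """The sector-by-sector primitive: a slice here, an int 13h read on DOS."""
    return img[n * bps:(n + 1) * bps]

def parse_bpb(img: bytes) -> Bpb:
    bps, spc, res, nfats, root, _tot, _media, spf = struct.unpack_from("<HBHBHHBH", img, 11)
    root_sector = res + nfats * spf                           # root dir follows the FAT copies
    data_sector = root_sector + (root * 32 + bps - 1) // bps  # cluster 2 starts the data region
    return Bpb(bps, spc, res, spf, root, root_sector, data_sector)

def fat12_get(fat: bytes, n: int) -> int:  # unpack the 12-bit FAT entry for cluster n
    off = n * 3 // 2
    v = fat[off] | (fat[off + 1] << 8)
    return v & 0xFFF if n % 2 == 0 else v >> 4

def fat12_set(fat: bytearray, n: int, val: int) -> None:  # pack a 12-bit entry (builds the demo image)
    off = n * 3 // 2
    if n % 2 == 0:
        fat[off], fat[off + 1] = val & 0xFF, (fat[off + 1] & 0xF0) | (val >> 8 & 0x0F)
    else:
        fat[off], fat[off + 1] = (fat[off] & 0x0F) | (val & 0x0F) << 4, val >> 4 & 0xFF

def root_dir_entries(img: bytes, bpb: Bpb) -> Iterator[Entry]:
    """Decode the root directory straight from its sectors (no DOS find-first/find-next)."""
    raw = b"".join(read_sector(img, s, bpb.bps) for s in range(bpb.root_sector, bpb.data_sector))
    for i in range(bpb.root_entries):
        e = raw[i * 32:(i + 1) * 32]
        if e[0] == 0x00:
            break                                  # end of directory
        if e[0] == 0xE5 or e[11] & 0x08:
            continue                               # deleted entry or volume label
        base, ext = e[0:8].decode("ascii").rstrip(), e[8:11].decode("ascii").rstrip()
        first_cluster, size = struct.unpack_from("<HI", e, 26)
        yield Entry(base + ("." + ext if ext else ""), first_cluster, size)

def cluster_chain(img: bytes, bpb: Bpb, first: int) -> List[int]:
    """Follow the FAT to end-of-chain (>= 0xFF8); a loop means a corrupt or hostile FAT."""
    fat = b"".join(read_sector(img, bpb.reserved + i, bpb.bps) for i in range(bpb.spf))
    chain, c = [], first
    while 2 <= c < 0xFF8:
        if c in chain:
            raise ValueError("FAT chain loops at cluster %d" % c)
        chain.append(c)
        c = fat12_get(fat, c)
    return chain

def file_sectors(img: bytes, bpb: Bpb, e: Entry) -> List[int]:
    """The 'program boundaries': every data sector the directory says the file owns."""
    return [bpb.data_sector + (c - 2) * bpb.spc + k
            for c in cluster_chain(img, bpb, e.first_cluster) for k in range(bpb.spc)]

def read_file_raw(img: bytes, bpb: Bpb, e: Entry) -> bytes:
    """File contents assembled from its sectors, never via an open/read call."""
    return b"".join(read_sector(img, s, bpb.bps) for s in file_sectors(img, bpb, e))[:e.size]

def allocation_consistent(img: bytes, bpb: Bpb, e: Entry) -> bool:
    per_cluster = bpb.bps * bpb.spc               # on-disk size must fill exactly the chained clusters
    return (e.size + per_cluster - 1) // per_cluster == len(cluster_chain(img, bpb, e.first_cluster))

def scan_image(img: bytes, signature: bytes) -> List[str]:
    """Names of root-directory files whose raw bytes contain `signature`."""
    bpb = parse_bpb(img)
    return [e.name for e in root_dir_entries(img, bpb) if signature in read_file_raw(img, bpb, e)]

DEMO_SIG = b"DEMO-SIG-XYZ"   # constructed marker standing in for a real scan string

def build_demo_image() -> bytearray:
    """Constructed 8 KiB FAT12 volume (1 reserved sector, 1 FAT, 16 root entries, 512-byte clusters).
    PROG.COM (600 bytes) occupies clusters 2 and 4, so its marker is only found by following the chain."""
    bps, total = 512, 16
    img = bytearray(bps * total)
    struct.pack_into("<HBHBHHBH", img, 11, bps, 1, 1, 1, 16, total, 0xF0, 1)
    fat = bytearray(bps)
    for n, v in ((0, 0xFF0), (1, 0xFFF), (2, 4), (3, 0xFFF), (4, 0xFFF)):
        fat12_set(fat, n, v)
    img[bps:2 * bps] = fat                                    # sector 1: the FAT
    root = struct.pack("<8s3sB14xHI", b"PROG    ", b"COM", 0x20, 2, 600)
    root += struct.pack("<8s3sB14xHI", b"README  ", b"TXT", 0x20, 3, 20)
    img[2 * bps:2 * bps + len(root)] = root                   # sector 2: root directory
    prog = bytearray(b"\xB8\x00\x4C\xCD\x21".ljust(600, b"\x90"))  # mov ax,4C00h / int 21h, NOP-padded
    prog[580:592] = DEMO_SIG
    img[3 * bps:4 * bps], img[5 * bps:5 * bps + 88] = prog[:512], prog[512:]  # clusters 2, 4 -> sectors 3, 5
    img[4 * bps:4 * bps + 20] = b"hello from cluster 3"       # cluster 3 -> sector 4
    return img

if __name__ == "__main__":
    image = build_demo_image()
    layout = parse_bpb(image)
    for entry in root_dir_entries(image, layout):
        print(entry.name, file_sectors(image, layout, entry), allocation_consistent(image, layout, entry))
    print("signature hits:", scan_image(image, DEMO_SIG))
```

Running it lists PROG.COM at sectors [3, 5] and README.TXT at sector [4], both allocation-consistent, and reports PROG.COM as the only signature hit; swapping build_demo_image for a sector-dump of a real diskette image is the only change needed to walk one.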

PHYS169@csc.canterbury.ac.nz (Mark Aitchison, U of Canty; Physics) (06/11/91)

ACDFINN@vm.uoguelph.ca (Finnegan Southey) writes:
>       In regards to the problem of anti-viral programs infecting files
> they scan when a memory-resident virus is present: Wouldn't it be
> possible to read disks sector by sector instead of opening files
> through DOS calls?

Yes, you can do that, and there could be other advantages too:
(a) potentially faster execution (if you are doing a whole diskette, you can
    organise things to reduce head movement), and
(b) bypass some viruses, which intercept int 21 or int 13.

There are some limitations, basically involving incompatibility with
some network software, RAM drives, etc., but quite a good idea for most
purposes.  The latest version of my CHECKOUT program uses this;
earlier versions didn't check files - just the boot sector - but used
int 40 instead of int 13 for similar reasons.

Ultimately, anti-virus software is going to directly access the disk
controller (or possibly do far calls to the BIOS), to be certain of
avoiding smart viruses, and relying on DOS will be unthinkable (as it
*should* be now).

This leads me to a thought... suppose a virus-removal program gets rid
of the virus from disk, but the infected sectors still exist in (say)
an Extended memory cache system. Has anyone guarded against this?

Mark Aitchison, Physics, University of Canterbury, New Zealand.

vail@tegra.com (Johnathan Vail) (06/18/91)

ACDFINN@vm.uoguelph.ca (Finnegan Southey) writes:

	 In regards to the problem of anti-viral programs infecting files
   they scan when a memory-resident virus is present: Wouldn't it be
   possible to read disks sector by sector instead of opening files
   through DOS calls?  This reading would be much the same as a disk
   editor program.  The scanner could consult directory listings to find
   program boundaries and then check appropriate areas without opening
   the files as a file?  As I'm not an MS-DOS expert I'm not sure if this
   makes sense, but I thought I'd ask.

Good question, but: wouldn't it be possible for the stealthy virus to
trap the sector I/O and "fix" it to also hide its tracks?

Hardware level I/O is about the only way to go for this and then you
still have to be careful on a 386 where the MMU can trap hardware
accesses.

jv


"Always Mount a Scratch Monkey"
 _____
|     | Johnathan Vail | n1dxg@tegra.com
|Tegra| (508) 663-7435 | N1DXG@448.625-(WorldNet)
 -----  jv@n1dxg.ampr.org {...sun!sunne ..uunet}!tegra!vail

frisk@rhi.hi.is (Fridrik Skulason) (06/19/91)

>Good question, but: wouldn't it be possible for the stealthy virus to
>trap the sector I/O and "fix" it to also hide its tracks?

Not only possible - it has already been done.  At least one virus,
simply known as INT13 does just this.

-frisk