cpreston@Sun.COM (10/27/89)
In VIRUS-L #222 David Gursky wrote concerning an earlier posting that "a strategy that relied solely on a scanner application would not be a strong defense against electronic vandalism." This is because "you must remember to periodically scan the disk."

I believe Mr. Gursky is quite correct about not relying solely on a scanning program. While I was mainly relying on the technical sophistication of VIRUS-L readers to know that, I did mention qualifiers such as "very useful part of an anti-virus program."

Actually, there are programs for the Macintosh (SAM, Virex) that can be set to check each floppy disk each time it is inserted. Or a "log-on" or "log-off" batch file could be used for other machines to run the scanning program against all the hard disk files. Even if that were done, it would still not be adequate protection against viruses, even on microcomputers, since it can be effective only against known viruses.

My point about "How good are scanning programs" is mainly that if the program uses well-chosen search strings it can be more effective than I, at least, initially expected. Several scanning programs for the Macintosh relied only on resource names (resources include program code on the Mac). These resource names, such as nVIR, are very easily and quickly changed to hPat or anything else, completely defeating the scanning program.

I always urge clients to use additional detection and prevention, and am somewhat frustrated that some of them feel that scanning programs will protect them.

Charles M. Preston                MCI Mail 214-1369
Information Integrity             BIX cpreston
Box 240027                        907-344-5164
Anchorage, AK 99524
AWOODHULL@hamp.hampshire.edu (Al Woodhull) (06/18/91)
> The only "test target" that can be used is the entirety of a virus,
> and at that point you no longer have a "simulator", you have the real
> thing.  -- Fritz Schneider

I have only had serious problems with two viruses, Yankee Doodle and Jerusalem. For each of these I took a file that was infected from my "zoo" disk, and appended it to a small program that prints a message and exits. I saved the hybrid files as executables. (I did all of this with DEBUG). The new files contain all of the infected code and so are good test targets, but since there is no way to execute the infected code it is essentially just a block of data. There is no need to worry about someone else using my computer wondering "I wonder what that program does?"

-- Al
awoodhull@hampvms.bitnet
CHESS@YKTVMV.BITNET (David.M.Chess) (06/18/91)
>Date: Mon, 17 Jun 91 13:05:00 -0400
>From: Al Woodhull <AWOODHULL@hamp.hampshire.edu>
>The new files contain all of the infected code and so are
>good test targets, but since there is no way to execute the infected
>code it is essentially just a block of data.

They aren't necessarily good test targets. "Bulk" scanners (like IBM's), that look through every byte of every file for patterns, will identify them as infected, but scanners that look at, for instance, specific areas based on the file's entrypoint will not see them as infected, even if they work fine on actually-infected files. I believe Alan Solomon's Anti-Virus Toolkit (I may have the name wrong) is of the latter kind, for instance. So if a scanner doesn't see those files as infected, it doesn't necessarily mean that it wouldn't see a normally-infected file as such...

DC
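The distinction Chess draws (bulk scanning of every byte versus scanning only near the entry point) can be shown with a small model. This is an added example, not code from any poster or from the scanners named in the thread: the search string, the .COM-style stub and the "normally infected" layout (first three bytes replaced by a JMP to an appended body) are all constructed here, and the entry-point scanner that follows a near JMP is an assumption about how such a scanner works, not a description of Solomon's toolkit.

```python
import struct

# Constructed placeholder standing in for a scanner's search string; not a real virus pattern.
SIGNATURE = b"<placeholder-virus-pattern>"

# Constructed .COM-style stub (entry point at offset 0): DOS print-string
# call, DOS exit call, then the message text. It never jumps anywhere.
STUB = (b"\xb4\x09\xba\x0b\x01\xcd\x21\xb4\x4c\xcd\x21"
        + b"Test stub: prints this message and exits.$")
COM_ENTRY = 0  # a .COM image starts executing at its first byte

def bulk_scan(image, signature=SIGNATURE):
    """'Bulk' scanner: look through every byte of the file for the pattern."""
    return signature in image

def entrypoint_scan(image, entry=COM_ENTRY, signature=SIGNATURE, window=32):
    """Entry-point scanner (assumed model): look only at a window at the entry
    point and, if the entry is a near JMP (E9 rel16), a window at the target."""
    regions = [image[entry:entry + window]]
    if len(image) >= entry + 3 and image[entry] == 0xE9:
        rel = struct.unpack_from("<h", image, entry + 1)[0]
        target = entry + 3 + rel
        if 0 <= target < len(image):
            regions.append(image[target:target + window])
    return any(signature in region for region in regions)

def make_test_target(stub, infected_bytes):
    """Woodhull's construction: infected bytes appended after a stub that
    prints and exits, with nothing transferring control to them."""
    return stub + infected_bytes

def model_normally_infected_com(host, viral_bytes):
    """Constructed layout model of a normally-infected .COM, for comparison
    only: body appended, first three host bytes replaced by a JMP to it, so
    an entry-point scanner that follows the JMP lands on the body."""
    body = host[:3] + viral_bytes
    return b"\xe9" + struct.pack("<h", len(host) - 3) + host[3:] + body

def compare(image):
    """Return (bulk_result, entrypoint_result) for one image."""
    return bulk_scan(image), entrypoint_scan(image)

if __name__ == "__main__":
    target = make_test_target(STUB, SIGNATURE)
    infected = model_normally_infected_com(STUB, SIGNATURE)
    print("appended test target :", compare(target))    # (True, False)
    print("normally infected    :", compare(infected))  # (True, True)
```

The appended test target is flagged only by the bulk scanner, while the JMP-patched layout is flagged by both, which is exactly why a miss on Woodhull's hybrid files says nothing about the scanner's behaviour on a real infection.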