padgett%tccslr.dnet@mmc.com (A. Padgett Peterson) (06/11/91)
Last week I had occasion to disinfect another large network with the Jerusalem (not ours - an outside company). The traditional response is to take down the net, clean the server, and check all of the clients before reconnection. On reflection, this seemed inordinately inefficient so I came up with a new methodology which I offer for comment.

Note: this works for Jerusalem, Sunday, and non-stealth infections which infect an executable before allowing it to run - please be aware of this limitation up front.

The method was as follows:

a) take down net & clean server
b) remove non-essential applications
c) replace essential applications with a batch file that
   1) copies a clean self-check program from a write-locked directory
   2) runs the self-check program
   3) runs the requested application

In this case I had such a self-check program (1400 bytes) that just checks its own length & checksum. If it passes, the program exits; if it fails, the client machine displays a warning message and is locked up. In this manner, the server application files are protected from infection (are never called by an infected client). Each client gets a new copy of the "goat" file so clean clients are not affected, and infected clients are identified.

Admittedly, this is a special case and directed to a small number of viruses, but they seem to be the most common.

Comments ?

Warmly, Padgett
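The self-check ("goat") program described in the post above, written out as an added example; this is not Padgett's 1400-byte program and the names (checksum16, check_file, GOAT_EXPECTED_LEN, GOAT_EXPECTED_SUM, write_constructed_sample) and the expected values are assumptions. The batch file in step c) would copy this program from the write-locked directory, run it, and only continue to the real application if it exits cleanly. Because Jerusalem-style infectors append themselves to the executable, either the length or the checksum (usually both) changes, and the goat refuses to exit normally.

```c
/* Added example: a minimal self-checking "goat" that verifies its own
 * on-disk length and checksum before a wrapper batch file launches the
 * real application. Not the original poster's program. */
#include <stdio.h>

/* Expected values for the clean copy. A program cannot know its own
 * checksum at compile time, so in practice these are patched into the
 * built binary; the numbers here are placeholders (assumption). */
#define GOAT_EXPECTED_LEN  1400L
#define GOAT_EXPECTED_SUM  0x1234u

/* Additive 16-bit checksum over a buffer. An appending infector changes
 * the length and, with overwhelming likelihood, this sum as well. */
unsigned checksum16(const unsigned char *buf, size_t n) {
    unsigned sum = 0;
    for (size_t i = 0; i < n; i++)
        sum = (sum + buf[i]) & 0xFFFFu;
    return sum;
}

/* Returns 1 if the file at `path` is exactly `expected_len` bytes long
 * and has checksum `expected_sum`; 0 otherwise, including when the file
 * cannot be opened (treat "cannot verify" as "fail"). */
int check_file(const char *path, long expected_len, unsigned expected_sum) {
    FILE *f = fopen(path, "rb");
    if (!f) return 0;
    unsigned char buf[4096];
    long total = 0;
    unsigned sum = 0;
    size_t n;
    while ((n = fread(buf, 1, sizeof buf, f)) > 0) {
        total += (long)n;
        /* addition is associative, so chunk sums fold into the whole */
        sum = (sum + checksum16(buf, n)) & 0xFFFFu;
    }
    fclose(f);
    return total == expected_len && sum == expected_sum;
}

/* Writes a constructed 5-byte sample file (for demonstration only) and
 * returns the checksum a clean copy of it should have: 1+2+3+250+250. */
unsigned write_constructed_sample(const char *path) {
    static const unsigned char data[] = {1, 2, 3, 250, 250};
    FILE *f = fopen(path, "wb");
    if (!f) return 0;
    fwrite(data, 1, sizeof data, f);
    fclose(f);
    return checksum16(data, sizeof data);  /* 506 */
}

int main(int argc, char **argv) {
    /* argv[0] is the path the batch file launched us from (the fresh
     * copy taken from the write-locked directory). */
    const char *self = argc > 0 ? argv[0] : "GOAT.EXE";
    if (check_file(self, GOAT_EXPECTED_LEN, GOAT_EXPECTED_SUM))
        return 0;  /* clean: the batch file goes on to run the application */
    fputs("WARNING: this workstation appears to be infected. "
          "Do not continue; contact the administrator.\n", stderr);
    for (;;) { /* lock the client up, as the original goat did */ }
}
```

Usage in the wrapper is `COPY X:\LOCKED\GOAT.EXE C:\GOAT.EXE`, then `C:\GOAT.EXE`, then the application; on a clean client the goat returns immediately and the batch file continues. Note that the check covers only the goat itself, which is exactly the point: a resident infector that hooks program loads has already modified the goat by the time it runs, so the goat is the canary, not the application.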
p1@arkham.wimsey.bc.ca (Rob Slade) (06/15/91)
padgett%tccslr.dnet@mmc.com (A. Padgett Peterson) writes:

> In this case I had such a self-check program (1400 bytes) that just
> checks its own length & checksum. If it passes, the program exits, if
> it fails, the client machine displays a warning message and is locked
> up. In this manner, the server application files are protected from
> infection (are never called by an infected client). Each client gets a
> new copy of the "goat" file so clean clients are not affected, and
> infected clients are identified.

I have been reviewing a product from Bangkok called Victor Charlie that takes a similar approach. An intriguing concept. I hope to be able to release the review shortly.

=============
Vancouver         p1@arkham.wimsey.bc.ca    | "If you do buy a
Institute for     Robert_Slade@mtsg.sfu.ca  |  computer, don't
Research into     (SUZY) INtegrity          |  turn it on."
User                                        |   Richards' 2nd Law
Security          Canada V7K 2G6            |   of Data Security