ERCN53@emas-a.edinburgh.ac.uk (K.Stevenson) (05/27/91)
Just read an interesting ad in Personal Computer Magazine, April 1991 VNU 404, page 135. It seems that most of us can now sleep easy if the claim made in this advert is true - what will all you EXPERTS do ?!

Before I pass the details to you please note my disclaimer that I do NOT represent this company in any way and views are my own etc etc

Ok what's all the fuss about then ...

Vaccine anti-virus system - "Vaccine is virus-non specific detection software. It uses cryptographic checksums to monitor the state of executables on a PC or file-server. Any change, however caused will be detected. Since Vaccine does not need to know about particular viruses in order to detect them, it is future proof. Once installed, Vaccine will detect all viruses, past, present and future."

Various other details follow on price etc

This product is sold by S|O|P|H|O|S of England

Well - this should cut down the e-mail to Virus-L if we can ALL afford it!

Comments welcome ! (and I can't imagine that there won't be some)

Kenny Stevenson
Edinburgh Uni Comp Service
ercn53@uk.ac.ed.ercvax
padgett%tccslr.dnet@mmc.com (A. Padgett Peterson) (05/29/91)
>From: "K.Stevenson" <ERCN53@emas-a.edinburgh.ac.uk>

>It uses cryptographic checksums to monitor the state of
>executables on a PC or file-server. Any change, however caused will
>be detected. Since Vaccine does not need to know about particular
>viruses in order to detect them, it is future proof. Once installed,
>Vaccine will detect all viruses, past, present and future."

Question: when does it go resident ? If from CONFIG or later, you know my opinion.

Comment: 4096, EDV, INT13, Zenith 158 & 159

>From: john.blakeney@f1701.n713.z3.fido.oz.au (John Blakeney)
>Subject: Virus detection via crcs

>(crc) check is only effective way of looking for viral activity unless
>search strings are known for the viruses listed in letters. there is
>no known virus (to my knowledge) which does not alter crc check.

See above, a vital element in a good integrity management system, but not the only element.
RADAI@HUJIVMS.BITNET (Y. Radai) (05/30/91)
Kenny Stevenson writes:
>Just read an interesting ad in Personal Computer Magazine, April 1991
>VNU 404, page 135. It seems that most of us can now sleep easy if the
>claim made in this advert is true - what will all you EXPERTS do ?!
>.....
>Vaccine anti-virus system - "Vaccine is virus-non specific detection
>software. It uses cryptographic checksums to monitor the state of
>executables on a PC or file-server. Any change, however caused will
>be detected. Since Vaccine does not need to know about particular
>viruses in order to detect them, it is future proof. Once installed,
>Vaccine will detect all viruses, past, present and future."
>.....
>Comments welcome ! (and I can't imagine that there won't be some)

There is absolutely nothing new in this ad. There are zillions of checksum programs for the PC which claim to do the very same thing. However, there are three things to note:

(1) They cannot distinguish between an actual viral infection and (say) replacement of an old version of a program by a new one; this is left to the user to decide.
(2) The vast majority of such programs cannot really catch *all* infections because DOS has loopholes which the authors of these programs are unaware of.
(3) This method only *detects* infections after they have occurred; it does not prevent or remove them, so there's still a wee bit left for the "experts" to do.

Actually, there is one such program, V-Analyst, which goes a long way toward solving all three problems:

(1) It can distinguish between the above two situations in *most* cases.
(2) It checks for three loopholes and takes the necessary measures.
(3) It contains a *generic disinfector* which, when a modification is detected, will attempt to restore the file to its original condition. If the modification is due to a virus, it can do this in the great majority of cases (regardless of whether the virus is known or unknown). Moreover, there is never any danger of its performing an incorrect restoration.

(Features (1) and (3) are available only in the new version 3.0, not yet officially released.) I'm willing to bet that Vaccine doesn't come anywhere near this.

Padgett Peterson to Kenny::
>Question: when does it go resident ? If from CONFIG or later, you know
> my opinion.

Answer: Who says a checksum program has to go resident at all?? Most checksum programs I know of (incl. Vaccine and V-Analyst) can (or must) be run without going resident.

Y. Radai
Hebrew Univ. of Jerusalem, Israel
RADAI@HUJIVMS.BITNET
RADAI@VMS.HUJI.AC.IL
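An added example, not part of any post in this thread and not code from Vaccine or V-Analyst: a minimal change detector of the kind the ad describes, showing what such a tool can and cannot report. HMAC-SHA256 stands in for the ad's unspecified "cryptographic checksum"; the key, file names and file contents are constructed for the demo.

```python
import hashlib
import hmac
import os
import tempfile

EXEC_EXTS = {".com", ".exe"}  # the thread's COM/EXE targets

def checksum(path, key):
    """Keyed checksum (HMAC-SHA256) of one file, read in chunks."""
    mac = hmac.new(key, digestmod=hashlib.sha256)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            mac.update(chunk)
    return mac.hexdigest()

def snapshot(root, key):
    """Map relative path -> checksum for every executable under root."""
    found = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() in EXEC_EXTS:
                full = os.path.join(dirpath, name)
                found[os.path.relpath(full, root)] = checksum(full, key)
    return found

def compare(baseline, current):
    """Report what differs; whether it is a virus is left to the user."""
    both = set(baseline) & set(current)
    return {
        "changed": sorted(p for p in both
                          if not hmac.compare_digest(baseline[p], current[p])),
        "new": sorted(set(current) - set(baseline)),
        "missing": sorted(set(baseline) - set(current)),
    }

def demo():
    key = b"constructed-demo-key"  # assumption: kept off the monitored disk
    with tempfile.TemporaryDirectory() as root:
        def write(name, data):
            with open(os.path.join(root, name), "wb") as f:
                f.write(data)
        write("EDIT.COM", b"\x90" * 64)          # constructed sample files
        write("FORMAT.EXE", b"MZ" + bytes(62))
        baseline = snapshot(root, key)
        write("EDIT.COM", b"\x90" * 64 + b"appended")  # infection or upgrade?
        write("NEWTOOL.EXE", b"MZ new program")
        os.remove(os.path.join(root, "FORMAT.EXE"))
        return compare(baseline, snapshot(root, key))

if __name__ == "__main__": print(demo())
```

The report lists a changed, a new and a missing executable but, as in point (1) of the post above, says nothing about why each one differs. The result is only meaningful when the check runs from a known-clean boot with the baseline and key stored where the monitored system cannot rewrite them.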
padgett%tccslr.dnet@mmc.com (A. Padgett Peterson) (05/31/91)
>From: Y. Radai <RADAI@HUJIVMS.BITNET>

>There is absolutely nothing new in this ad.

Exactikalaly.

> Padgett Peterson to Kenny::
>>Question: when does it go resident ? If from CONFIG or later, you know
>> my opinion.
>Answer: Who says a checksum program has to go resident at all?? Most
>checksum programs I know of (incl. Vaccine and V-Analyst) can (or
>must) be run without going resident.

Well some form of integrity checking must go resident, even if it is just smart enough to call the checksum program. Otherwise, what is going to identify that a program is new or changed? (you could handle "changed" with a zillion little .BAT files but new ?) Since you do not want to add to the pilot's workload, it must be automatic therefore resident.

Further, in order to handle the undocumented DOS "features" and Windows/Novell/etc interactions, it needs to go resident (at least the disk handler) before DOS loads e.g. from the BIOS.

Considering performance, while it would be possible to call the main routine from disk (most good anti-viral routines now permit code swapping for systems with limited free DOS RAM), it is better to keep the necessary elements available. Since new memory systems (DR-DOS, MS-DOS 5.0, QEMM) can provide up to 637k free with 121k of TSRs loaded "high" on my home machine, in the future, 10-20k of integrity management should not be a problem (incidentally, the 19k check-summing routine I use is in high memory so on my PC the only loss to DOS is 1k of the BIOS-level stuff: have 636k of free RAM under 640k). The delay in checking each program/disk access is unnoticeable to the user. (Norton reports SI 27.1 / DI 9.1 on a non-cached 25 mhz 386, ST-251-1/SMARTDRV combo)

Point is, anyone who says the above can't be done is nuts.

Warmly,
Padgett

ps My wife has no idea any of the above is there when she writes a letter, she just turns the PC on & goes.
ccml@hippo.ru.ac.za (Mike Lawrie) (06/01/91)
RADAI@HUJIVMS.BITNET (Y. Radai) writes:
> Kenny Stevenson writes:
>>Vaccine anti-virus system - "Vaccine is virus-non specific detection
>>software. It uses cryptographic checksums to monitor the state of
>>executables on a PC or file-server. Any change, however caused will
>>be detected. Since Vaccine does not need to know about particular
>>viruses in order to detect them, it is future proof. Once installed,
>>Vaccine will detect all viruses, past, present and future."

>There is absolutely nothing new in this ad. There are zillions of
>checksum programs for the PC which claim to do the very same thing.

They don't cater for this scenario:-

1. Somehow infect the RAM of your PC with a COM/EXE targeting virus, such as Plastique (eg run an infected program from a floppy, or from a network).

2. Run SCAN on your hard disk - this does a DOS open on all COM/EXE files on your hard disk, and thus infects each and every such file _after_ SCAN has pronounced them virus-free

3. You end up with every COM/EXE file on your disk having to be reloaded, but you believe otherwise until you find out the bitter truth

4. You treat checksum checking programs with utter disgust, because they fooled you into believing that you had protection.

Don't say that it cannot happen, it DID.

Mike

--
Mike Lawrie
Director Computing Services, Rhodes University, South Africa
<ccml@hippo.ru.ac.za>
Rhodes University condemns racism and racial segregation
p1@arkham.wimsey.bc.ca (Rob Slade) (06/06/91)
I am not quite sure what ccml@hippo.ru.ac.za (Mike Lawrie) writes:

in response to

> RADAI@HUJIVMS.BITNET (Y. Radai) writes:

and

> > Kenny Stevenson writes:
> >>Vaccine anti-virus system - "Vaccine is virus-non specific detection
> >>software. It uses cryptographic checksums to monitor the state of
>
> >There is absolutely nothing new in this ad. There are zillions of
> >checksum programs for the PC which claim to do the very same thing.
>
> They don't cater for this scenario:-
>
> 1. Somehow infect the RAM of your PC with a COM/EXE targeting
> virus, such as Plastique (eg run an infected program from a
> floppy, or from a network).
>
> 2. Run SCAN on your hard disk - this does a DOS open on all COM/EXE
> files on your hard disk, and thus infects each and every such
> file _after_ SCAN has pronounced them virus-free

SCAN is not a checksum/image/change detection program, but a scanner, which looks for specific known code sequences from known viral programs. (A further point of Mike's posting seemed to indicate that he thought SCAN was a checksum program.)

However, Mike's posting also seems to indicate that he feels that Sophos' Vaccine program, because it checks for changes in the program, will not be subject to the phenomenon he describes. (At least that was my reading, my apologies if that was not your intent.) Unfortunately, any antiviral program which examines programs, either for virus signatures or in order to calculate an "image" check, will open all the programs it examines, and therefore opens the possibility of that same happening.

=============
Vancouver      p1@arkham.wimsey.bc.ca   | "If you do buy a
Institute for  Robert_Slade@mtsg.sfu.ca |  computer, don't
Research into  (SUZY) INtegrity         |  turn it on."
User           Canada V7K 2G6           | Richards' 2nd Law
Security                                | of Data Security