padgett%tccslr.dnet@uvs1.orl.mmc.com (A. Padgett Peterson) (06/05/91)
>From: ccml@hippo.ru.ac.za (Mike Lawrie)

>They don't cater for this scenario:-
>2. Run SCAN on your hard disk - this does a DOS open on all COM/EXE
>   files on your hard disk, and thus infects each and every such
>   file _after_ SCAN has pronounced them virus-free
>4. You treat checksum checking programs with utter disgust, because
>   they fooled you into believing that you had protection.

This comes under the heading of jumping-off-the-high-board-without-looking-to-see-if-there-is-any-water-in-the-pool <whew>.

I am not familiar with all virus scanners, but for some time SCAN has checked for such dangerous viruses in memory right after it checks itself for integrity.

This checking has two other switches available: /NOMEM will tell SCAN to proceed without checking memory and the scenario described will result. Unless instructed properly, people often use this switch to speed up the scanning process. SCAN also provides the /M switch which tells it to check memory for every known (to SCAN) virus. V77 also has a switch to check "high" memory but since I do not have any viruses that inhabit that region, I have not used it.

Point is that as several of us have said before, checksum validation of programs is an important part of integrity management, but first you must be able to trust the system else checksums can be unreliable *and through no fault of the checksum routine* <wish we had italics>.

Trust is something that must be built up step by step and checksumming falls somewhere in the middle. Lacking a firm foundation, it cannot endure.

Warmly,
Padgett