[comp.virus] Into the 1990's

padgett.tccslr.dnet@mmc.com (Padgett Peterson) (05/13/91)

First I would like to offer an apology to Ross Greenberg (Flu-Shot)
and Fridrik Skulasson (F-Prot). You can count on your fingers the
number of people who have made real contributions to the anti-viral
scene and these are two of them. My choice of words ("You get what you
pay for") in the circumstances was unfortunate.

At the same time, I constantly deal with more and more users of PCs
who couldn't care less what kind of platform they are dealing with, all
they are interested in is their spreadsheet/publications/
communications capability. These people are not interested in which
strain of the 4096 they have been infected with, their concern is that
the machine is operating properly and without any hidden "extras".

Consequently, those techniques that were developed when mere ownership
of a PC qualified one as a "hacker" (in the original sense), are more
suited to the technicians who are paid to understand the architecture.
What the user needs to know is that SOMETHING has happened and that a
technician is needed to interpret WHAT - whether it be a problem caused
by power supply (I see a lot of these), drive, ICs, or malicious
software.

Today, viruses seem to account for on the order of 10-20% of the
trouble calls I get. They are significant enough to warrant avoidance
measures, but not anything to panic about.

The fact of the matter is that today EVERY "common" virus allocates
resources to itself, most in obvious manners, and all are detectable
to the user/program that bothers to look. Trojans & logic bombs as
well as simple failures are another matter entirely but protection is
possible (just not as "glamorous").

Since the PC (and MAC) have only rudimentary integrity checking built
in, the first order of business should be to add-on some additional
measures to ensure the validity of the machine. Because problems
(including malicious software) can begin at the BIOS level, so must
integrity checking.

The real point I have been trying to make for some time is that such
checking IS NOT DIFFICULT, orders of magnitude less than what it takes
to write a good word processor, it just has not been done yet.

There are some guidelines and dead ends to be avoided: for example
McAfee's SCAN /AV adds ten bytes of authentication to each program
that can be retrieved by the resident VSHIELD program. Enigma-Logic's
Virus-Safe stores the checksums in a single separate data file. Either
is to be preferred to Norton's Anti-Virus method which reportedly
creates a 77 byte file for each executable since given a disk like
mine with 1100 executables and 2k clusters, this would take up over 2
Mb for those 77 byte files. With an 8k cluster size such as I have
seen on many machines, we would be talking almost 9 Mb (each file
takes up at least one cluster). Few users could afford this.

Consequently, IMHO the first priority should be given to a resident
integrity checking package designed for the single user system that
uses authenticated data paths to each peripheral, and adds the program
validation and permission process that exists on mainframes. The major
difference would be that instead of user privileges we would have a
set of program privileges on record.

In this way, if a program were permitted to go resident, this
attribute would be recorded and the location, hooked vectors, size,
and memory checksum would be kept on file. Similarly, a self modifying
program such as WordPerfect would be permitted to do so, but only to
its own executables.

I also believe that in the near future, signature scanning programs
will be limited to the technicians, researchers, and hobbyists who
need such sophisticated tools, and will not be in general use by the
average user.
					Comments welcome,
                                                         Padgett
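Below, as an added illustration that is not part of Padgett's post or of any product he names, is a small Python sketch of the two design points above: one checksum data file covering every executable (rather than a sidecar file per program, which costs a cluster apiece), and a record of program privileges consulted when a file changes, so that a self-modifying program is permitted to alter only its own executables. The directory layout, file names, privilege format and the "which program wrote this file" record are all constructed for the example; the last of these stands in for what a resident monitor would log.

```python
"""Baseline integrity checker with per-program write privileges.

Added example, not code from the original post or from any product it
names.  Digests of every executable under a root go into ONE data file;
a change is classed as 'permitted' only if the program observed writing
the file holds a privilege covering that file.
"""
import fnmatch
import hashlib
import json
import tempfile
from pathlib import Path

EXE_SUFFIXES = (".exe", ".com", ".sys", ".ovl")


def file_digest(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large executables are not loaded whole."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """One record (size, digest) per executable, keyed by path relative to root.
    Kept in a single dict written as a single file, so the database costs one
    cluster rather than one cluster per program."""
    base = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and p.suffix.lower() in EXE_SUFFIXES:
            base[p.relative_to(root).as_posix()] = {
                "size": p.stat().st_size,
                "sha256": file_digest(p),
            }
    return base


def save_baseline(base: dict, dbfile: Path) -> None:
    dbfile.write_text(json.dumps(base, indent=1, sort_keys=True))


def load_baseline(dbfile: Path) -> dict:
    return json.loads(dbfile.read_text())


def may_modify(privileges: dict, program: str, target: str) -> bool:
    """Program-privilege check.  Hypothetical format: program -> list of glob
    patterns it may write, e.g. {"wp/wp.exe": ["wp/*.exe", "wp/*.ovl"]}."""
    return any(fnmatch.fnmatch(target, pat) for pat in privileges.get(program, ()))


def check(root: Path, base: dict, privileges: dict, writers: dict) -> dict:
    """Compare the tree with the baseline.  'writers' maps a changed file to the
    program seen writing it (constructed here; a resident monitor would supply it).
    Returns file -> 'ok' | 'permitted' | 'violation' | 'missing' | 'new'."""
    verdicts = {}
    current = build_baseline(root)
    for rel, rec in base.items():
        if rel not in current:
            verdicts[rel] = "missing"
        elif current[rel] == rec:
            verdicts[rel] = "ok"
        elif may_modify(privileges, writers.get(rel, ""), rel):
            verdicts[rel] = "permitted"
        else:
            verdicts[rel] = "violation"
    for rel in current:
        if rel not in base:
            verdicts[rel] = "new"
    return verdicts


def demo() -> dict:
    """Constructed scenario: the word processor rewrites its own executable
    (permitted), something appends to COMMAND.COM (violation), a new .COM
    appears (new).  Non-executables are ignored entirely."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "wp").mkdir()
        (root / "wp" / "wp.exe").write_bytes(b"MZ" + b"\x00" * 100)
        (root / "command.com").write_bytes(b"\xe9" + b"\x90" * 50)
        (root / "readme.txt").write_bytes(b"not an executable")
        db = root / "integrity.dat"
        save_baseline(build_baseline(root), db)

        privileges = {"wp/wp.exe": ["wp/*.exe", "wp/*.ovl"]}

        # Changes made after the baseline was taken.
        (root / "wp" / "wp.exe").write_bytes(b"MZ" + b"\x01" * 100)  # WP saving its own settings
        with (root / "command.com").open("ab") as f:
            f.write(b"\xcc" * 1024)  # unauthorized growth of a system file
        (root / "new.com").write_bytes(b"\xeb\xfe")
        writers = {"wp/wp.exe": "wp/wp.exe", "command.com": "wp/wp.exe"}

        return check(root, load_baseline(db), privileges, writers)


if __name__ == "__main__":
    for name, verdict in sorted(demo().items()):
        print(f"{verdict:10} {name}")
```

The verdict for COMMAND.COM is a violation even though the writer is a program that holds privileges, because its privileges cover only its own directory; that is the "only to its own executables" rule in the post.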

c-rossgr@uunet.uu.net (05/15/91)

>From:    Padgett Peterson <padgett.tccslr.dnet@mmc.com>
>
>First I would like to offer an apology to Ross Greenberg (Flu-Shot)
>and Fridrik Skulasson (F-Prot).

Most happily accepted, Padgett.  Sometimes we sorta forget there are
real people on either end of these silly tubes before us.  Sorry I was
a bit hasty in my response to you originally.

>communications capability. These people [end users] are not interested in which
>strain of the 4096 they have been infected with, their concern is that
>the machine is operating properly and without any hidden "extras".

Stop for a moment and consider what we're dealing with here: a
modified 4096 that was not released into the wild.  It was a "lab"
virus and scanners and monitors that are tuned to Version A might not
find/detect/stop some Version B until they, themselves, have been
modified.  One of the big problems we, as anti-virus vendors and
researchers, have is in getting these "lab" viruses to add to our
product/knowledge-base. (See below in my response to Dave Chess why
this is still important).

This does not mean, however, that you're wrong.

>What the user needs to know is that SOMETHING has happened and that a
>technician is needed to interpret WHAT - whether it be a problem caused
>by power supply (I see a lot of these), drive, ICs, or malicious
>software.

Yes, just as most people do not work on their own cars when the
problem is serious enough, but you're not really expected to call in
AAA when you have a flat tire -- you should fix it yourself.

I think the virus problem is growing.  I think the anti-virus
solutions are still in their infancy.  Code such as my FLU_SHOT+ was
initially designed to help out the more techie among us: the interface
is, certainly, not user friendly.  Newer code, such as my Virex-PC
(and, giving credit where credit is due, my worthy competitors from
Symantec and Central Point) is being constantly tweaked to make it not
only better anti-virus software, but easier to use anti-virus
software: the simple "Abort, Retry, Ignore" message is no longer
acceptable in a product.  Instead lots of time is spent in making the
product user friendly enough that the number of tech support calls
goes down to virtually zero.  There is considerable incentive in
making the product easy for *everyone* to use: the techie and
non-techie alike.

I don't see that a technician is going to be required for the more
"popular" problems: they must be dealt with eventually if for no other
reason than that tech support calls are very expensive.

A new and hidden strain of a virus hasn't reached that category yet,
obviously.

>Today, viruses seem to account for on the order of 10-20% of the
>trouble calls I get. They are significant enough to warrant avoidance
>measures, but not anything to panic about.

*This* is what the news media should be reporting.  It's not something
to panic over, true, but that's an *amazing* percentage of trouble
calls due to viruses.  Think of the cost to business today when their
copy of a program doesn't work and they call up tech support because
of the problem!

>The real point I have been trying to make for some time is that such
>[integrity] checking IS NOT DIFFICULT, orders of magnitude less
>than what it takes to write a good word processor, it just has not
>been done yet.

You mentioned a few products and their methods, so it's obvious that
this integrity checking *IS* being done (FLU_SHOT+ has had integrity
checking on program run for about three years, I guess).  Now, is this
integrity checking being done *properly*?  Interesting question and
one that only the marketplace can answer by what they select for their
purchase (or freeware usage).  Something like the example you gave of
Norton's potential 9Mb overhead is ridiculous (not the example, but
the instance!).  That shows a considerable lack of understanding
about the market. Wanna bet that the next release of the code does
things differently?  If not, it'll probably be a dead product.

Your subsequent points (not quoted herein) are good ones.  Resident
integrity checking, and access control, is a worthy goal of any of the
anti-virus products. However, remember that it can and *will* be
circumvented the first time somebody boots off a floppy.  Signature
checking, integrity checking, whatever: none of them can slap the
wrist of somebody who boots off an infected disk with stealthing
viruses on it, combined with people who really think that extra five
seconds (or whatever) on a memory scan is too much "wasted" time.

That's why the anti-virus code out there has to do more than simple
integrity checking.

>					Comments welcome,
>                                                         Padgett

Okey doke: who do I send them to? :-)

Ross M. Greenberg
 Author, Virex-PC & FLU_SHOT+