DAVE@GERGA.TAMU.EDU (Dave Martin) (04/25/91)
The report on GateKeeper 1.2 made me start wondering about how viruses would behave under System 7.0 (one of the feature points said that GK1.2 had better compatibility with Sys7, adding that users & viruses shouldn't notice any differences). Has anyone experienced a virus under System 7.0 (beta, FC, etc.), and if so, did they behave any differently? Are any of them completely incompatible in that they simply crash the machine when they try to do their dirty work, or do they work just as they always have? Anyone looked at the code enough even to tell what they'd do?

Of course, compatibility of old viruses aside, I get this gut feeling that Sys7 will open the doors for more viruses, and make old ones spread more easily. How will SAM react to an infected file run from a FileShare folder? Or if someone puts a disk with WDEF into a drive while a shared folder is open? Will SAM or any of the other active detectors warn you when a virus tries to get in from the back door? Does the AppleEvent manager have any built-in precautions to prevent viri from sending events out to programs? Or from interfering with VM?

I know, lots of questions. Maybe they've been discussed before, I don't know -- just signed on a week or so ago. As semi-official manager of a small (~20) network, and someone who has had to clean Scores, nVir, & WDEF from most of them many times, I'm curious how much more trouble to expect from System 7.0.

Thanks.

Dave Martin, Geochemical & Environmental Research Group, Texas A&M University
DAVE@GERGA.TAMU.EDU
DAVE@DBM-GERG.TAMU.EDU
BROOKS@TAMVXOCN.BITNET
AOL: DBM
phaedrus@milton.u.washington.edu (Mark Phaedrus) (04/29/91)
DAVE@GERGA.TAMU.EDU (Dave Martin) writes:
>Of course, compatibility of old viruses aside, I get this gut feeling
>that Sys7 will open the doors for more viruses, and make old ones
>spread more easily. How will SAM react to an infected file run from a
>FileShare folder? Or if someone puts a disk with WDEF into a drive
>while a shared folder is open? Will SAM or any of the other active
>detectors warn you when a virus tries to get in from the back door?
>Does the AppleEvent manager have any built-in precautions to prevent
>viri from sending events out to programs? Or from interfering with VM?

I think all the hype over System 7 has caused a lot of people to have incorrect ideas about what System 7 is like. It does not magically change all the rules of Mac programming; in fact, based on my experience, it's more compatible with older software than System 6 was. It does add new features, but in almost all cases it adds them in a way that makes them very comparable to existing ones (just a heckuva lot easier to use).

FileShare, for instance, is almost exactly equivalent to AppleShare, but without the dedicated server. A program in a FileShare folder (virus-infected or not) appears the same way as a program in an AppleShare server folder, and viruses and virus-detection utilities should react to it in roughly the same way. Any virus detector worth its weight in RAM will check every resource file that's opened, no matter where it comes from. So FileShare shouldn't create any new problems there (except for the problem of uneducated users networking for the first time who don't realize the potential for infection, and without any AppleShare administrator to troubleshoot).

There's no "protection" code in AppleEvents, as far as I know, and the reason is simple; what good would it do? Sure, a virus could trigger spurious AppleEvents, but a virus under either System 6 or 7 can do things that are a heckuva lot worse: delete files, format disks, crash the system, etc.
Until code is added to make it impossible for a virus to do these things (which brings up the age-old problem: how to distinguish a virus from a legitimate request to delete a file, etc.?), it seems silly to try to throw in code to keep a virus from choosing Quit or whatever.

Finally, virtual memory is exactly the same as physical memory, only slower. About the only VM-specific nasty a virus could pull off would be to mess up or delete the virtual-memory storage file on the hard disk; this would crash the system, but again, as crashing the system is trivial under either System (the tricky thing to do is *avoid* crashing it... :) ), no new security holes are added here.

IMHO, System 7 will, if anything, make it a bit harder for viruses and Trojan horses to propagate, if only by cleaning up the System Folder a bit. How many of us would even notice if somebody slipped one more file into the morass of junk (whoops, vital System extensions) that all of us keep in there? By sorting things out into at least a few subgroups, the new System will make it easier to keep some sort of grasp of what's going on in there.

Internet: phaedrus@u.washington.edu (University of Washington, Seattle)
The views expressed here are not those of this station or its management.
"If you can keep your head while those about you are losing theirs, consider an exciting career as a guillotine operator!"