padgett%tccslr.dnet@uvs1.orl.mmc.com (Padgett Peterson) (03/22/91)
Note: 44 was the first posting received since 39. Apologies if something was missed in the middle.

>From: ***CURTIS*** <csg020@cck.coventry.ac.uk>
>Subject: Unknown virus help! (PC)

>Yesterday, I ran my virus checker from hard disk. It came up with the
>warning "Virus checker Infected. Do not use" So I ran the
>write-protected version I had on floppy, No viruses found.

Many times virus removal programs will pad the end of a program to an even boundary following disinfection since the original program size has been lost. This is usually noticed on .EXE files. If this happens to a quality anti-virus program, the internal validation routine will detect the change and flag the user such as Mr. Curtis noticed. I suspect that he will find that the file on his hard disk is now a few bytes longer than the original and if DEBUG (yes you can, rename) is used to remove the "extra" bytes, the program will execute normally.

- -----------------------------------------------------------------------

>From: CAH0@gte.com (Chuck Hoffman)
>Subject: Preformatted disks, flopticals, etc.

>Why can't the disks be formatted? Is the problem related to software or
>hardware, or both?

I was told this by people at both Brier and Insite. At the time I did not ask why but suspect that a consumer drive may not be able to properly detect "weak" sectors or that tracking correction information may be hard-coded at the factory. In the case of fixed disks, I have heard it both ways & suspect that it may depend on the drive/manufacturer (rumor has it that Packard-Bell is shipping a "special" version of Ontrack's DISK MANAGER {ver 4.01 ?} to customers reporting the MusicBug). The point I was trying to make was that a physically sound disk NEVER has to be "low-level formatted" just because a virus attacked it, but is often used as a substitute for proper training.
- ----------------------------------------------------------------------------

From: "Mark Aitchison, U of Canty; Physics" <PHYS169@csc.canterbury.ac.nz>
Subject: Re: PC MS-DOS vs BIOS protection (PC)

HOORAH ! An intelligent discussion (not that I agree with all of the concepts but at least Mr. Aitchison has done his homework).

>If DOS became the sort of standard that CPM or (better)
>Unix is, where all manner of incompatible hardware run the same o/s,
>then viruses would have a tough time spreading.

Unix is a very good platform but the O/S diversity requires that most imported files (from Ultrix to Sun say) must be recompiled from the source code to run properly. Few of the 80+ million DOS users have this kind of expertise available. The stability and ease of use that has made the IBM-PC so popular is also favorable for malicious software. (I live in Florida because I like the climate. Insects also like the climate. I do not support changing the climate to eliminate the bugs but do have very fine mesh window screens.)

>So a good anti-virus approach is going to consider the whole system:
>hardware, BIOS, DOS, applications and end-user education. That, I
>think, is a good idea, but you soon end up with something that looks
>nothing like the present PC (or Mac or whatever).

Not necessarily, at least not from the user or software level. I do not think that users would have a problem with a screen that popped up during installation or modification, and informed the user that something was going to happen and did he/she/it mind so long as it was not constant. For some time I have been using such a package and when installing a new program from 'leventy floppies received (and scanned) from a trusted vendor, just turn off the directory the installation is to be into from checking for the duration. Similarly, following a modification to WordStar, the next invocation pops a screen before loading informing me that it has changed and do I want the signature updated ?
A single keystroke returns everything to normalcy & I would be more disturbed if the screen did not appear. Admittedly, this is not a "normal" DOS function, but can be added without affecting performance or functionality. {am running everything including Prodigy from Windows on the 386KS (kitchen sink) with 120k of TSRs loaded high (QEMM/DOS 5.00) and 636k "free" (trade and service marks mentioned). Testing done by wife, son, and assorted cats}. Point is that it can be layered on to DOS effectively and transparently, without "expert" help, but needs more than just a simple program, (some assembly required). Would love to continue this discussion at your place, I hear New Zealand is beautiful.

- --------------------------------------------------------------------

Not sure if this is from Stan Pickthall or Robert Slade - app

> SCAN does have an "internal" self check, but if a
>"stealth" virus is active in memory, it will defeat any kind of
>integrity check.

NO ! It will not defeat "any kind of integrity check" though "stealth" will defeat SCAN's if the /nomem switch is in use (wish we had italics) While the "stealth" seen so far will defeat a program integrity check, it will NOT defeat a system integrity check (the six bytes). The fact that few anti-virus programs bother to check system integrity first does not mean that it can't be done or even that it is difficult. Even CHKDSK will reveal most "successful" anomalies when resident and "stealth" MUST be resident to work.

Padgett
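The self-check and padding scenario Padgett describes in his reply to Curtis, as an added example that is not code from this digest or from any of the programs named in it: a program records its own length and CRC32, a simulated disinfector rounds the file up to the next boundary because the original length was lost, the check reports the growth, and trimming back to the recorded length (the DEBUG step) restores a valid image while real tampering is refused. The record layout, the 16-byte boundary and the sample program bytes are constructed assumptions for the demonstration.

```python
import zlib
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class SelfCheck:
    """Constructed stand-in for the 'internal validation' record an
    anti-virus program keeps about its own image: length plus CRC32."""
    size: int
    crc32: int


def make_record(image: bytes) -> SelfCheck:
    return SelfCheck(len(image), zlib.crc32(image))


def validate(image: bytes, rec: SelfCheck) -> str:
    """Return 'ok', or a short reason the image no longer matches the record."""
    if len(image) != rec.size:
        return f"size changed: {len(image) - rec.size:+d} bytes"
    if zlib.crc32(image) != rec.crc32:
        return "content changed"
    return "ok"


def pad_to_boundary(image: bytes, boundary: int = 16) -> bytes:
    """Model the disinfector behaviour from the post: the original length is
    lost, so the file is rounded up to the next boundary with zero bytes.
    (A 16-byte boundary is an assumption chosen for the demonstration.)"""
    return image + b"\x00" * ((-len(image)) % boundary)


def strip_padding(image: bytes, rec: SelfCheck) -> Optional[bytes]:
    """The DEBUG step: trim back to the recorded length, accepting the result
    only if it is byte-for-byte the recorded program. None means the bytes
    that remain differ from the original, i.e. tampering rather than padding."""
    if len(image) < rec.size:
        return None
    candidate = image[:rec.size]
    return candidate if validate(candidate, rec) == "ok" else None


def demo() -> dict:
    program = b"MZ" + bytes(range(251))        # constructed 253-byte "program"
    rec = make_record(program)
    padded = pad_to_boundary(program)          # 256 bytes after "disinfection"
    tampered = bytes([0x90]) + padded[1:]      # first byte altered, not just padded
    return {
        "clean": validate(program, rec),                    # 'ok'
        "padded": validate(padded, rec),                    # 'size changed: +3 bytes'
        "restored": strip_padding(padded, rec) == program,  # True
        "tampered": strip_padding(tampered, rec),           # None
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:9}: {result}")
```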
frisk@rhi.hi.is (Fridrik Skulason) (03/27/91)
padgett%tccslr.dnet@uvs1.orl.mmc.com (Padgett Peterson) writes:

>> SCAN does have an "internal" self check, but if a "stealth" virus is
>>active in memory, it will defeat any kind of integrity check.
>
>NO ! It will not defeat "any kind of integrity check" though "stealth"
>will defeat SCAN's if the /nomem switch is in use (wish we had italics) While
>the "stealth" seen so far will defeat a program integrity check, it will NOT
>defeat a system integrity check (the six bytes).

I don't mean to be insulting, but I have said it before, and I will say it again: The six-byte check is no substitute for a full system integrity check! Although it will detect most viruses, it will NOT detect them all, in particular it will miss some "stealth" viruses, like the "Number of the Beast". The method will also miss viruses like Saddam, Do-Nothing, Micro-128 and all non-resident viruses. Worse, it will "detect" all TSR programs, even programs like PRINT.COM.

However, my main point is this - it is possible to make a program integrity check which will detect infection by all "stealth" viruses known today, and (I hope) tomorrow's viruses as well. I cannot go into details, but I do have a working program which is able to do this - more details next month.

- -frisk