FTHSMULD@rulgl.LeidenUniv.nl (Jeroen W. Pluimers / Jeroen Smulders) (03/05/91)
Friday, 22 Feb 1991, Jim Pinson wrote:

> noticed that some of them (virus-scan programs) can use an external file
> containing virus signatures. This seems very useful......
> There does not seem to be a standard format of these files

Well, there is some sort of standard. It is being used by VIRSCAN, HTSCAN and TBSCAN/TBSCANX.

The file consists of a list of signatures. All lines starting with ; are considered to be a comment. Every signature has three lines. The first line contains the virus name (Jerusalem-B, for instance). The second line consists of keywords BOOT, COM or EXE (and defines the type of infection). The third line has the virus signature (a HEX string of bytes). There is some provision for byte skips and random bytes.

I don't have the format handy, but if anyone is interested, I can post the full specs.

Jeroen W. Pluimers - Gorlaeus Labs, Leiden University
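
Added example, not part of either post and not code from VIRSCAN, HTSCAN or TBSCAN: a minimal Python reader for the three-line layout described above, plus an exact-match scan. Tolerating blank lines and spaces between hex bytes is an assumption, and because the post does not give the skip/random-byte syntax, any signature line that is not plain hex is left undecoded rather than guessed at.

```python
import re
from typing import NamedTuple, Optional

KNOWN_TYPES = {"BOOT", "COM", "EXE"}          # keywords named in the post
HEX_ONLY = re.compile(r"(?:[0-9A-Fa-f]{2})+")

class Signature(NamedTuple):
    name: str
    types: frozenset
    pattern: Optional[bytes]   # None: line uses syntax this sketch does not decode

def parse_signatures(text):
    # Drop comment lines (starting with ';') and blank lines (assumption).
    lines = [ln.strip() for ln in text.splitlines()]
    lines = [ln for ln in lines if ln and not ln.startswith(";")]
    if len(lines) % 3:
        raise ValueError("incomplete record: expected name/type/signature triples")
    sigs = []
    for i in range(0, len(lines), 3):
        name, type_line, sig_line = lines[i:i + 3]
        types = frozenset(type_line.upper().split())
        if not types or not types <= KNOWN_TYPES:
            raise ValueError(f"{name}: unknown type keyword in {type_line!r}")
        compact = "".join(sig_line.split())   # assumption: spaces between bytes allowed
        # Skip/random-byte syntax is not specified in the post; do not guess at it.
        pattern = bytes.fromhex(compact) if HEX_ONLY.fullmatch(compact) else None
        sigs.append(Signature(name, types, pattern))
    return sigs

def scan(data, sigs, kind):
    """Names of signatures of infection type `kind` whose bytes occur in `data`."""
    return [s.name for s in sigs
            if kind in s.types and s.pattern and s.pattern in data]

# Constructed sample file and buffer; names and bytes are made up for illustration.
# '??' is a made-up stand-in for unsupported syntax, not the real wildcard notation.
SAMPLE = """\
; constructed test signatures
Example-A
COM EXE
DE AD BE EF 01 02
Example-B
BOOT
C0FFEE??1234
"""
SIGS = parse_signatures(SAMPLE)
BUFFER = b"\x90\x90" + bytes.fromhex("deadbeef0102") + b"\x00"
```
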
frisk@rhi.hi.is (Fridrik Skulason) (03/13/91)
Should virus identification strings be published in hex form?

My personal opinion is that they should be kept secret or published in an encrypted form. The reason is quite simple - anybody who obtains a copy of the virus can easily patch the section containing the published signature string, in order to make it non-detectable by any scanner using that string.

Another danger of publishing the strings is that several scanners might use the same strings - so no extra security would be gained by using multiple scanners - if a new variant of an old virus appears, they would all fail or all succeed in finding it.

-frisk