padgett%tccslr.dnet@uvs1.orl.mmc.com (Padgett Peterson) (02/05/91)
>>From: gt1546c@prism.gatech.edu (Gatliff, William A.)
>>To help combat this, what would be the possibility of 'deliberately'
>>infecting one's boot-sector with a piece of code that would display
>>some kind of 'ok' message if it hadn't been tampered with?

Exactly what I was talking about in issue 17 except the "partition table" sector (absolute sector one) should be used, not the boot sector. More, such code can be used to prevent any tampering with itself, the real partition table, or the active boot sector.

One extreme I have tried on a system with C: & D: drives was to put all executables on the C: drive and prohibit ANY writes or formats to that drive (except with a special maintenance program). The D: drive just has its low area protected and contains mutable programs and data. A university or corporate environment might allow writing only to floppies or Bernoullis, protecting the hard disk.

While such software techniques alone cannot prevent an infected boot from occurring from a floppy - only hardware can do this - they do allow such intrusion to be detected prior to the load of the OS and can block any such infection thereafter.

I hope that this will stimulate some activity on the part of the vendors to provide such protection - it is not difficult to write, but for me, I would no longer consider any product complete unless some such form of low level protection was included.

Padgett

ps: This is my hobby - you should see my job.
PHYS169@csc.canterbury.ac.nz (Mark Aitchison, U of Canty; Physics) (02/07/91)
padgett%tccslr.dnet@uvs1.orl.mmc.com (Padgett Peterson) writes:
>>>... what would be the possibility of 'deliberately' infecting one's boot-sector with a piece of code ...
..
> allow such intrusion to be detected prior to the load of the OS and can block
> any such infection thereafter...

If anybody's interested, there is such a program available, i.e. stops hard disk boot viruses early in the start-up sequence. If anyone is interested, I can e-mail further details. It's a companion product to an automatic diskette boot sector scanner.

Mark Aitchison, Physics, University of Canterbury, New Zealand.
frisk@rhi.hi.is (Fridrik Skulason) (02/12/91)
Regarding the subject of automatically detecting infections by boot sector viruses, I just wanted to point out that F-DRIVER.SYS (a part of my F-PROT package) will detect all known boot sector viruses, and is also designed to detect new/unknown boot sector and partition table viruses.

I will, however, include an option in version 1.15 to disable this check, as it may cause problems on machines with network boot ROMs.

-frisk
71435.1777@CompuServe.COM (Bob Bosen) (02/28/91)
Referring to the idea of inserting viral detection code very early in the bootstrap sequence by modifying the partition table, Padgett Peterson writes:

>I hope that this will stimulate some activity on the part of the
>vendors to provide such protection -- it is not difficult to write,
>but for me, I would no longer consider any product complete unless
>some such form of low level protection was included.

I'm sorry, but it would just be too easy to fake the "all clear" message generated by any such technique. I agree that some form of low level protection is necessary but I fear that defensive code hiding in partition tables will be much more vulnerable to attack than MY preferred method: periodically bootstrapping from a "sterile" boot diskette that is kept isolated from every other usage. If I never use that boot diskette in any machine executing any code that didn't COME from that diskette, then it CAN'T be corrupted. Period. End of discussion. That's the ultimate low-level protection.

Bob Bosen
Enigma Logic Inc. (Producers of SafeWord VIRUS-Safe [Now Shareware])
2151 Salvio Street #301
Concord, CA 94520 USA
Tel: (415) 827-5707
FAX: (415) 827-2593
Internet: 715435.1777@COMPUSERVE.COM
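An added example, not part of any post in this thread: a baseline check over the three areas Padgett Peterson lists (the code in absolute sector one, the partition table, and the active boot sector), written to run against a disk image read after booting from trusted media as Bob Bosen describes. The classic 512-byte sector layout, the use of SHA-256, the function names and the constructed sample image are all assumptions of the example.

```python
import hashlib
import struct

SECTOR = 512
TABLE = 446        # four 16-byte partition entries start here
SIGNATURE = 510    # 0x55 0xAA marker closes the sector


def active_partition_start(sector):
    """Return the starting sector number of the single active partition."""
    if len(sector) != SECTOR or bytes(sector[SIGNATURE:]) != b"\x55\xaa":
        raise ValueError("not a valid partition-table sector")
    starts = []
    for i in range(4):
        entry = sector[TABLE + 16 * i:TABLE + 16 * (i + 1)]
        if entry[0] == 0x80:                      # status byte: 0x80 = active
            starts.append(struct.unpack_from("<I", entry, 8)[0])
    if len(starts) != 1:
        raise ValueError("expected exactly one active partition")
    return starts[0]


def fingerprint(disk):
    """Hash the three protected areas separately so a change can be located."""
    first = disk[:SECTOR]
    start = active_partition_start(first) * SECTOR
    boot = disk[start:start + SECTOR]
    if len(boot) != SECTOR:
        raise ValueError("active boot sector lies outside the image")
    areas = {"loader_code": first[:TABLE],
             "partition_table": first[TABLE:SIGNATURE],
             "active_boot_sector": boot}
    return {name: hashlib.sha256(data).hexdigest() for name, data in areas.items()}


def changed_areas(baseline, disk):
    """List the areas whose hash no longer matches the recorded baseline."""
    current = fingerprint(disk)
    return sorted(name for name in baseline if baseline[name] != current[name])


def build_sample_disk():
    """Constructed 32-sector image: one active partition starting at sector 17."""
    disk = bytearray(32 * SECTOR)
    disk[TABLE:TABLE + 16] = struct.pack("<B3sB3sII", 0x80, b"\0\0\0", 0x04, b"\0\0\0", 17, 15)
    disk[SIGNATURE:SECTOR] = b"\x55\xaa"
    disk[17 * SECTOR + SIGNATURE:18 * SECTOR] = b"\x55\xaa"
    return disk
```

The baseline returned by `fingerprint` is only as trustworthy as where it is stored and what code computes it, so both belong on the isolated boot media rather than on the disk being checked.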