padgett%tccslr.dnet@uvs1.orl.mmc.com (Padgett Peterson) (02/15/91)
From: millerje@holst.tmc.edu (jeffrey scott miller)
>Artificial intelligence? For what purpose. 99% of scanning for
>viruses just requires looking for a "search string".

However, scanners are only one form of integrity protection for a PC. A good AI program will be able to "learn" a system configuration, which programs are allowed to do what, and flag the user if something unusual takes place. The prime problem with such schemes today results from too many "false positives" to avoid any "false negatives". Enigma-Logic's VIRUS-SAFE, Certus Int'l's CERTUS, and Mr. McAfee's VSHIELD are good second generation products available today, but the third generation is going to have to include some form of AI as described above.

- ---------------------------------------------------------------
From: merckens@dbf.kun.nl (Merckens A)
>The solution, which can be found in BOOTCOMP.ZIP, is based on methods used
>by these viruses (to catch a thief ....)
>After this has been done, the computer should be booted from this floppy.
>The code in the bootsector then catches the original BIOS
>interrupts and patches them to the file BOOTCOMP.exe.
>When the program BOOTCOMP.exe is called, it uses the original
>interrupts to get the "current" bootsector and partition table. So even
>if a virus has taken the interrupts, we will indeed get the true
>information, and comparison is correct.

This certainly is a better answer than exists under DOS alone, but there are methods that can be used to achieve the same result with much less effort. First, the "booting from floppy" requirement was found to be unacceptable to most users: it was easier to perform the integrity checking at the BIOS level as suggested and then pass the BIOS "hooks" in memory. Additional problems are that you will not be notified of an infection until you run BOOTCOMP after DOS has loaded, and each machine must have its own floppy, making maintenance more complicated.

Also this is a difficult proposition when coupled with a "never boot from floppy" policy or any sort of password protection for the hard disk.

- -----------------------------------------------------------------------
From: dg@titanium.mitre.org
>Observation 2: Mac viruses are not easier to write than PC viruses for
>the same reason Mac applications are not easier to write than PC
>applications...A lot of it has to do with the number of
>vandals writing viruses for the Mac vs. DOS, but it also has to do with the
>relative ease with which viruses can be written for DOS vs the Mac.

The real point is not the difficulty of writing the application, either is simple in comparison to writing a good word processor; rather it is the total lack of integrity checking in either platform. Larger systems were forced to design in such systems (and accept the impact on performance) so that accidental (or malicious) actions by one user could not take down an entire system. IBM learned this in the '50s, as has every other multi-user system manufacturer, but the original 4.77 MHz PC could not compete with the CP/M machines if the overhead of a "real" OS was added. MACs are the same way - performance takes precedence over protection. This is neither good nor bad, just a fact. Today with 40 MHz 68040s and 33 MHz 80386s, the performance is there to allow effective integrity assurance unnoticeably (in fact it can be done on a 4.77 MHz PC); there just has not been much of a market for it. MS DOS 5.00 does not seem to have any more than 1.00 did, and I would be surprised to find anything in MAC 7. On both platforms, if you can write a properly constructed executable file, the CPU will happily execute it even if it causes self-destruction.

Today, what development has been done has largely been by a small group of dedicated people such as Frisk, Ross Greenberg, Chip Hyde, Dennis Yelle, Morgan Schweers, Kelly Goen, John Norstad, and Andy Hopkins (I know this isn't complete) who have taken the time and trouble to really understand the architecture before making an attempt at a solution. As far as viruses are concerned, it is difficult to have twenty years experience in a field that has only existed for four (Yes, Fred C. wrote one in 1984 on the VAX, but I start PCs with the Brain). From one standpoint, it is amazing that we have come so far in a short time - the trouble is that we all want more and know that it can be done.

Warmly, Padgett

ps Have sent a beta copy of DISKSECURE to Ken since my "baroque" system prevents binary uploads. This is the partition table replacement experiment mentioned earlier. No promises or guarantees, nor does it have anything to do with my employer. It just seems to work.
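The BOOTCOMP discussion above comes down to one idea: record a trusted copy of the boot sector and partition table, and later compare the "current" sector against it. The following is an added illustration of that comparison, not code from BOOTCOMP, DISKSECURE or any product named in the post. It parses the four MBR partition entries, hashes the boot code, and reports what changed. The 512-byte sectors are constructed inline for the demo; on a real machine the sector handed to `compare()` must be read through a path the checker trusts (at boot time, before DOS and anything hooking the BIOS interrupts has loaded), which is exactly the point the post makes about why the read has to happen first.

```python
import hashlib
import struct

SECTOR_SIZE = 512
PARTITION_TABLE_OFFSET = 446   # MBR layout: boot code, then 4 x 16-byte entries
ENTRY_SIZE = 16
BOOT_SIGNATURE = b"\x55\xAA"   # last two bytes of a valid boot sector


def parse_partition_table(sector: bytes) -> list:
    """Decode the four partition entries of an MBR-style boot sector."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("boot sector must be exactly 512 bytes")
    if sector[510:512] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    entries = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + i * ENTRY_SIZE
        status, _chs_start, ptype, _chs_end, lba_start, sectors = struct.unpack(
            "<B3sB3sII", sector[off:off + ENTRY_SIZE])
        entries.append({
            "index": i,
            "bootable": status == 0x80,
            "type": ptype,
            "lba_start": lba_start,
            "sectors": sectors,
        })
    return entries


def baseline(sector: bytes) -> dict:
    """Trusted snapshot: hash of the boot code plus the parsed partition table."""
    return {
        "code_sha256": hashlib.sha256(sector[:PARTITION_TABLE_OFFSET]).hexdigest(),
        "partitions": parse_partition_table(sector),
    }


def compare(base: dict, sector: bytes) -> list:
    """Return findings as strings; an empty list means nothing changed."""
    findings = []
    current = baseline(sector)
    if current["code_sha256"] != base["code_sha256"]:
        findings.append("boot code changed")
    for old, new in zip(base["partitions"], current["partitions"]):
        for key in ("bootable", "type", "lba_start", "sectors"):
            if old[key] != new[key]:
                findings.append(f"partition {old['index']}: {key} {old[key]} -> {new[key]}")
    return findings


def make_sector(boot_code: bytes, entries: list) -> bytes:
    """Build a constructed 512-byte boot sector for the demo (not a real disk image).
    entries: list of (status, type, lba_start, sector_count) tuples."""
    code = boot_code.ljust(PARTITION_TABLE_OFFSET, b"\x00")
    table = b""
    for status, ptype, lba_start, sectors in entries:
        table += struct.pack("<B3sB3sII", status, b"\x00\x00\x00",
                             ptype, b"\x00\x00\x00", lba_start, sectors)
    table = table.ljust(4 * ENTRY_SIZE, b"\x00")
    return code + table + BOOT_SIGNATURE


# Constructed sample sectors (hypothetical values, not from any real disk).
CLEAN_CODE = b"\xEB\x3C\x90" + b"CONSTRUCTED BOOT CODE"
CLEAN_SECTOR = make_sector(CLEAN_CODE, [(0x80, 0x06, 63, 65520)])

# Same sector with one byte of boot code altered.
_mod = bytearray(CLEAN_SECTOR)
_mod[100] ^= 0xFF
MODIFIED_CODE = bytes(_mod)

# Same boot code, but the first partition now starts one sector later.
MODIFIED_TABLE = make_sector(CLEAN_CODE, [(0x80, 0x06, 64, 65520)])


def run_demo() -> dict:
    """Baseline the clean sector, then check all three samples against it."""
    base = baseline(CLEAN_SECTOR)
    return {
        "clean": compare(base, CLEAN_SECTOR),
        "code": compare(base, MODIFIED_CODE),
        "table": compare(base, MODIFIED_TABLE),
    }


if __name__ == "__main__":
    for name, findings in run_demo().items():
        print(name, "->", findings or ["no change"])
```

The baseline would be stored somewhere the checker can trust, such as the floppy or reserved sectors the post describes, and compared before anything else on the disk has run; reading the sector through interrupts that may already be hooked is what makes a DOS-level comparison unreliable.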