bert@medley.ssdl.com (Bert Medley) (02/08/91)
Does anyone know of any virus protection software for VAX/VMS or UNIX (Sun, DG Aviion, DEC ULTRIX)? Please e-mail to bert@medley.ssdl.com or post. I will summarize and repost if there are answers. I NEED any answers you might be able to give. Thanks in advance.

--
Bert Medley | UUCP: bmedley@hounix.uucp
Synercom Technology | or ..uhnix1!hounix!bmedley
2500 City West Blvd., Suite 1100 | Internet: bmedley%hounix@uh.edu
Houston TX 77042 | "My opinions are my own ..."
leichter@LRW.COM (Jerry Leichter) (02/09/91)
Bert Medley asks for information about virus protection software for VAX/VMS and Unix systems. I'll leave it to others to speak about Unix - though I suspect the answers will be pretty much the same - but the story in the VMS world appears to be as follows:

- As far as I'm aware, no VMS viruses have been reported so far. That's not at all to say that they can't be, or even haven't been, written; it's just that if there are any, they have either not spread much, or (if you insist on the paranoid view) are so good that no one has detected them yet. Note that most of the PC world's virus detectors are based on scanning for known viruses (of which so far hundreds are known). Since there are no known VMS viruses, it's meaningless to use a VMS virus scanner of this sort at this point.

- The protection mechanisms available on VMS (or Unix) are much more sophisticated than those on PCs. Again, this doesn't mean that viruses can't be written; it just means that they are harder to write, will likely be bigger, and will have to use more elaborate mechanisms to spread. In particular: "Boot sector"-like viruses - which gain control during system boot - could only be inserted by software that managed to gain privileges. Similarly, viruses that wished to take over system calls would first have to gain privileges. On both Unix and VMS, this would be true even for a viral program trying to take over only calls made by programs run subsequently, in the same login session, by the same user. This means that some of the other common kinds of PC anti-virals - the boot-sector checkers and, particularly, the disk-write-monitors - are also pretty pointless on VMS systems. Actually, it even goes beyond that: On VMS, it is possible to set alarms on files that will log messages if any attempt is made to modify them. Turning the alarms off without setting off yet other alarms is quite difficult.

  Alternatively, the VMS on-disk structure is very complex; while a privileged program COULD write directly to the physical disk, it would require a lot of code for it to write to a particular block of a particular file without help from the file system (which could raise an alarm). Note that on any PARTICULAR system, one could determine ahead of time just what to write where; but that doesn't help a virus, which must be able to survive on its own.

- On a VMS system with properly set up security, the most a virus could do is spread from one user's infected files to other files he owns. If a user made an infected program available for others to run, anyone running the program could likewise see his files infected. However, unless an infected program were run by a privileged user, the virus could never gain privileges this way. A good security policy INSISTS that privileged users run ONLY trusted software - a Trojan Horse run by a privileged user is at least as much of a threat as a virus, in practice probably much more so. One way to think about this is that on a properly run system, each individual non-privileged user account acts like its own private PC and disk. Infections can spread within a PC/disk, but can only move from one to another by sharing. A privileged user is someone who gathers up all the private disks and perhaps looks at them on his machine. If he isn't careful, he can serve as a vector and spread a virus far and wide.

- It is simple on a VMS system to configure an account for an end-user which does not allow the end-user to create new executables, only run executables TO WHICH HE DOES NOT HAVE WRITE ACCESS. Such an account is immune to viruses: Even if one of those executables came to be infected, the virus in it couldn't spread, as it couldn't write to any other executables.

  (Yes, we can get into all sorts of theoretical discussions about what constitutes an "executable" if there are things like macros and interpreters around - but nothing of this sort has been observed "in the field" as far as I know.)

- The "infections" that have been reported on VMS systems have usually been network-related, and were not viruses in any real sense. (They were self-propagating command files that relied on the fact that, in a more innocent time, VMS systems usually allowed remote users to run small programs in a default account.)

In summary: If someone tries to sell you a VMS anti-viral package AT THIS TIME, you should probably tell them to take a hike. Better, put them on the spot: Don't let them tell you in general terms what their package does; insist that they tell you IN DETAIL what risks they claim you face, what evidence they have that those risks are real, and how their product protects you from those risks in a way that the base system does not.

-- Jerry
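The "immune account" model in the post (an account that can run executables but cannot write to them) can be checked on a Unix host. The following Python script is an added example, not part of either post: it walks a list of directories and reports executables the current account could alter, either because the file is writable or because its directory is writable and the file could simply be replaced (a caveat the post's VMS discussion does not need). The sample tree it builds is constructed for the demonstration.

```python
import os
import stat
import tempfile

# The post's "privileged user as vector": root passes every access check,
# so a scan run as root reports everything as writable (which is the point).
PRIVILEGED = hasattr(os, "geteuid") and os.geteuid() == 0


def writable_executables(dirs):
    """Return {path: reason} for executables under dirs that this account could alter.

    A virus running as a non-privileged user can only spread to executables
    that user can write; this lists exactly those files.
    """
    findings = {}
    for top in dirs:
        for root, _subdirs, files in os.walk(top):
            dir_writable = os.access(root, os.W_OK)
            for name in files:
                path = os.path.join(root, name)
                try:
                    st = os.lstat(path)
                except OSError:
                    continue
                if not stat.S_ISREG(st.st_mode):
                    continue  # skip symlinks, devices, etc.
                if not st.st_mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH):
                    continue  # not an executable
                if os.access(path, os.W_OK):
                    findings[path] = "file writable by this account"
                elif dir_writable:
                    findings[path] = "directory writable: file could be replaced"
    return findings


def build_demo_tree():
    """Constructed sample: one writable and one read-only executable (not real system files)."""
    base = tempfile.mkdtemp(prefix="exec_check_")
    bindir = os.path.join(base, "bin")
    os.mkdir(bindir)
    rw, ro = os.path.join(bindir, "tool_rw"), os.path.join(bindir, "tool_ro")
    for p in (rw, ro):
        with open(p, "w") as fh:
            fh.write("#!/bin/sh\necho hello\n")
    os.chmod(rw, 0o755)      # owner may write: a virus run by this user could infect it
    os.chmod(ro, 0o555)      # no write bit: the immune-account model from the post
    os.chmod(bindir, 0o555)  # lock the directory so tool_ro cannot simply be replaced
    return base, rw, ro


if __name__ == "__main__":
    base, rw, ro = build_demo_tree()
    for path, why in sorted(writable_executables([base]).items()):
        print(f"{path}: {why}")
    # Real use: writable_executables(os.environ["PATH"].split(os.pathsep))
```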