padgett%tccslr.dnet@uvs1.orl.mmc.com (Padgett Peterson) (02/04/91)
p1@arkham.wimsey.bc.ca (Rob Slade) writes concerning "boot sector protection":

>It would not, unfortunately, deal with "stealth" boot viri like Joshi, and I
>can see virus writers getting around it in other ways as well.

I must disagree, though the boot sector is a difficult place to put it and all sorts of housekeeping would be required. The partition table, on the other hand, is a nice place.

The "stealth" viruses (JOSHI et al) operate by redirecting low-level interrupts to return only uninfected code. To do so, they must go resident in RAM. Once the OS loads, this is very difficult to detect since each OS does its own redirection. Prior to the OS load, however, only the bare BIOS or ROM extension interrupts are available and these can be verified very easily and are sufficient to detect such attacks immediately.

Padgett
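One way to express the pre-OS check described in the post above, as an added example that is not part of the original post or the author's code: it reads a snapshot of the real-mode interrupt vector table and flags any watched handler that does not point into ROM. The ROM address range, the function names, the watched vectors and the sample vector values are assumptions constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IVT_BYTES      1024u    /* 256 real-mode vectors, 4 bytes each, at 0000:0000 */
#define ROM_LINEAR_MIN 0xC0000u /* assumption: ROM extensions and BIOS sit at C0000h-FFFFFh */
#define ROM_LINEAR_MAX 0xFFFFFu

/* Store a vector the way the CPU reads it: offset word, then segment word. */
void set_vector(uint8_t *ivt, unsigned n, uint16_t seg, uint16_t off) {
    uint8_t *p = ivt + 4u * n;
    p[0] = (uint8_t)(off & 0xFF); p[1] = (uint8_t)(off >> 8);
    p[2] = (uint8_t)(seg & 0xFF); p[3] = (uint8_t)(seg >> 8);
}

/* Linear address of handler n. Comparing linear addresses rather than
   segments treats aliases such as BFFF:0010 (= C0000h) correctly. */
uint32_t handler_linear(const uint8_t *ivt, unsigned n) {
    const uint8_t *p = ivt + 4u * n;
    uint16_t off = (uint16_t)(p[0] | (p[1] << 8));
    uint16_t seg = (uint16_t)(p[2] | (p[3] << 8));
    return ((uint32_t)seg << 4) + off;
}

/* Count watched vectors whose handler lies outside ROM, i.e. in RAM. */
int ram_resident_handlers(const uint8_t *ivt, const uint8_t *watch, size_t n) {
    int hits = 0;
    for (size_t i = 0; i < n; i++) {
        uint32_t a = handler_linear(ivt, watch[i]);
        if (a < ROM_LINEAR_MIN || a > ROM_LINEAR_MAX) {
            printf("INT %02Xh -> %05lXh is not in ROM\n",
                   (unsigned)watch[i], (unsigned long)a);
            hits++;
        }
    }
    return hits;
}

int main(void) {
    static const uint8_t watch[] = { 0x10, 0x13 }; /* video and disk services */
    uint8_t ivt[IVT_BYTES];
    memset(ivt, 0, sizeof ivt);
    set_vector(ivt, 0x10, 0xC000, 0x0100); /* constructed: video ROM extension */
    set_vector(ivt, 0x13, 0xF000, 0xEC59); /* constructed: system BIOS handler */
    printf("clean snapshot: %d flagged\n", ram_resident_handlers(ivt, watch, 2));
    set_vector(ivt, 0x13, 0x9F80, 0x0000); /* constructed: hook at top of base RAM */
    printf("hooked snapshot: %d flagged\n", ram_resident_handlers(ivt, watch, 2));
    return 0;
}
```

The check is only meaningful before the OS loads, because afterwards legitimate handlers also live in RAM.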