padgett%tccslr.dnet@uvs1.orl.mmc.com (Padgett Peterson) (01/12/91)
>> From: Mr Gordon S Byron <gsb1@forth.stirling.ac.uk>
>>
>> I am interested in finding a DOS antivirus program which would
>> automatically scan disks as they are inserted. Ideally, something like
>> SAM II on the Mac.

Could be done with something hooking the timer but why? MACs execute
code on the floppy when inserted but an IBM or clone does not (unless
you try to boot from it). Under MS-DOS, a program must be requested for
execution before it is loaded and that is when good anti-viral programs
do their thing.

>From: Carlos Jimenez <cjimenez@anyware.es>
>Subject: Re: Prevent hard disk infection? (PC)

>>Is there any way to prevent a virus from infecting a hard disk when
>>you cold boot with an infected diskette in drive a: ? (I should have
>>written "when you unfortunately have left a diskette in drive a:" or
>>"when you leave your computer unattended and someone boots from a
>>diskette").
>>
>>Paul M. Monat Lab Manager Phone: 613-564-6895/6500

>When a boot sector virus infects a diskette (with or without operating system)
>it can make a boot sector that can infect any hard disk using
> - direct access to hard disk port
> (I don't know any virus that uses this method actually),

They do not because many disks use different ports and access methods
so one single method will not work well. Most hardcards and
non-standard disks (ESDI, SCSI) use their own ROM extensions located at
a different address so a virus cannot tell just where to look
(incidentally, a similar reason is why DOS viruses do not fare well
under unix or OS/2).

> - BIOS Int 13h Function 03 (Write sector)
> (like Stoned)

Yup

> - DOS Int 26h (Write absolute sector).
> (like Bouncing Ball,

Boot sector infectors cannot use this since Int 26 is not there until
after DOS loads (and usually goes through Int 13 ultimately as do most
of the Int 21 functions that do disk access anyway).

>The third method of infection has a solution using software. If you
>clear the partition table of your hard disk, the DOS can't recognize
>the hard disk (like it hasn't a low level format), and Int 26h calls
>will fail. For a successful boot from hard disk you must change the
>original bootstart routine by another, that writes the original
>partition table and then reads the boot sector of the active partition
>and executes it. You must include a program that clears again the
>partition table (I have a driver in CONFIG.SYS)

This is what I have been playing with except that the copying of
sectors is a crude way to do it - a custom partition sector either not
containing the partition table or with an encrypted table is much more
effective. You can also check for certain things like a hooked Int 13
very easily since you are dealing with the bare BIOS at this point -
something impossible from either CONFIG.SYS or AUTOEXEC.BAT. Another
plus is that you can do many other things from here like prevention of
hard disk formatting, partition table corruption, and passing of clean
system parameters to the rest of the anti-virus program invoked later.

and may have just found a nice 69 Grand Prix, whee,
					Padgett
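The two checks discussed in the exchange above, the cleared-or-present partition table and the hooked Int 13h vector, worked through as an added example. This is not code from either post: it is a host-side C model, the MBR image and the two interrupt-vector-table images are constructed for illustration, and the segment threshold used for "in ROM" is an assumption stated in the comments. A real implementation would be 16-bit code running from the partition sector itself, reading the table from its own sector and the vectors from 0000:0000, which a program compiled for a modern host cannot do.

```c
/* Added example, not from either post: parse a DOS master boot record and
 * perform two checks a custom pre-DOS boot sector could make from the bare
 * BIOS: (1) is the partition table present or cleared, (2) does the Int 13h
 * vector still point into ROM. The MBR and interrupt vector table images
 * below are constructed for illustration. Build: cc -std=c99 mbr_check.c */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SECTOR_SIZE 512
#define PTABLE_OFF  0x1BE       /* four 16-byte partition entries */
#define PTABLE_LEN  64
#define SIG_OFF     0x1FE       /* 0x55 0xAA boot signature */
#define IVT_SIZE    1024        /* 256 vectors of 4 bytes at 0000:0000 */
#define INT13_OFF   (0x13 * 4)  /* offset of the Int 13h vector in the IVT */

struct part_entry {
    uint8_t  boot;       /* 0x80 = active (bootable) */
    uint8_t  type;       /* 0x06 = FAT16, 0x05 = extended, ... */
    uint32_t lba_start;  /* first sector, stored little-endian */
    uint32_t sectors;    /* length in sectors */
};

static uint16_t le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* 1 if the sector ends in the 0x55AA signature the BIOS requires before it
 * will jump to the code at offset 0. */
int mbr_has_signature(const uint8_t *sec) {
    return sec[SIG_OFF] == 0x55 && sec[SIG_OFF + 1] == 0xAA;
}

/* Decode partition entry i (0..3). Returns 0 on success, -1 on a bad index. */
int mbr_read_entry(const uint8_t *sec, int i, struct part_entry *out) {
    if (i < 0 || i > 3) return -1;
    const uint8_t *e = sec + PTABLE_OFF + 16 * i;
    out->boot = e[0];
    out->type = e[4];
    out->lba_start = le32(e + 8);
    out->sectors = le32(e + 12);
    return 0;
}

/* Number of entries with a non-zero type byte. */
int mbr_count_partitions(const uint8_t *sec) {
    int n = 0;
    for (int i = 0; i < 4; i++)
        if (sec[PTABLE_OFF + 16 * i + 4] != 0) n++;
    return n;
}

/* 1 if all 64 table bytes are zero. DOS then finds no partitions, so Int 26h
 * writes aimed at the hard disk fail, which is the state the disk is kept in
 * between boots. Code loaded from this sector must restore the table (or
 * decrypt a stashed copy) before handing off to the active partition. */
int mbr_table_is_cleared(const uint8_t *sec) {
    for (int i = 0; i < PTABLE_LEN; i++)
        if (sec[PTABLE_OFF + i] != 0) return 0;
    return 1;
}

/* Zero the table in place: the "clear it again" step done from CONFIG.SYS. */
void mbr_clear_table(uint8_t *sec) { memset(sec + PTABLE_OFF, 0, PTABLE_LEN); }

/* Segment half of the Int 13h vector in an IVT image. */
uint16_t int13_segment(const uint8_t *ivt) { return le16(ivt + INT13_OFF + 2); }

/* Before DOS loads, Int 13h should point at the system BIOS (segment F000)
 * or an adapter ROM (C000-EFFF, where hardcard and SCSI BIOS extensions
 * live). A vector into conventional RAM means something resident, such as a
 * boot-sector virus parked at top of memory, has already hooked it.
 * Assumption: nothing legitimate relocates Int 13h into RAM before boot. */
int int13_vector_in_rom(const uint8_t *ivt) { return int13_segment(ivt) >= 0xC000; }

/* Constructed MBR: one active FAT16 partition, LBA 63, 0x200000 sectors. */
static const uint8_t SAMPLE_MBR[SECTOR_SIZE] = {
    [PTABLE_OFF + 0] = 0x80, [PTABLE_OFF + 1] = 0x01, [PTABLE_OFF + 2] = 0x01,
    [PTABLE_OFF + 4] = 0x06, [PTABLE_OFF + 5] = 0xFE, [PTABLE_OFF + 6] = 0xFF, [PTABLE_OFF + 7] = 0xFF,
    [PTABLE_OFF + 8] = 0x3F, [PTABLE_OFF + 14] = 0x20,
    [SIG_OFF] = 0x55, [SIG_OFF + 1] = 0xAA,
};
/* Constructed IVTs: a clean one with Int 13h at F000:EC59 (a common AT BIOS
 * entry point) and a hooked one with Int 13h at 9F00:0000 (top of RAM). */
static const uint8_t CLEAN_IVT[IVT_SIZE]  = { [INT13_OFF] = 0x59, [INT13_OFF + 1] = 0xEC, [INT13_OFF + 3] = 0xF0 };
static const uint8_t HOOKED_IVT[IVT_SIZE] = { [INT13_OFF + 3] = 0x9F };

int main(void) {
    uint8_t work[SECTOR_SIZE];
    struct part_entry e;
    memcpy(work, SAMPLE_MBR, SECTOR_SIZE);
    mbr_read_entry(work, 0, &e);
    printf("signature=%d partitions=%d entry0: boot=%02X type=%02X lba=%u len=%u\n",
           mbr_has_signature(work), mbr_count_partitions(work),
           e.boot, e.type, (unsigned)e.lba_start, (unsigned)e.sectors);
    mbr_clear_table(work);
    printf("after clearing: cleared=%d signature still present=%d\n",
           mbr_table_is_cleared(work), mbr_has_signature(work));
    printf("Int 13h clean: seg %04X rom=%d; hooked: seg %04X rom=%d\n",
           int13_segment(CLEAN_IVT), int13_vector_in_rom(CLEAN_IVT),
           int13_segment(HOOKED_IVT), int13_vector_in_rom(HOOKED_IVT));
    return 0;
}
```

Note that clearing the table leaves the 0x55AA signature in place, so the BIOS still boots the custom code in that sector; only DOS's view of the disk changes. The ROM-range test is only meaningful at the moment the post describes, from the partition sector before any driver or TSR has loaded; once DOS is up, legitimate software hooks Int 13h routinely and the same check would fire on a clean machine.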
phaedrus@milton.u.washington.edu (Mark Phaedrus) (01/12/91)
padgett%tccslr.dnet@uvs1.orl.mmc.com (Padgett Peterson) writes:

[another user's request for something for the PC similar to Mac's SAM
deleted]

>Could be done with something hooking the timer but why? MACs execute
>code on the floppy when inserted but an IBM or clone does not (unless
>you try to boot from it). Under MS-DOS, a program must be requested
>for execution before it is loaded and that is when good anti-viral
>programs do their thing.

Not to pick nits here, but this contains a pretty common misconception
about the Mac that should be cleared up (since it's important when
considering Mac virus protection). Macs do not automatically "execute
code on the floppy when inserted." If you have infected application
files on a floppy disk and you insert it, nothing adverse will happen
unless you actually try to launch the infected application.

The Mac viruses (notably WDEF) that infect immediately on disk
insertion do this because of the way the Finder stores information on
disk, and the way Mac file contents are accessed. Most file access on
a Mac is resource-based; instead of a program asking for a specific
range of bytes, it asks for, say, desk accessory #12. Depending on
which access calls the program uses, it can either look for that
resource in one specific file, or in all the currently-opened files,
looking in the most recently-opened first (which the System itself
usually does). That's how programs like Suitcase II that let you add
new fonts and DAs on the fly work; they just hold the new files open,
and the System automatically looks through them for resources as well.

Every Mac disk has a "Desktop" file that keeps track of where
applications are, what their icons look like, etc. When you're running
the Finder, it keeps all these files open. The WDEF and similar viruses
sneak in by infecting these Desktop files with a resource that's the
same ID as one the System uses; when the System looks for this
resource, it picks the one in the Desktop file over the one in the
System file, since the Desktop file was opened more recently. If the
resource is one that would normally be executed (like a WDEF, which
tells the Mac how to draw windows), the System will execute the
infected resource, which can then copy itself to other Desktop files or
do anything else it wants to do.

Once you understand how the virus enters and spreads, it's not nearly
as threatening. Unless you're running the Finder (or some other program
that uses Desktop information), it doesn't matter whether a disk is
WDEF-infected or not, since that file is never opened. If you hold down
Command-Option during a restart or while inserting a disk (which forces
the Desktop to be rebuilt), the virus is eliminated without infecting
the Mac, since the infected Desktop file is deleted and replaced by a
clean copy. Finally, if you're using Desktop Manager (which I would
heartily recommend), your hard disk can't be infected, since there's no
Desktop file on it at all and since the files that replace it don't
store resources.
-- 
Internet: phaedrus@u.washington.edu  (University of Washington, Seattle)
The views expressed here are not those of this station or its management.
"If you can keep your head while those about you are losing theirs,
consider an exciting career as a guillotine operator!"
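The search-order shadowing described in the post above, as an added example that is not part of it. It is a small model, not Macintosh Toolbox code: get_resource() and get1_resource() stand in for the two lookup styles mentioned (every open file, most recently opened first, versus one specific file), the file names and resource contents are constructed, and the "owner" string is a label added so the result can be seen. What it shows is that nothing about the infected Desktop file matters until it is opened after the System file, and that closing and replacing it is enough to put the System's WDEF back in front.

```c
/* Added example, not from the original post: a model of the Mac resource
 * search order, showing why a WDEF resource in a Desktop file shadows the
 * one in the System file. get_resource()/get1_resource() are stand-ins for
 * the Toolbox chain and single-file lookups, not the real API; the files
 * and resources below are constructed for illustration. */
#include <stdio.h>
#include <string.h>

#define MAX_RES   4
#define MAX_OPEN  4

struct resource  { const char *type; int id; const char *owner; };
struct res_file  { const char *name; int nres; struct resource res[MAX_RES]; };
struct res_chain { const struct res_file *open[MAX_OPEN]; int depth; };

/* Opening a file pushes it on top of the chain; the top is searched first. */
int open_res_file(struct res_chain *c, const struct res_file *f) {
    if (c->depth >= MAX_OPEN) return -1;
    c->open[c->depth++] = f;
    return 0;
}

/* Closing removes the file and closes the gap, keeping the others in order. */
void close_res_file(struct res_chain *c, const struct res_file *f) {
    int i, j = 0;
    for (i = 0; i < c->depth; i++)
        if (c->open[i] != f) c->open[j++] = c->open[i];
    c->depth = j;
}

/* Look in one specific file only. */
const struct resource *get1_resource(const struct res_file *f, const char *type, int id) {
    for (int i = 0; i < f->nres; i++)
        if (f->res[i].id == id && strcmp(f->res[i].type, type) == 0) return &f->res[i];
    return NULL;
}

/* Search every open file, most recently opened first: the first hit wins,
 * so a later-opened file with the same type and ID shadows an earlier one. */
const struct resource *get_resource(const struct res_chain *c, const char *type, int id) {
    for (int i = c->depth - 1; i >= 0; i--) {
        const struct resource *r = get1_resource(c->open[i], type, id);
        if (r) return r;
    }
    return NULL;
}

/* Constructed files. The System file supplies the standard window
 * definition, WDEF 0. An infected Desktop file carries a WDEF with the same
 * type and ID; a freshly rebuilt Desktop carries icons but no code. */
static const struct res_file SYSTEM_FILE      = { "System",  1, { { "WDEF", 0, "System" } } };
static const struct res_file INFECTED_DESKTOP = { "Desktop", 2, { { "ICN#", 128, "Desktop" }, { "WDEF", 0, "Desktop" } } };
static const struct res_file CLEAN_DESKTOP    = { "Desktop", 1, { { "ICN#", 128, "Desktop" } } };

/* Which file's WDEF 0 the System would run.
 * finder_running: the Finder has the disk's Desktop file open.
 * infected:       that Desktop file carries the viral WDEF. */
const char *wdef_owner(int finder_running, int infected) {
    struct res_chain chain = { {0}, 0 };
    open_res_file(&chain, &SYSTEM_FILE);                 /* opened at boot */
    if (finder_running)                                  /* opened later, so searched first */
        open_res_file(&chain, infected ? &INFECTED_DESKTOP : &CLEAN_DESKTOP);
    const struct resource *r = get_resource(&chain, "WDEF", 0);
    return r ? r->owner : "(none)";
}

/* Rebuilding the desktop: the infected file is closed and discarded and a
 * clean one opened in its place; the chain then resolves back to System. */
const char *wdef_owner_after_rebuild(void) {
    struct res_chain chain = { {0}, 0 };
    open_res_file(&chain, &SYSTEM_FILE);
    open_res_file(&chain, &INFECTED_DESKTOP);
    close_res_file(&chain, &INFECTED_DESKTOP);
    open_res_file(&chain, &CLEAN_DESKTOP);
    return get_resource(&chain, "WDEF", 0)->owner;
}

int main(void) {
    printf("no Finder, infected disk:  WDEF 0 comes from %s\n", wdef_owner(0, 1));
    printf("Finder, infected Desktop:  WDEF 0 comes from %s\n", wdef_owner(1, 1));
    printf("Finder, clean Desktop:     WDEF 0 comes from %s\n", wdef_owner(1, 0));
    printf("after Cmd-Option rebuild:  WDEF 0 comes from %s\n", wdef_owner_after_rebuild());
    /* A single-file lookup never sees the Desktop's copy at all. */
    printf("get1_resource(System):     %s\n", get1_resource(&SYSTEM_FILE, "WDEF", 0)->owner);
    return 0;
}
```

The same pattern, a shared search path where the most recently added location is consulted first, is what makes a writable directory ahead of a system one dangerous on any platform; here the writable location is the Desktop file, which every Finder-mounted disk carries and which the Finder opens after the System file.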