padgett%tccslr.dnet@uvs1.orl.mmc.com (Padgett Peterson) (01/11/91)
It being a new year, and having had some time over the holidays, I have collected a few thoughts on PC (IBM-type) viral protection.

First off, the only effective solution to unknown boot sector viruses (as well as known ones) would have to be in the form of an Int 13 intercept, and the only time that the system is both stable and known that software can affect is on the partition table read following POST, since neither DOS nor anything else has revectored the interrupts yet. Since there is no way short of hardware to prevent floppy booting, protection must take place here. This way, even if an infection takes place, it can be detected immediately, something I do not believe can be guaranteed at any later time (e.g. in CONFIG.SYS or AUTOEXEC.BAT).

A second layer is some form of system protection that monitors the operating system and prevents subversion. The easiest method would be to incorporate this into the "special" partition table, but it must be recognized as a separate task.

The next layer of protection would be authentication of files presented to the operating system for execution, such as any number of systems do (Enigma-Logic's VIRUS-SAFE, McAfee's SCAN with the /AV, or the Dr. Panda Utilities, plus many others). Such authentication can only be effective if the operating system can be trusted when it is invoked.

Finally, some form of authentication or denial of unknown programs presented to the system (floppies) must be provided, such as with McAfee's VSHIELD, Fridrik's F-PROT, or CERTUS. The trouble is that such scanning is only good on known infections and must be kept up to date. For many, the thought of updating 5000 machines with no budget is horrifying.

Intelligent application of these four elements should reduce the risk of infection to near zero and detect the remainder as soon as they happen.
Lately, I have been playing with some "smart" partition table programs, and other than the difficulty of debugging (when you make a mistake, on boot the PC just sits there smiling at you) and the proper handling of registers in a 50h byte "niche", it is proving very interesting. For instance, "fixing" a PC so that if it is booted from a floppy, the hard drive is just not there to DOS is trivial, and STONED/JOSHI/BRAIN attacks are immediately detected.

Having fun in the Sun,
Padgett

P.S. Some of the techniques found could correct viral mistakes, so I cannot discuss these in an open forum or with unknown individuals; however, the above should point to things to look for in a "good" anti-virus program or mix of programs.
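As an added illustration of the "detect it immediately at the partition table read" idea in the post above (example code written for this page, not Padgett's own): a C routine that compares a freshly read sector 0 against a trusted baseline copy and flags the footprint the named boot-sector infectors leave, namely boot code replaced while the partition table and 55AA signature are left intact. The MBR layout constants are real; the sample sectors are constructed in-line.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define MBR_SIZE      512
#define BOOT_CODE_LEN 446   /* bytes 0..445: executable boot code   */
#define PT_OFFSET     446   /* four 16-byte partition table entries */
#define SIG_OFFSET    510   /* 0x55 0xAA boot signature             */

enum { MBR_OK = 0, MBR_BAD_SIG = 1, MBR_CODE_CHANGED = 2, MBR_TABLE_CHANGED = 4 };

/* Compare a freshly read sector 0 against a trusted baseline copy.
   Returns a bitmask of MBR_* flags; 0 means nothing has changed. */
int mbr_check(const uint8_t *cur, const uint8_t *base) {
    int flags = MBR_OK;
    if (cur[SIG_OFFSET] != 0x55 || cur[SIG_OFFSET + 1] != 0xAA) flags |= MBR_BAD_SIG;
    if (memcmp(cur, base, BOOT_CODE_LEN) != 0)                    flags |= MBR_CODE_CHANGED;
    if (memcmp(cur + PT_OFFSET, base + PT_OFFSET, 64) != 0)       flags |= MBR_TABLE_CHANGED;
    return flags;
}

/* Constructed clean sample: stand-in boot code, one active FAT16 entry, signature. */
void make_baseline(uint8_t *mbr) {
    memset(mbr, 0, MBR_SIZE);
    for (int i = 0; i < BOOT_CODE_LEN; i++) mbr[i] = (uint8_t)(i * 7 + 3);
    mbr[PT_OFFSET]      = 0x80;                  /* active flag            */
    mbr[PT_OFFSET + 4]  = 0x06;                  /* partition type: FAT16  */
    mbr[PT_OFFSET + 8]  = 0x3F;                  /* LBA start = 63         */
    mbr[PT_OFFSET + 14] = 0x04;                  /* sector count = 0x40000 */
    mbr[SIG_OFFSET] = 0x55; mbr[SIG_OFFSET + 1] = 0xAA;
}

/* mode 0: clean.  mode 1: boot code overwritten, table and signature kept
   (the typical infector footprint).  mode 2: same, plus signature wiped. */
int check_sample(int mode) {
    uint8_t base[MBR_SIZE], cur[MBR_SIZE];
    make_baseline(base);
    make_baseline(cur);
    if (mode >= 1) memset(cur, 0x90, 64);        /* clobber start of boot code */
    if (mode == 2) cur[SIG_OFFSET] = 0;
    return mbr_check(cur, base);
}

int main(void) {
    printf("clean=%d infected=%d damaged=%d\n",
           check_sample(0), check_sample(1), check_sample(2)); /* 0, 2, 3 */
    return 0;
}
```

In a real Int 13 intercept the baseline would be the copy stored in the "special" partition table code itself, and the comparison would run on the very first sector 0 read after POST, before any DOS code has executed.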