[comp.virus] Virus Protection

JHSangster@DOCKMASTER.ARPA (09/30/89)

It seems to me that this whole problem will be largely solved when and
only when the vendors all start "signing" their software with a
digital signature based on public key cryptography.  At least then
anyone who wishes to check a program for authenticity need only check to
see that it passes the digital signature check with the alleged
vendor's public key.  Of course you also have to know that the
checking program hasn't been tampered with, the hardware hasn't been
tampered with, etc., etc., but at least we would have a starting point
for software authentication.

The signature approach and the use of signature checking seem to me
the only way to make definitive progress against viruses.  All other
approaches are dependent on details of the viruses' code, which as we
have seen change with time and with each new virus.  Digital
signatures will let us check that at least a trusted source has put
its signature on the code, and that it has not been altered since
then.  Software developers will then have to get serious about
preventing viruses from creeping in at the factory if they are not
already serious.

If members of the appropriate software standards body are listening, I
hope they give consideration to such a standard ASAP.  The standard
should allow for both existing and future developers as well as private
individuals (hobbyists who may develop freeware) to have a unique public
key.  Then software users who neglect to check the signature use the
software at their own risk, but if they experience damage and can prove
it, they will be in a position to apply some heat to the vendor who
provided the signed, but infected, software.

The ideal way to implement checking would be to build it into the
loader.  This may become feasible if a worldwide standard is adopted.
Meanwhile checking could be implemented in a way which did not require
ROM modifications.  The standard could provide for inclusion of the
vendor's public key and the resulting signature in the format of any
loadable file.

-John Sangster SPHINX Technologies, Incorporated (617) 235-8801 / P.O.
Box 81287, Wellesley Hills, MA 02181
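The scheme Sangster sketches (vendor key and signature carried inside the loadable file, checked before the program is trusted) as an added example in Go; this is not code from the post or from SPHINX Technologies. The container layout (magic, 32-byte public key, 64-byte signature, payload) and the Ed25519 algorithm are assumptions for illustration; the post names no format or algorithm. The example also shows the check the post only hints at with "the alleged vendor's public key": the key embedded in the file must be matched against a trust list, because verifying a file against whatever key it ships with proves nothing.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Constructed container layout (an assumption for this example, not any real
// loader format): magic | vendor public key | signature | program payload.
var magic = []byte("SGN1")

const (
	pubLen = ed25519.PublicKeySize // 32 bytes
	sigLen = ed25519.SignatureSize // 64 bytes
)

// signedBytes builds the message that is actually signed: magic plus a
// length-prefixed payload, so the signed data is unambiguous.
func signedBytes(payload []byte) []byte {
	var buf bytes.Buffer
	buf.Write(magic)
	binary.Write(&buf, binary.BigEndian, uint64(len(payload)))
	buf.Write(payload)
	return buf.Bytes()
}

// Sign is the vendor-side step: wrap a program image in the signed container.
func Sign(priv ed25519.PrivateKey, payload []byte) []byte {
	pub := priv.Public().(ed25519.PublicKey)
	sig := ed25519.Sign(priv, signedBytes(payload))
	var out bytes.Buffer
	out.Write(magic)
	out.Write(pub)
	out.Write(sig)
	out.Write(payload)
	return out.Bytes()
}

// Verify is the loader-side step. It returns the payload only if (1) the
// embedded public key belongs to a publisher the user trusts and (2) the
// signature verifies. Check (1) is the part a naive loader omits: anyone can
// generate a key and sign a modified binary with it.
func Verify(file []byte, trusted map[string]ed25519.PublicKey) (vendor string, payload []byte, err error) {
	hdr := len(magic) + pubLen + sigLen
	if len(file) < hdr || !bytes.Equal(file[:len(magic)], magic) {
		return "", nil, errors.New("not a signed container")
	}
	pub := ed25519.PublicKey(file[len(magic) : len(magic)+pubLen])
	sig := file[len(magic)+pubLen : hdr]
	payload = file[hdr:]
	for name, tp := range trusted {
		if tp.Equal(pub) {
			vendor = name
		}
	}
	if vendor == "" {
		return "", nil, errors.New("publisher key is not in the trust list")
	}
	if !ed25519.Verify(pub, signedBytes(payload), sig) {
		return "", nil, errors.New("signature check failed: file altered or forged")
	}
	return vendor, payload, nil
}

// Scenario exercises the three cases a loader cares about: a genuine file, the
// same file after a byte of the image was changed, and a file signed by a key
// that is not on the trust list.
func Scenario() (genuineOK, tamperedRejected, untrustedRejected bool, err error) {
	vendorPub, vendorPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return
	}
	_, rogueKey, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return
	}
	trusted := map[string]ed25519.PublicKey{"Example Vendor (constructed)": vendorPub}

	program := []byte("MZ constructed program image bytes") // constructed payload
	signed := Sign(vendorPriv, program)

	_, got, e1 := Verify(signed, trusted)
	genuineOK = e1 == nil && bytes.Equal(got, program)

	infected := append([]byte(nil), signed...)
	infected[len(infected)-1] ^= 0xFF // simulate a virus patching the image
	_, _, e2 := Verify(infected, trusted)
	tamperedRejected = e2 != nil

	_, _, e3 := Verify(Sign(rogueKey, program), trusted)
	untrustedRejected = e3 != nil
	return
}

func main() {
	g, t, u, err := Scenario()
	fmt.Println("genuine accepted:", g, "tampered rejected:", t, "untrusted key rejected:", u, "err:", err)
}
```

As the post notes, this only moves the trust problem: the loader, the trust list and the hardware underneath them must themselves be intact for the check to mean anything.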

S1CH@SDSUMUS.BITNET (Brian Piersel) (10/04/89)

I'm a new owner of an IBM AT compatible computer, and so I am not
very familiar with the various anti-virus programs. Could someone
explain to me how these work, and/or recommend one to get? Respond
directly to me, if possible. Thanks in advance...

 ------------------------------
 Brian Piersel
 BITNET:    S1CH@SDSUMUS            ICBM: 96.50W 44.20N
 INTERNET:  S1CH%SDSUMUS.BITNET@VM1.NoDak.EDU
      (The Internet address doesn't always work)
 "Live long and prosper."

steve@ucsd.Edu (Steve Misrack) (10/10/89)

I was wondering if somebody could tell me where I can find program
to detect machines infected with viruses.  I would appreciate
knowing where and how to get these programs.

Thanks in advance,
	Steve

smisrack@ucsd.edu

[Ed. Start by taking a look at VIRUSCAN, available via anonymous FTP
from the comp.virus archive sites (including ms.uky.edu).]

Michael_Kessler.Hum@mailgate.sfsu.edu (12/21/90)

I can't say that we have tested all the products on the market, nor
done a side-by-side test of better known products, although we are
intending to set up a test site in January (during the break when some
time will be available for all concerned).  Nonetheless, here is a
preliminary report, which represents my impressions and should not be
construed as an official position in any way, shape or form.

One lab was constantly plagued with Yankee Doodle even though they used
Scan and Vshield.  The problem was that the start volumes (3Com LAN)
could not have Vshield installed on them.  Once F-Prot's F-DRIVER.SYS
was installed (it can be installed on start volumes), the problem
disappeared.  The lab has been virus free for two weeks, whereas before
there were daily occurrences of infections.  Another lab reported that
F-Prot identified an infection of the Stoned virus while Scan did not (I
suspect that the person using it may have forgotten the /M in the
command line).  There was also a complaint that VShield slows down the
boot up process considerably, while F-DRIVER.SYS is hardly noticeable.

For institutions, the McAfee product is expensive.  For educational
institutions F-Prot costs $1 per station.  From our last discussion on
the matter, it appears that F-Prot will be our first line of defense,
(we are considering a site license rather than having each lab invest in
the product) with a suggestion that various individual labs may want to
invest in other products such as Scan or VI-Spy (the ethics of a single
copy user for multiple stations has not really been addressed).  The one
negative comment about F-Prot is that the updates appear to be less
frequent than one might wish.

One final comment about individuals checking their disks.  I installed a
Virus Check menu item on hard disks (visible on the first screen that
comes up) and on the network menus for those machines without hard
disks.  Nonetheless, the hard disks periodically get "stoned", in part
because students use their own programs and therefore tend to boot up
from their disks, but also because they neither believe that they are
the ones carrying the infection, nor wish to spend the time to check
their disks.  They will do so only if they are warned that a program is
infected.

May this prove useful to others.

MKessler@HUM.SFSU.EDU

sulistio@sutro.SFSU.EDU (Sulistio Muljadi) (12/21/90)

Michael_Kessler.Hum@mailgate.sfsu.edu wrote in VIRUS-L volume 205:
> Subject: Virus protection (PC)
>
> [stuff deleted]...
> The one
> negative comment about F-Prot is that the updates appear to be less
> frequent than one might wish.

  One other negative comment about F-Prot is:

F-driver.sys does not check drive A for any possible boot sector virus
when we warm boot the machine.  The V-Shield does check drive A for
any possible boot sector virus and will deny the warm boot if there
is any boot sector virus in the floppy drive A.  Hopefully frisk will
implement this for his next version of F-PROT.  It is a great program.

--
         /\ 		Merry Christmas
        /* \
       /  * \                    and
      / *    \
     /      * \                Happy New Year
    / *    *   \
    ^^^^^^^^^^^^            sulistio@futon.sfsu.edu
        |||   	            sulistio@sutro.sfsu.edu
        |||                 sulistio@sfsuvax1.sfsu.edu
        |||                 UUCP mail : mul@wet.UUCP
^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^

frisk@rhi.hi.is (Fridrik Skulason) (01/04/91)

sulistio@sutro.SFSU.EDU (Sulistio Muljadi) writes:
>Michael_Kessler.Hum@mailgate.sfsu.edu wrote in VIRUS-L volume 205:

>> The one negative comment about F-Prot is that the updates appear to be less
>> frequent than one might wish.

Well, yes, I admit I send out updates less frequently than would be desirable,
but I expect to send out a new version every 4 weeks or so in the future.  The
next version (1.14) should be ready any day now - I am busy adding routines to
detect and remove all the viruses I received at the conference in Hamburg.

>  One other negative comment about F-Prot is:
>
>F-driver.sys does not check drive A for any possible boot sector virus
>when we warm boot the machine.  The V-Shield does check drive A for
>any possible boot sector virus and will deny the warm boot if there
>is any boot sector virus in the floppy drive A.  Hopefully frisk will
>implement this for his next version of F-PROT.  It is a great program.

Sounds like a good idea - I am not sure I will have time to add it in
version 1.14, but if not then it will certainly appear in the next
version after that.

-frisk