tfarrell@lynx.northeastern.edu (12/05/90)
I use a program on my hard drive called LZEXE. It is a shareware program from France, used to compress EXE files so that they take up less disk space. It often achieves approximately 50% savings, and still allows you to run the program. It decompresses the file directly into memory at an astounding speed. If you have a 286 or better, you probably wouldn't even notice the loss of time.

The really neat part, though, is that it includes a self-check into every file compressed with the utility, so that if the file has been changed it will notify you. This would detect the presence of a virus in the software. The program is easy to use, and can also compress COM programs if they are converted to EXE's.

I would be willing to file transfer it to anyone who wants it directly from my PC. I've been using it for about 6 months now without problem, and it passes the latest SCAN I have, so I think it's safe to assume it's clean. Anyway, if you want to file transfer it from me, send me E-mail at my above listed address and we can make arrangements. I support most standard transfer protocols.

Tom Farrell
RADAI@HUJIVMS.BITNET (Y. Radai) (12/06/90)
Tom Farrell writes:
>I use a program on my hard drive called LZEXE. It is a shareware
>program from France, used to compress EXE files so that they take up
>less disk space. It often achieves approximately 50% savings, and
>still allows you to run the program. ....
> .... The really neat part,
>though, is that it includes a self-check into every file compressed
>with the utility, so that if the file has been changed it will notify
>you. This would detect the presence of a virus in the software.

LZEXE really is a nice program, but the part about virus detection is misleading at best. If a virus infects an executable *after* it has been LZEXE-compressed, then this should get detected by LZEXE's CRC check. (Actually, even this part is no longer correct since this check was apparently removed in Ver. 0.91 of LZEXE.)

But the CRC check doesn't help in the least if the file was infected *before* compression. In fact, compression makes matters *worse* in this case since most programs which scan files for known viruses will not detect them within a compressed file. (A few anti-viral programs, such as McAfee's SCAN and Skulason's F-FCHK have been modified to recognize known viruses within LZEXE-compressed files. Unfortunately, this doesn't help against other methods of executable compression, e.g. Microsoft's EXEPACK.)

Y. Radai
Hebrew Univ. of Jerusalem, Israel
RADAI@HUJIVMS.BITNET
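The two cases in the post above, as an added example that is not part of the original thread: a packer-style self-check catches changes made after packing but not content that was present before packing, and a plain signature scan misses that content unless the scanner unpacks first. Assumptions: zlib stands in for LZEXE's compression, the 4-byte CRC container is hypothetical, and the signature and host bytes are constructed and harmless.

```python
import struct
import zlib

# Constructed, harmless byte pattern standing in for a scanner signature.
SIGNATURE = b"CONSTRUCTED-SCANNER-TEST-PATTERN"
# Constructed, highly compressible stand-in for a host program image.
HOST = b"constructed host program code " * 100


def pack(program: bytes) -> bytes:
    """Hypothetical container: CRC32 of the packed body, then the body."""
    body = zlib.compress(program, 9)
    return struct.pack(">I", zlib.crc32(body)) + body


def self_check(container: bytes) -> bool:
    """The packed file's own integrity test: it only sees the packed body."""
    (stored,) = struct.unpack(">I", container[:4])
    return zlib.crc32(container[4:]) == stored


def naive_scan(data: bytes) -> bool:
    """Signature scan over the raw file bytes, with no unpacking."""
    return SIGNATURE in data


def unpacking_scan(container: bytes) -> bool:
    """Signature scan over the decompressed image (trailing bytes ignored)."""
    image = zlib.decompressobj().decompress(container[4:])
    return SIGNATURE in image


def verdicts(container: bytes) -> dict:
    return {
        "self_check_ok": self_check(container),
        "naive_scan_hit": naive_scan(container),
        "unpacking_scan_hit": unpacking_scan(container),
    }


# Pattern present before packing: the CRC is computed over it, so the
# self-check passes, and the raw-byte scan no longer sees the pattern.
PACKED_AFTER_CHANGE = pack(HOST + SIGNATURE)
# Pattern appended after packing: the stored CRC no longer matches.
CHANGED_AFTER_PACK = pack(HOST) + SIGNATURE

if __name__ == "__main__":
    print("changed before packing:", verdicts(PACKED_AFTER_CHANGE))
    print("changed after packing: ", verdicts(CHANGED_AFTER_PACK))
```
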
frisk@rhi.hi.is (Fridrik Skulason) (12/08/90)
tfarrell@lynx.northeastern.edu writes:
>The really neat part,
>though, is that it includes a self-check into every file compressed
>with the utility, so that if the file has been changed it will notify
>you. This would detect the presence of a virus in the software.

No...no...no...

Remember - if the program is infected after it is LZEXEd, then the virus will be activated first, when the program is executed. If it is a "stealth" type virus, the LZEXE self-test is useless, as the infected program will appear uncorrupted.

On the other hand, if the program is first infected, and then LZEXEd, the main effect will be that the majority of current anti-virus programs will not detect the virus. McAfee's SCAN will, and my own F-PROT, but I know of no other programs capable of scanning LZEXE-packed files.

This is a nice program, but not of much use against viruses...

-frisk
davidsen@crdos1.crd.ge.COM (Wm E Davidsen Jr) (12/11/90)
frisk@rhi.hi.is (Fridrik Skulason) writes:
| On the other hand, if the program is first infected, and then LZEXEd,
| the main effect will be that the majority of current anti-virus
| programs will not detect the virus. McAfee's SCAN will, and my own
| F-PROT, but I know of no other programs capable of scanning
| LZEXE-packed files.
|
| This is a nice program, but not of much use against viruses...

I'm not sure that's correct... the stealth virus will return an uncorrupted copy of the program when read by a checking program, and presumably this is what gets compressed by lzexe.

I read it as making the non-stealth harder to find, and eliminating the stealth completely. Comments?

-- 
bill davidsen (davidsen@crdos1.crd.GE.COM -or- uunet!crdgw1!crdos1!davidsen)
VMS is a text-only adventure game. If you win you can use unix.
frisk@rhi.hi.is (Fridrik Skulason) (12/15/90)
davidsen@crdos1.crd.ge.COM (Wm E Davidsen Jr) writes:
>frisk@rhi.hi.is (Fridrik Skulason) writes:
>
>| On the other hand, if the program is first infected, and then LZEXEd,
>| the main effect will be that the majority of current anti-virus
>| programs will not detect the virus.
>
> I'm not sure that's correct... the stealth virus will return an
>uncorrupted copy of the program when read by a checking program, and
>presumably this is what gets compressed by lzexe.

Ah - only if the virus is active when the program is LZEXEd - I am assuming somebody might be using LZEXE on programs known to be infected, in order to hide the virus. That person would be careful not to have the virus active at the time.

If the virus is active, you are correct - the stealth virus will be eliminated.

-frisk