[comp.virus] Products for detecting Viruses

71435.1777@CompuServe.COM (Bob Bosen) (11/03/90)

In Vol 3 issue # 175, Smith writes:

>Virus-L digest entries frequently refer to McAfee's products,
>especially the SCAN products, for detecting viruses. Much less
>frequently, reference is made to one or two other detection
>products. Certainly there must be others out there, aren't there?

Yes. I hope you'll consider "SafeWord VIRUS-Safe" from my company. It
is an extension to MS-DOS that automatically and transparently
examines all your programs as they are loaded for execution. It
quickly calculates a non-forgeable signature for each program being
executed and compares that signature with records from prior
executions. If anything has changed since the last time it was run,
the user is alerted. Otherwise, execution continues without any
disruption. It detects the spread of all known MS-DOS viruses, and is
believed to be capable of detecting the spread of all unknown viruses
when installed and operated according to our recommendations. The
signatures it calculates are consistent with ANSI and ISO standards.
This is commercial software, not shareware. The product design is
optimized for very large installations where hundreds or thousands of
PCs must be protected by a few specialists. Since virus-specific tools
like those from McAfee and Skulason require updating every week or so
in order to be truly expert at removal, they may not be practical as a
first line of defense in large organizations. Our product is intended
as a companion to these other products in large organizations, so the
"rank and file" can be alerted to suspicious file changes. Our product
maintains detailed audit trails to help the experts do their jobs
after suspicious behavior is detected. It's a good match.

-Bob Bosen-
Enigma Logic Inc.
Concord, CA  94520
Internet: 71435.1777@COMPUSERVE.COM
Tel: (415) 827-5707
FAX: (415) 827-2593

vail@tegra.com (Johnathan Vail) (11/08/90)

71435.1777@CompuServe.COM (Bob Bosen) writes:

   Yes. I hope you'll consider "SafeWord VIRUS-Safe" from my company. It
   is an extension to MS-DOS that automatically and transparently
   examines all your programs as they are loaded for execution. It
   quickly calculates a non-forgeable signature for each program being
   executed and compares that signature with records from prior
   executions. If anything has changed since the last time it was run,
   the user is alerted. Otherwise, execution continues without any
   disruption. It detects the spread of all known MS-DOS viruses, and is
   believed to be capable of detecting the spread of all unknown viruses

This technique seems to be a good one for screening for *propagation*
of viruses on a system or network.  I have some questions and some
what if's to run by, if I may:

-- This doesn't detect the program that is spreading the virus, only
  the ones that have been subsequently infected.  Correct?

-- Does this provide any protection from attacks on COMMAND.COM, boot
  sectors or general attacks through DOS or BIOS?

-- Are there programs that legitimately modify themselves with various
  defaults and setup that can trigger the virus detector?

Thanks, jv

"... until then, any action will be like trying to herd cats." -- Gene Spafford
|     | Johnathan Vail | n1dxg@tegra.com
|Tegra| (508) 663-7435 | N1DXG@448.625-(WorldNet)
 -----  jv@n1dxg.ampr.org {...sun!sunne ..uunet}!tegra!vail

71435.1777@CompuServe.COM (Bob Bosen) (11/17/90)

In volume 182, Johnathan Vail refers to my company's product "SafeWord
VIRUS-Safe", stating "This technique seems to be a good one for
screening for *propagation* of viruses on a system or network." He
then asked me some questions, which I hereby answer as follows:

>Q: This doesn't detect the program that is spreading the virus, only
>the ones that have been subsequently infected. Correct?

A: Correct. The information necessary to identify the offending virus
is stored in a separate "audit trail" file that records the
before-and-after file sizes, before-and-after signatures, date and time
when signatures were verified and date and time when changes were
detected, and also a record of when the user was notified of detected
changes and how the user decided to handle the situation. The intent
here is that the audit trail file will help a virus troubleshooter make
a quick and accurate determination of what has caused the problem, when
it entered the system, and how far it has spread.

>Q: Does this provide any protection from attacks on COMMAND.COM, boot
>sectors or general attacks through DOS or BIOS?

A: Yes. Also on IBMBIO.COM (and functional equivalents by other
names), IBMDOS.COM (and functional equivalents by other names),
partition tables, any normally unused sectors that usually reside
physically adjacent to these items, the "leftover" bytes between the
ends of these items and the clusters containing them, etc.

>Q: Are there programs that legitimately modify themselves with various
>defaults and setup that can trigger the virus detector?

A: Yes. Although these are fairly unusual, they do exist and we handle
them simply. Whenever a change is detected in a file, we open up a
window and ask the user if they know of a good REASON why the change in
the file's signature should be authorized. We suggest the possibility
of a configuration change or update since the date when the previous
signature was calculated. If the operator indicates that the changed
signature is expected, then we record the operator's comments in the
audit trail file, update the corresponding file signature, and
proceed. We have found that the resulting audit trail paints a very
accurate and comprehensive picture of the integrity of the system, and
any patterns of infection are quickly deduced by a virus-knowledgeable
person that examines the audit trail file. This provides valuable
guidance to a virus expert armed with the latest from Skulason or

(Remember, this is COMMERCIAL software, not shareware or
public-domain. It is intended for use in large populations of MS-DOS
machines as an integrity check, in support of a group of virus experts
armed with virus-specific removal tools.)

-Bob Bosen-
Enigma Logic Inc.
2151 Salvio Street, #301
Concord, CA   94565   USA
Tel: (415) 827-5707
FAX: (415) 827-2593
Internet: 71435.1777@COMPUSERVE.COM
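
The load-time check and audit trail described in this thread, as an added example that is not part of the original posts and is not Enigma Logic's code. It assumes HMAC-SHA256 as the keyed signature (the posts do not name the algorithm); `KEY`, `check_before_run`, `ask_user` and the file name are hypothetical.

```python
import hashlib, hmac, os, tempfile, time

KEY = b"constructed-demo-key"  # assumption: secret stored away from the checked files

def signature(path, key=KEY):
    """Keyed digest of a file; it cannot be recomputed without the key."""
    mac = hmac.new(key, digestmod=hashlib.sha256)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            mac.update(chunk)
    return mac.hexdigest()

def check_before_run(path, baseline, audit, ask_user):
    """Return True if the program may run; append one audit record per check."""
    size, sig = os.path.getsize(path), signature(path)
    rec = {"time": time.time(), "path": path, "new_size": size, "new_sig": sig}
    old = baseline.get(path)
    if old is None:                       # first run: the current state is trusted
        baseline[path] = (size, sig)
        audit.append({**rec, "event": "enrolled"})
        return True
    if old[0] == size and hmac.compare_digest(old[1], sig):
        audit.append({**rec, "event": "verified"})
        return True
    reason = ask_user(path)               # None means the user refused the change
    audit.append({**rec, "event": "changed", "old_size": old[0], "old_sig": old[1],
                  "authorized": reason is not None, "reason": reason})
    if reason is not None:                # accepted: re-baseline, keep the comment
        baseline[path] = (size, sig)
    return reason is not None

def demo():
    """Constructed scenario: enrol, re-run, modify, refuse, then authorize."""
    baseline, audit, results = {}, [], []
    deny = lambda p: None
    allow = lambda p: "ran setup, changed defaults"
    with tempfile.TemporaryDirectory() as d:
        prog = os.path.join(d, "EDITOR.COM")          # hypothetical program name
        with open(prog, "wb") as f:
            f.write(b"\x90" * 512)                    # constructed stand-in contents
        for step in (deny, deny, "modify", deny, allow, deny):
            if step == "modify":
                with open(prog, "ab") as f:
                    f.write(b"APPENDED")              # constructed 8-byte change
                continue
            results.append(check_before_run(prog, baseline, audit, step))
    return results, audit

if __name__ == "__main__":
    print(demo()[0])
```

The first-run enrolment trusts whatever is on disk at that moment, so a baseline is only meaningful if it is taken from a known-clean state and stored where the checked programs cannot rewrite it.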