[comp.virus] SCANV66 controversy

ts@uwasa.fi (Timo Salmi LASK) (08/13/90)

   We recently placed (/pc/virus/)scanv66.zip for anonymous ftp
download from chyde.uwasa.fi, Vaasa, Finland, 128.214.12.3.
   McAfee has benefited the PC community with excellent virus
checking facilities, but the new scanv66.zip includes a potentially
dangerous and controversial feature.  To quote:

    "This version of SCAN has added an option to
    transparently attach a CRC validation code to all of
    your executable files, your boot sector and your
    partition table.  This will help protect your system in
    case a virus unknown to SCAN is encountered.  SCAN will
    check these validation codes if requested and will
    alert the user to any files or system areas that have
    changed."

   Now there are two problems with this approach.  On the practical
side this method destroys a program's own virus selftest, if it has
one inbuilt based on checksums.  I may have made mistakes, but when I
tried scan /av out on two selftesting programs, the code that scan
attached naturally caused an alarm.  But what is really alarming is
that when I told scan to remove its code, the selftest failed even
after that.  This means that unless I made an error, scan could not
restore the files to their exact original state! The option /rv did
not work in my tests.

   The second problem is one of principle, and is best left for
legally minded persons to work out, but let me point out the dilemma.
What McAfee's scan does is that it certifiably adds code to the host
program, if the user so chooses.  Now this is tantamount to patching,
and very strictly speaking patching (at least copyrighted commercial)
programs may involve problems of legality.  I think that this is
something McAfee should have cleared very carefully before releasing
this potentially compromising method.  Having such a good reputation,
McAfee has at least taken a public risk here.  I really do not know,
but be that as it may, the method has too much virus-resemblance for
comfort.

..................................................................
Prof. Timo Salmi        (Moderating at anon. ftp site 128.214.12.3)
School of Business Studies, University of Vaasa, SF-65101, Finland
Internet: ts@chyde.uwasa.fi Funet: gado::salmi Bitnet: salmi@finfun
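
[Added example, not part of the original posts and not SCAN's code: a sketch of why attaching a validation code to a file trips that program's own whole-file checksum selftest, why removal has to restore the file byte for byte, and how a detached CRC database avoids touching the file. The trailer layout, the marker and the sample data are constructed assumptions; the post does not describe SCAN's actual format.]

```python
import struct
import zlib

MARKER = b"VALCRC"             # constructed trailer tag, not SCAN's real format
TRAILER_LEN = len(MARKER) + 4  # tag plus a 32-bit CRC


def crc(data: bytes) -> int:
    return zlib.crc32(data) & 0xFFFFFFFF


def attach(image: bytes) -> bytes:
    """Append a trailer holding the CRC32 of the original bytes."""
    return image + MARKER + struct.pack("<I", crc(image))


def check_attached(image: bytes) -> bool:
    """True if a trailer is present and matches the body before it."""
    if len(image) < TRAILER_LEN:
        return False
    body, tail = image[:-TRAILER_LEN], image[-TRAILER_LEN:]
    return tail[:6] == MARKER and struct.unpack("<I", tail[6:])[0] == crc(body)


def remove(image: bytes) -> bytes:
    """Strip the trailer only if it verifies, giving back the exact original."""
    return image[:-TRAILER_LEN] if check_attached(image) else image


def self_test(image: bytes, shipped_crc: int) -> bool:
    """Stand-in for a program's own selftest: CRC over its whole file."""
    return crc(image) == shipped_crc


def detached_baseline(files: dict) -> dict:
    """Alternative: keep the CRCs in a separate database, files untouched."""
    return {name: crc(data) for name, data in files.items()}


def changed(files: dict, baseline: dict) -> list:
    """Names whose current CRC no longer matches the recorded one."""
    return sorted(n for n, d in files.items() if baseline.get(n) != crc(d))


# Constructed sample "executable" and the checksum its vendor shipped.
ORIGINAL = b"MZ" + bytes(range(64)) * 4
SHIPPED = crc(ORIGINAL)
```

[With these definitions, self_test(attach(ORIGINAL), SHIPPED) is False, and it becomes True again only when the removal returns exactly ORIGINAL; a removal that leaves even one stray byte keeps the selftest failing.]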

pjc@sirius.melb.bull.oz.au (Paul Carapetis) (08/20/90)

Prof. Timo Salmi states the following:

>    We recently placed (/pc/virus/)scanv66.zip for anonymous ftp
>    download from chyde.uwasa.fi, Vaasa, Finland, 128.214.12.3.
>    McAfee has benefited the PC community with excellent virus
>    checking facilities, but the new scanv66.zip includes a potentially
>    dangerous and controversial feature.  To quote:
>
>     "This version of SCAN has added an option to
>     transparently attach a CRC validation code to all of
>     your executable files, your boot sector and your
>     partition table.  This will help protect your system in
>     case a virus unknown to SCAN is encountered.  SCAN will
>     check these validation codes if requested and will
>     alert the user to any files or system areas that have
>     changed."
>
>    Now there are two problems with this approach.  On the practical

>   ..etc etc

>    The second problem is one of principle, and is best left for
> legally minded persons to work out, but let me point out the dilemma.
> What McAfee's scan does is that it certifiably adds code to the host
> program, if the user so chooses.  Now this is tantamount to patching,
> and very strictly speaking patching (at least copyrighted commercial)
> programs may involve problems of legality.  I think that this is
> something McAfee should have cleared very carefully before releasing
> this potentially compromising method.  Having such a good reputation,
> McAfee has at least taken a public risk here.  I really do not know,
> but be that as it may, the method has too much virus-resemblance for
> comfort.

McAfee has no legal obligation in this case.  His program is "capable"
of modifying files as are many other programs.  The legal onus is upon
the end user to check on licensing agreements that they have accepted
when they bought and commenced using the software.  If the license
agreement explicitly states that the software is not to be modified by
the user in any way, then the user must make the decision as to whether
to ignore this in order to provide better protection against
"vandalware".

I would suggest that software manufacturers worth their salt are
currently implementing self-checking facilities for future releases of
software and these companies would be extremely narrow-minded to
object to modification of current unchecked versions for this type of
protection.

| Paul Carapetis, Software Advisor (Unix, DOS)  |   Phone: 61 3 4200944   |
| Melbourne Development Centre                  |   Fax:   61 3 4200445   |
| Bull HN Information Systems Australia Pty Ltd |-------------------------|
| ACSnet  : pjc@bull.oz                         | What's said here is my  |
| Internet: pjc@melb.bull.oz.au                 | opinion (and its right!)|