Alan_J_Roberts@cup.portal.com (02/27/90)
This is a forward from John McAfee:

=================================================================

A number of Virus-L entries over the past couple of months have discussed virus disinfection issues and the problems with disinfecting certain viruses. Vesselin Bontchev yesterday wrote:

>I spoke with David Chess (at IBM) and he prefers the "delete the
>infected file and restore them from backups" method. But have in
>mind, that the guy from Taiwan is in trouble --- and may not have
>appropriate backups.

I understand Vesselin's point, but in general I favor Dave's approach. In spite of the fact that I produce and distribute a number of disinfector programs, including CLEAN-UP, I always suggest deleting as a first choice. There are many reasons for this, but the primary one is that the process of disinfecting a file always leaves an element of uncertainty in the system.

For example, the Jerusalem virus uses information in the EXE header record to determine how to infect. Often this header record is inaccurate, causing the virus to overlay part of the EXE file, and also causing the virus to update the header record incorrectly. The virus has, in effect, destroyed part of the EXE file, and this destruction is often not noticed immediately by the user. The corrupted area might be seldom referenced, or in a program function area that is bypassed in normal processing. If this is the case, removal will leave a program that will at some point cause inconsistencies, data corruption, or system crashes when the erased area is referenced. There is simply no way to recover the file because there is no way (short of using the original uninfected program) to determine what was in the file before it was overwritten. The Jerusalem is not alone in causing these problems. There are numerous EXE infectors and some COM infectors (405, Vienna) that cannot be successfully recovered in all cases.

What complicates the matter is that it cannot be determined in advance (in all cases) which files will disinfect correctly and which will not. We are left then with a system that will have no more viruses, but we may have applications that are subtly corrupted. This is not good. A program that seems to work, but may have brain damage in a seldom used subroutine, can be as troublesome as a virus. In addition to the above problems, many viruses are continually being modified so that identification may still work, but disinfection will cause complete destruction of the file due to changed offsets and other programming issues.

To get back to my point, I would strongly suggest that infected files be overwritten in their entirety and then deleted if at all possible. Only as a last resort, where backups or original diskettes are unavailable, should disinfection be used.

John McAfee
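The posting above makes two practical points: an EXE whose header no longer agrees with the file on disk cannot be trusted after disinfection, and the safe course is to overwrite the infected file entirely, delete it, and restore a known-good copy. The following Python is an added example written for this page; it is not code from the posting, from Virus-L or from CLEAN-UP. It reads the two DOS MZ header fields that declare the load-image size (e_cblp at offset 2, e_cp at offset 4, 512-byte pages), classifies a file as consistent, carrying trailing data beyond the declared image, or over-claiming what the file holds, checks a file against a known-good SHA-256, and implements the overwrite-then-delete step. The sample images it builds are constructed stand-ins with a 64-byte header, not real programs, and the Jerusalem specifics McAfee describes are not modelled.

```python
import hashlib
import os
import struct
import tempfile
from typing import Optional

# Added example, not from the original posting. It checks the one thing the
# posting says a disinfector cannot repair: whether the MZ header's declared
# image size still agrees with the file on disk. Field offsets (e_cblp at 2,
# e_cp at 4, 512-byte pages) are the documented DOS EXE layout; the images
# built by build_mz_image() are constructed samples, not real executables.

PAGE = 512
HEADER_LEN = 64  # constructed images use a 64-byte (4-paragraph) header


def mz_declared_size(data: bytes) -> Optional[int]:
    """Load-image size declared by the MZ header, or None if not an MZ file."""
    if len(data) < 0x1C or data[:2] != b"MZ":
        return None
    e_cblp, e_cp = struct.unpack_from("<HH", data, 2)
    if e_cblp == 0:
        return e_cp * PAGE
    return (e_cp - 1) * PAGE + e_cblp


def header_consistency(data: bytes) -> dict:
    """Compare the declared image size with the actual file size and classify the result."""
    declared = mz_declared_size(data)
    actual = len(data)
    if declared is None:
        status = "not_mz"
    elif declared == actual:
        status = "consistent"
    elif declared < actual:
        status = "trailing_data"  # bytes past the declared image: the header was not updated
    else:
        status = "overclaims"     # header promises more than the file holds: damaged header
    return {"declared": declared, "actual": actual, "status": status}


def build_mz_image(payload: bytes) -> bytes:
    """Construct a minimal, internally consistent MZ image (constructed sample only)."""
    total = HEADER_LEN + len(payload)
    e_cp = (total + PAGE - 1) // PAGE
    e_cblp = total % PAGE
    header = bytearray(HEADER_LEN)
    header[0:2] = b"MZ"
    struct.pack_into("<HH", header, 2, e_cblp, e_cp)
    struct.pack_into("<H", header, 8, HEADER_LEN // 16)  # e_cparhdr: header size in paragraphs
    return bytes(header) + payload


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def matches_known_good(data: bytes, expected_sha256: str) -> bool:
    """The only acceptance test that removes the uncertainty: the file equals the pristine copy."""
    return sha256_hex(data) == expected_sha256


def overwrite_and_delete(path: str) -> int:
    """Zero the file in place, sync it to disk, then unlink it; returns bytes overwritten."""
    size = os.path.getsize(path)
    with open(path, "r+b") as fh:
        remaining = size
        while remaining > 0:
            chunk = min(remaining, 1 << 16)
            fh.write(b"\x00" * chunk)
            remaining -= chunk
        fh.flush()
        os.fsync(fh.fileno())
    os.remove(path)
    return size


def demo_overwrite_cycle(data: bytes) -> bool:
    """Write data to a temp file, overwrite-and-delete it, and report whether it is gone."""
    fd, path = tempfile.mkstemp()
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    overwritten = overwrite_and_delete(path)
    return overwritten == len(data) and not os.path.exists(path)


if __name__ == "__main__":
    clean = build_mz_image(b"\x90" * 100)          # 164 bytes, header agrees with the file
    trailing = clean + b"X" * 1000                   # data appended, header left untouched
    damaged = clean[:4] + b"\x03\x00" + clean[6:]    # e_cp rewritten to claim three pages
    for name, img in (("clean", clean), ("trailing", trailing), ("damaged", damaged)):
        print(name, header_consistency(img))
    print("trailing matches known-good:", matches_known_good(trailing, sha256_hex(clean)))
    print("overwrite cycle removed file:", demo_overwrite_cycle(clean))
```

A consistent header is not proof of a clean file (an infector that updates the header correctly passes this check), which is exactly why the hash comparison against a pristine copy is the deciding test and the header check only a screen for the damaged cases the posting warns about.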