[comp.virus] Virus signatures & IBM virus scanner

Kevin_Haney@NIHDCRT.BITNET (02/23/90)

With regard to Gerry Santoro's question about the IBM virus scanning
program, the author, Bill Arnold, is constantly updating the program,
improving its performance and including new viral signatures.  The
current version is 1.37 which scans for 58 different signatures and I
assume that if you have an older one you can get an update from IBM.

There is a facility in the program that gives you the ability to add
new viruses to be scanned for by constructing a text file
(ADDENDA.LST) containing the signatures of new viruses.  However, I do
not know of any central place where these signatures can be obtained.
While it is a valid concern that posting signatures may cause virus
authors to change them to create undetectable mutant viruses, I think
this is offset by the need to be able to update a scanning program
rapidly when a new virus is found.  (It is also possible to choose
signatures that cannot be changed without rewriting the whole virus
program.)

Is there in fact a publicly accessible system where new virus
signatures can be found?  If not, it seems that this digest would be a
good place to post such signatures as long as they come from a
reputable and verifiable source.  What do others think?

[Ed. There are a few problems with posting virus signatures.  First,
many developers choose, and indeed prefer, to use in-house developed
signatures.  Second, some viruses cannot be detected by "traditional"
signature scans.  There are more problems, I'm sure.  Still, I'm not
at all opposed to people posting virus signatures, just as long as
everyone realizes the limitations of these signatures.]

    _________________________________________________________
   |                                                         |
   |       Kevin Haney, Computer Specialist                  |
   |       Division of Computer Research and Technology      |
   |       National Institutes of Health                     |
   |       BITNET - Kevin_Haney@NIHDCRT.BITNET               |
   |_________________________________________________________|

CHESS@YKTVMV.BITNET (David.M..Chess) (02/26/90)

Kevin_Haney@NIHDCRT.BITNET writes:

> With regard to Gerry Santoro's question about the IBM virus scanning
> program, the author, Bill Arnold, is constantly updating the program,
> improving its performance and including new viral signatures.  The
> current version is 1.37 which scans for 58 different signatures and I
> assume that if you have an older one you can get an update from IBM.

IBM has made only one version of The IBM Virus Scanning Program
available to the public; this is version 1.0, that was released in
September of 1989.  Any other versions of the IBM program are marked
IBM Internal Use Only, and are not available to the public at this
time.  We definitely urge people *not* to use any program marked IBM
Internal Use Only (except for IBM internal use, of course, or if you
have a specific agreement signed with IBM allowing you to use it).

Dave Chess
IBM T. J. Watson Research Center

G.Moretti@massey.ac.nz (02/27/90)

> Re danger of publishing signature strings.

How about publishing the signatures that have been processed by a one way
algorithm such as Xerox's SNEFRU?  Knowing the processed signature
would let you detect the original sequence without knowing exactly
which bytes were used to form the original sequence.

Possible?

----------------------------------------------------------------------------
|   GIOVANNI MORETTI, Consultant     | EMail: G.Moretti@massey.ac.nz          |
|Computer Centre,  Massey University | Ph 64 63 69099 x8398, FAX 64 63 505607 |
|   Palmerston North, New Zealand    | QUITTERS NEVER WIN, WINNERS NEVER QUIT |
----------------------------------------------------------------------------
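
Added example, not part of the original thread: a sketch of the hashed-signature idea raised in the last post, where only a signature's length and one-way digest are published and a scanner hashes every window of that length. SHA-256 stands in for SNEFRU (which is not in the Python standard library); the names `publish`, `scan`, `SAMPLE_SIG` and the byte values are constructed for illustration and are not real virus signatures.

```python
import hashlib

def publish(signature):
    """What a publisher would post: the signature's length and digest only."""
    return len(signature), hashlib.sha256(signature).hexdigest()

def scan(data, published):
    """Return sorted (name, offset) pairs for windows matching a published digest.

    published maps a name to the (length, hex digest) pair from publish().
    """
    # Group digests by window length so each length needs one pass over the data.
    by_len = {}
    for name, (length, digest) in published.items():
        by_len.setdefault(length, {})[digest] = name

    hits = []
    for length, digests in by_len.items():
        # range() is empty when the data is shorter than the window.
        for off in range(len(data) - length + 1):
            window = hashlib.sha256(data[off:off + length]).hexdigest()
            if window in digests:
                hits.append((digests[window], off))
    return sorted(hits, key=lambda h: h[1])

# Constructed sample: 16 arbitrary bytes standing in for a signature.
SAMPLE_SIG = bytes.fromhex("deadbeef00112233445566778899aabb")
# The scanner is given only this table, never SAMPLE_SIG itself.
PUBLISHED = {"constructed-sample": publish(SAMPLE_SIG)}
# Constructed file image with the byte sequence embedded at offset 100.
SAMPLE_FILE = b"\x90" * 100 + SAMPLE_SIG + b"\x00" * 50

if __name__ == "__main__":
    for name, off in scan(SAMPLE_FILE, PUBLISHED):
        print(f"{name} found at offset {off}")
```

The scan computes one digest per byte offset for each distinct signature length, so it is far slower than a plain byte-string search, and a single changed byte inside the window defeats the match just as it would for a plain signature.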