[comp.virus] Identification strings

frisk@rhi.hi.is (Fridrik Skulason) (02/06/90)

I have been comparing a few little-known virus-detection programs
recently.  There is a problem with some of the less well known
programs, namely that they may appear as infected to some of the other
anti-virus programs.

The reason is that they sometimes store a virus identification string
in unmodified form, and in the case of the shorter viruses, two
programs may have picked the same identification string, which may
cause them to appear as infected to one another.

So - you anti-virus writers out there: Please store identification
strings encrypted, reversed or somehow modified.

Another subject - there is some confusion regarding the terms
"identification string" vs. "signature strings". How about:

        Identification string: A sequence of bytes, used by anti-virus
        programs to check if a program is infected.

        Signature string: A sequence of bytes, used by the virus to check
        if a program is infected.

Comments ?

Fridrik Skulason   -   University of Iceland, Computing Services.
frisk@rhi.hi.is        Technical Editor, Virus Bulletin.
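
Added example, not part of the original post and not code from any scanner discussed in it: a sketch of the cross-scanner false positive described above and of the suggested fix. The identification string, the single-byte XOR key, and the stand-in scanner image are all constructed assumptions.

```python
# Constructed identification string; not taken from any real virus.
ID_STRING = bytes.fromhex("b44ccd21eb0190cd20")
XOR_KEY = 0x5A  # hypothetical key: this is obfuscation, not secrecy


def encode(pattern, key=XOR_KEY):
    """XOR each byte with the key; applying it twice restores the input."""
    return bytes(b ^ key for b in pattern)


def scan(data, patterns):
    """Naive scanner: names of all patterns found anywhere in data."""
    return [name for name, pat in patterns.items() if pat in data]


def scanner_image(stored_table):
    """Stand-in for a scanner executable: filler code plus its stored table."""
    return b"MZ" + b"\x90" * 32 + b"".join(stored_table.values()) + b"\x00" * 16


def load_patterns(stored_table):
    """Decode an encoded on-disk table into scan-ready patterns in memory."""
    return {name: encode(pat) for name, pat in stored_table.items()}


# Scanner A stores the string unmodified; scanner B stores it XOR-encoded.
TABLE_A = {"Constructed.Sample": ID_STRING}
TABLE_B = {"Constructed.Sample": encode(ID_STRING)}
IMAGE_A = scanner_image(TABLE_A)
IMAGE_B = scanner_image(TABLE_B)

# Constructed "infected" file that contains the identification string.
INFECTED = b"\xe9\x10\x00" + b"\x00" * 8 + ID_STRING + b"\xc3"

if __name__ == "__main__":
    # A scanner using the same string flags image A but not image B.
    print("A-style scan of image A:", scan(IMAGE_A, TABLE_A))
    print("A-style scan of image B:", scan(IMAGE_B, TABLE_A))
    # Scanner B still detects the sample after decoding its table.
    print("B scans infected file:", scan(INFECTED, load_patterns(TABLE_B)))
    # B also flags image A: every scanner has to modify its stored strings.
    print("B scans image A:", scan(IMAGE_A, load_patterns(TABLE_B)))
```

The decoded table exists in plain form only in memory while scanning, so the encoding addresses on-disk scans of the scanner's own file and nothing more.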

CHESS@YKTVMV.BITNET (David.M..Chess) (02/12/90)

Fridrik S.:

>  How about:
>
>         Identification string: A sequence of bytes, used by anti-virus
>         programs to check if a program is infected.
>
>         Signature string: A sequence of bytes, used by the virus to check
>         if a program is infected.
>
> Comments ?

Well, by an unhappy coincidence, we tend to use the terms more or less
the other way around, around here.  We call the thing that a virus
checks for the "self-identification", and we call the things that our
scanner scans for "signatures".  (The self-identification, by the way,
isn't always a string of bytes; it can be a bit-pattern in the
timestamp, or just about anything else!)  Not sure what to suggest to
solve the problem; perhaps people can just stop to spell out what they
mean when there's danger of ambiguity?

DC