[comp.virus] Included privileges with programs

V2002A@TEMPLEVM.BITNET (02/02/90)

Hi,

     Ben Smith had an idea to monitor actions taken by programs
and compare those actions with what the vendor says the program needs
to do in order to function.

     I hate to shoot this down but consider this hypothetical case:

"PC-DOS V8.0" includes a security monitor with a list of privileges
for "Norton Super Utilities V6".  This list has "modify memory" and
"write boot sector" listed for Norton.

     Now suppose that a virus, instead of trying to modify the boot
sector by itself, modifies Norton Disk Doctor to do the dirty work?
The monitor program would allow the Disk Doctor full access to the
boot sector and not know that it was really a corrupted Disk Doctor
actually writing viral code to the boot sector instead of making
repairs like the Disk Doctor normally does.

     My point is that even if a program is allowed to perform some
action, how is the monitor supposed to know whether that action is
legitimate or not?


                       Andy Wing
                       Senior Analyst
                       Temple University School of Medicine
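
The hypothetical above, modeled as an added example that is not part of the original post: a monitor that checks only the program's name against its declared privilege list approves the modified Disk Doctor, while a variant that also pins the list to a digest of the vendor's image refuses it. The function names, the SHA-256 pinning and the byte strings standing in for program images are assumptions constructed for illustration.

```python
import hashlib

# Constructed stand-ins for program images; these are not real binaries.
VENDOR_IMAGE = b"DISKDOCTOR: read boot sector, repair, write boot sector"
MODIFIED_IMAGE = VENDOR_IMAGE + b" [code appended by a virus]"

ACTION = "write boot sector"
PROGRAM = "Norton Disk Doctor"


def digest(image: bytes) -> str:
    """SHA-256 of a program image, as a hex string."""
    return hashlib.sha256(image).hexdigest()


# Vendor-declared privilege list, as in the post's hypothetical.
PRIVILEGES = {PROGRAM: {"modify memory", "write boot sector"}}
# Assumption: the vendor also publishes a digest of the image it shipped.
VENDOR_DIGESTS = {PROGRAM: digest(VENDOR_IMAGE)}


def name_monitor(program: str, image: bytes, action: str) -> bool:
    """Monitor from the post: looks at the name and the list, never the image."""
    return action in PRIVILEGES.get(program, set())


def pinned_monitor(program: str, image: bytes, action: str) -> bool:
    """Same list, but it applies only to the exact image the vendor shipped."""
    if action not in PRIVILEGES.get(program, set()):
        return False
    return digest(image) == VENDOR_DIGESTS.get(program)


def run_scenarios():
    """Return (label, name_monitor verdict, pinned_monitor verdict) per image."""
    rows = []
    for label, image in (("vendor", VENDOR_IMAGE), ("modified", MODIFIED_IMAGE)):
        rows.append((label,
                     name_monitor(PROGRAM, image, ACTION),
                     pinned_monitor(PROGRAM, image, ACTION)))
    return rows


if __name__ == "__main__":
    for label, by_name, by_digest in run_scenarios():
        print(f"{label:9} name-only={by_name!s:5} digest-pinned={by_digest}")
```

Pinning detects a changed program file only; it does not tell the monitor whether a boot-sector write by the unmodified program is a repair.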