cpreston@cup.portal.com (12/08/89)
Virus Immortality

There is a growing trend, not just in portable computers, to save the state of the machine when the computer is "turned off". This is a consideration for fault-tolerant or semi-fault-tolerant systems, where there has been great attention paid to saving all files and system state no matter what, but probably these system administrators will be knowledgeable enough to work through the problems created by system design.

There will, however, be users who don't understand what is happening when they put a computer to sleep or turn it off, or even remove the battery. In some cases, even removal of the power supply (battery) does not kill the contents of RAM due to a "keep-alive" smaller battery backup.

Leaving aside the other security implications of always preserving RAM (such as password retention or decrypted file retention), virus detection and removal will certainly be more confusing. In other words, the current practice of telling computer users to be sure their machine has been turned off during virus removal will no longer be sufficient. Even the people who think they are being extra careful by removing the battery for a minute or two will be fooled.

Cases in point:

1. Macintosh Portable. The normal "off" mode is really a sleep mode, with all RAM contents retained. At the touch of a key, the user is able to continue with any operations in progress at the time the machine was left. The running program(s) are still running, data files open, etc. Removal of the main battery will not erase RAM due to a 9 volt backup, designed to ensure continuity during battery switches. According to an Apple representative, use of the reset switch (not the interrupt) will force an immediate power-off to RAM, and a start-up with clean RAM.

2. Zenith MinisPort. Part of RAM can be configured as a non-volatile RAM disk. A number of other machines have this feature also. This shouldn't cause as much problem, since people are used to permanent storage on disks and know that it needs to be checked and purged. Extra RAM can also be configured as EMS memory, probably also non-volatile.

3. Poqet pocket MS-DOS PC. Memory is powered all the time. Even when the batteries are changed, a capacitor will keep the system going for 10 to 15 minutes. The keyboard I/O "on/off" switch merely puts the machine to sleep. There is a recessed reset button which will purge RAM.

4. Toshiba portables. New portables, such as the T1000SE, have an "auto-resume" feature to allow the computer to be turned "off", including changing the battery, while RAM contents are preserved.

5. Emerson Accucard. This is an IBM PC hardware card with its own battery. It is designed to detect a power failure, and save the state of the machine to disk before shutting down. When I called both the company and their national distributor, nobody could tell me whether there was any way to defeat this system, such as cold booting from a floppy disk, without physically removing the card. They promised to call back with more information.