chrisj@cs.utexas.edu (Chris Johnson) (10/24/89)
In VIRUS-L Digest V2 #216, Henry C. Schmitt writes:

>I have used both GateKeeper and SAM Intercept and I prefer the
>latter. The main reason? When "something suspicious" happens,
>GateKeeper says "you can't do that!" then if you want to override,
>you must open the Control Panel select GateKeeper and set up the
>permission; with SAM Intercept, at the time of the happening you can
>allow the action once or LEARN the action then and there!

The reason Gatekeeper does not bring up a custom dialog that would let the user allow an operation is neither sloth, nor indifference to the plight of the user. The reason is *compatibility*. Apple will guarantee that the Notification Manager, which Gatekeeper uses to display its alerts, will be compatible with virtually all software and will certainly be compatible with all future versions of the System. SAM's custom dialog may break in future releases of the System - or it may not. For myself, I can't think of any method that's worth the risk.

Since the author of SAM probably had support from Apple DTS, he may have been provided with techniques that would make a safe implementation possible. I, regrettably, have no real access to DTS (becoming a registered developer requires money I just don't have). If anyone at DTS would be willing to offer some advice on safe ways of approaching the custom-alert problem, I'd *love* to hear it. (Hint, hint.) :-)

One other point though (and please correct me if I'm wrong): I've been told that SAM doesn't provide a way to view all of the privileges that have been granted to various applications, let alone a method of editing them. If this is the case, I have to view it as a far greater problem with SAM than on-the-fly configuration is with Gatekeeper. If someone using your machine inadvertently or unwittingly clicks on the LEARN button when a virus attack is detected, your copy of SAM will have been programmed to let a virus attack succeed in that case, and you'll probably never find out.

Like I said, though, please correct me if I'm mistaken.

On the subject of the Gatekeeper Log file:

>I only see this as being useful if you're trying to track the
>propagation of a virus, but then you have to allow the "suspicious
>action" which GateKeeper doesn't do (unless you gave permission, in
>which case it isn't logged!)

Depends what you mean by "propagation." If you mean the successful spread of a virus, then yes, Gatekeeper won't tell you much simply because it won't permit the spreading to occur in the first place. :-)

But consider what the log file *does* do for you... it will tell you where all of the infection attempts originated from, when they started, what characterized the infection attempt, and it'll even tell you whether or not your machine was booted on a floppy disk and infected that way. Furthermore, if you're a person attempting to quickly gain an understanding of a virus' infection mechanism, running Gatekeeper on a test machine in its "notify only" mode will give you an immediate run-down on how the virus works.

Also, each virus has its own "signature" - even when Gatekeeper stops the virus' spread - in the log file. It is easy, for instance, to tell INIT 29 from Scores merely by looking at the records of their failed attempts at infection as recorded in the Gatekeeper Log. This makes it equally easy to identify both new strains of existing viruses, and totally new viruses. The log file provides an incredible amount of documentation that can be, I believe, extremely useful in protecting an individual or an entire corporation from the influx of viruses.

>I'm not trying to put down GateKeeper, if you want to fight viruses
>cheaply, it's a must! Keep up the good work Chris!
>
> Henry C. Schmitt

Thanks! Gatekeeper 1.2 is in the works.

In the same spirit, I'm not trying to put down SAM - I'm just trying to make sure that Gatekeeper gets full credit where it's due.

----Chris (Johnson)
----Author of Gatekeeper
----chrisj@emx.utexas.edu
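The log-file point made in the post above (a blocked infection attempt still leaves a per-virus pattern, and the pattern lets you spot new strains as well as known ones) can be illustrated with a small log-analysis script. This is an added example, not Gatekeeper's code, and it does not use Gatekeeper's real log format: the line layout, the origin names, the two "known" profiles and the sample records are all constructed here. The idea it demonstrates is general: collect the denied operations per originating program, treat the ordered sequence as a signature, and report exact matches, prefix matches (a possible variant of a known profile) and unknowns for a human to review.

```python
"""Derive per-origin "signatures" from a log of *blocked* operations.

Added example; not Gatekeeper's code and not its real log format.
Record format (assumed for this example):
    <date> <time> Denied <origin> | <operation> | <target>
"""
import re
from collections import OrderedDict

# Constructed sample log: three programs whose attempts were all denied.
SAMPLE_LOG = """\
10/20/89 09:12 Denied  MacWrite     | AddResource CODE | System
10/20/89 09:12 Denied  MacWrite     | AddResource INIT | System
10/20/89 09:13 Denied  MacWrite     | ChangedResource  | Finder
10/21/89 11:40 Denied  Floppy:Game  | AddResource DATA | System
10/21/89 11:40 Denied  Floppy:Game  | AddResource INIT | Desktop
10/22/89 08:05 Denied  Untitled     | AddResource CODE | System
10/22/89 08:05 Denied  Untitled     | AddResource INIT | System
10/22/89 08:06 Denied  Untitled     | ChangedResource  | Finder
10/22/89 08:06 Denied  Untitled     | AddResource DATA | Scrapbook
"""

LINE_RE = re.compile(r'^(\S+ \S+)\s+Denied\s+(\S+)\s*\|\s*(.+?)\s*\|\s*(\S+)$')

# Hypothetical profiles: ordered sequences of denied operations seen before.
# These are made up for the example and describe no real virus.
KNOWN = {
    ("AddResource CODE->System", "AddResource INIT->System",
     "ChangedResource->Finder"): "profile-A",
    ("AddResource DATA->System", "AddResource INIT->Desktop"): "profile-B",
}


def parse_log(text):
    """Return one dict per well-formed log line; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        when, origin, op, target = m.groups()
        records.append({"when": when, "origin": origin, "op": op, "target": target})
    return records


def signatures(records):
    """Map each origin to the ordered tuple of operations it was denied."""
    seq = OrderedDict()
    for r in records:
        seq.setdefault(r["origin"], []).append(f'{r["op"]}->{r["target"]}')
    return {origin: tuple(ops) for origin, ops in seq.items()}


def classify(sig, known=KNOWN):
    """Exact match -> its label; known profile as a prefix -> 'variant of';
    anything else -> 'unknown' (worth a human look)."""
    if sig in known:
        return known[sig]
    for k, name in known.items():
        if sig[:len(k)] == k:
            return f"variant of {name}"
    return "unknown"


def report(text, known=KNOWN):
    """Per origin: label, timestamp of the first attempt, number of attempts."""
    records = parse_log(text)
    first, counts = {}, {}
    for r in records:
        first.setdefault(r["origin"], r["when"])
        counts[r["origin"]] = counts.get(r["origin"], 0) + 1
    return {
        origin: {"label": classify(sig, known),
                 "first_seen": first[origin],
                 "attempts": counts[origin]}
        for origin, sig in signatures(records).items()
    }


if __name__ == "__main__":
    for origin, info in report(SAMPLE_LOG).items():
        print(f'{origin:12} {info["label"]:22} first {info["first_seen"]}'
              f'  attempts {info["attempts"]}')
```

In the constructed sample, "MacWrite" and "Floppy:Game" match the two hypothetical profiles exactly, while "Untitled" repeats profile-A's sequence and then attempts one more operation, so it is reported as a variant rather than silently matched; that is the "new strain of an existing virus" case the post describes, and it surfaces even though every attempt was denied.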