chrisj@cs.utexas.edu (Chris Johnson) (10/24/89)
In VIRUS-L Digest V2 #217, Richard Kennaway (kennaway@sys.uea.ac.uk) writes:

>Paranoid speculation follows.

Paranoia, being a disease, is an inherently bad thing. What follows is, I believe, an unfortunate illustration.

>Maybe someone is using the Joker's trick. There could be several
>infected applications out there, all quietly spreading harmless-looking
>things like STR 801 that don't ring GateKeeper's alarms, but when they
>all come together in one application, the real virus is triggered...

More likely, there's no virus *at*all*. I do believe this is pure paranoia.

Further, there's a good reason that things like STR resources look harmless: they are. Period. They aren't executable, so they don't get executed. In and of themselves they are *utterly* harmless. The end. For a virus to spread, executable code has to move. Although *no* anti-virus scheme is perfect, that is exactly the kind of thing that Gatekeeper watches for. There's no such dichotomy as "real virus" versus un-real virus - either it is a virus, or it isn't. That means that this "Joker's trick" is essentially nonsense - in order for the "harmless-looking things like STR 801" to spread there has to be a real-live virus *doing* the spreading - a virus which, in all probability, systems like Gatekeeper will stop.

>Plug for Virus Detective: with this it was easy to search for all files
>containing STR 700 (legitimate MacWrite resource) or STR 801. All the
>other virus detectors I've seen have the symptoms to look for
>hard-wired. I have no relationship with the author other than being a
>satisfied customer.

Philosophical Point: The problem with tools is that the users have to understand how they work, what they do, and how to use them. A failure of the user on any of these points results in the tool being unable to accomplish its intended purpose. Virus Detective is a fine tool, but it's not being correctly employed here.
Sure enough, most MacWrite files have STR 700 and 801 resources, but just because Virus Detective will allow a person to discover this *doesn't* in any way indicate the presence or involvement of a virus. Like any tool, Virus Detective can be used correctly or incorrectly -- in this case it is being used in an incorrect manner, since the key issue, whether or not there is any reason to believe a virus is involved, has been sidestepped. Virus Detective is now merely serving as a tool to "confirm" baseless fears and assertions.

Gatekeeper, being more a "system" than a "tool", is less prone to feeding wild speculation, since it has its own means of identifying the presence of a virus and, as a result, does not require that the user be a skilled Mac programmer capable of searching out and analyzing would-be new viruses. Of course, Gatekeeper is fallible... but that usually means that users are merely required to tell it what *isn't* a virus, rather than having to search out new viruses from scratch like searching for needles that may-or-may-not be hidden in haystacks. STRs 801 and 700 are good examples of strands of hay mistaken for needles.

Returning to Gatekeeper, the symptoms are not quite "hard-wired". Gatekeeper's philosophy is, basically, that if a virus can't move, add, modify or delete executable resources (there are about 24 types), then it can't spread. And a virus that can't spread isn't really a virus anymore. Of course, you'll still want something like Disinfectant to remove the effectively sterilized virus. The list of executable resources is certainly not hard-wired - it's easily edited by following the instructions in the on-line help. The type of monitoring that Gatekeeper does *is* hard-wired, but in order to establish that this is a problem, a way must first be found to spread a virus without moving, adding, modifying or deleting executable resources.
In short, the hard-wired aspects of Gatekeeper are not a problem - they are *fundamental* protections. This is why Gatekeeper has been able to stop every Mac virus discovered to date, including totally new viruses like ANTI and INIT 29 which were developed *after* Gatekeeper was written. I should add that Gatekeeper's security system has not had to change since it was first released on 2-Jan-89, precisely because it is such a fundamental approach to stopping viruses. Gatekeeper isn't perfect - no anti-virus system is - but it's very good.

I, personally, tend to be a bit defensive with regard to Gatekeeper because I've observed a number of misconceptions that do it sad injustices, while johnny-come-lately packages like SAM and the Virex INIT, etc. are heralded as the first and only fundamental solutions to the Macintosh virus problem. Since Gatekeeper was discussed here in a misleading manner I thought it was important to try to put an end to, at least, the misconceptions illustrated here.

As to the alleged MacWrite virus - paranoia tends to spread... and I've seen a number of postings to other newsgroups from people scared because they've discovered perfectly normal STR resources in their MacWrite documents. This never should have happened. The fact is, the burden of proof is on he who asserts the positive. Yet, for all the talk about this new virus, there's still been no offer of proof of the virus's existence. Nonetheless, the paranoia spreads due to these baseless assertions. If there's some proof, we *need* it and blessings upon whoever provides it, but, for lack of that proof, this discussion should have been terminated long ago.

Given that there's been a delay in the VIRUS-L news recently, maybe this discussion has already died, and I've ranted on needlessly. I certainly hope that's the case.

- ----Chris (Johnson)
- ----Author of Gatekeeper
- ----chrisj@emx.utexas.edu
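As an added illustration of the point argued above (example code written for this page, not Gatekeeper's own code or anything from the post), the following Python constructs two minimal classic Mac resource forks, parses them, and applies the rule the post attributes to Gatekeeper: report only added, deleted or modified resources of executable types, so that STR 700/801 resources in a MacWrite document never fire. The executable-type list is an assumed illustrative subset, not Gatekeeper's actual list of about 24 types, and all sample resources are constructed.

```python
import struct

# Illustrative subset of executable resource types (assumption; not Gatekeeper's real list of ~24)
EXECUTABLE_TYPES = {b"CODE", b"INIT", b"cdev", b"DRVR", b"WDEF", b"CDEF",
                    b"MDEF", b"LDEF", b"PACK", b"FKEY", b"XCMD", b"XFCN"}

def build_fork(resources):
    """Construct a minimal classic Mac resource fork from [(type, id, bytes)].
    Constructed sample input only; the 16-byte header copy in the map is left zeroed."""
    data, refs = bytearray(), {}
    for rtype, rid, payload in resources:
        refs.setdefault(rtype, []).append((rid, len(data)))
        data += struct.pack(">I", len(payload)) + payload      # 4-byte length + data
    types, tl_len = list(refs), 2 + 8 * len(refs)
    type_list, ref_lists = struct.pack(">H", len(types) - 1), bytearray()
    for rtype in types:
        entries = refs[rtype]
        type_list += struct.pack(">4sHH", rtype, len(entries) - 1,
                                 tl_len + len(ref_lists))       # ref-list offset from type list
        for rid, off in entries:
            # id, name offset (0xFFFF = unnamed), attribute byte + 3-byte data offset, handle
            ref_lists += (struct.pack(">hH", rid, 0xFFFF)
                          + off.to_bytes(4, "big") + b"\0" * 4)
    # map: header copy(16) + next handle(4) + refnum(2) + attrs(2), then type/name list offsets
    map_body = (b"\0" * 24 + struct.pack(">HH", 28, 28 + tl_len + len(ref_lists))
                + type_list + ref_lists)
    header = struct.pack(">IIII", 256, 256 + len(data), len(data), len(map_body))
    return header + b"\0" * 240 + bytes(data) + map_body

def parse_fork(fork):
    """Walk the resource map and return [(type, id, bytes)] for every resource."""
    data_off, map_off = struct.unpack_from(">II", fork, 0)
    tl = map_off + struct.unpack_from(">H", fork, map_off + 24)[0]
    out = []
    for i in range(struct.unpack_from(">H", fork, tl)[0] + 1):
        rtype, nres, rl_off = struct.unpack_from(">4sHH", fork, tl + 2 + 8 * i)
        for j in range(nres + 1):
            entry = tl + rl_off + 12 * j
            rid = struct.unpack_from(">h", fork, entry)[0]
            off = struct.unpack_from(">I", fork, entry + 4)[0] & 0xFFFFFF  # drop attribute byte
            length = struct.unpack_from(">I", fork, data_off + off)[0]
            out.append((rtype, rid, bytes(fork[data_off + off + 4:data_off + off + 4 + length])))
    return out

def executable_changes(before, after):
    """Gatekeeper-style rule from the post: flag added/deleted/modified executable resources only."""
    b = {(t, i): d for t, i, d in before}
    a = {(t, i): d for t, i, d in after}
    changed = (set(b) ^ set(a)) | {k for k in b.keys() & a.keys() if b[k] != a[k]}
    return sorted((t.decode("ascii"), i) for t, i in changed if t in EXECUTABLE_TYPES)
```

Comparing two snapshots of a document that differ only in STR resources yields an empty list, while a new or altered CODE or INIT resource in an application is reported by type and id.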