[comp.virus] Comments on IBM Virus Scanner

SOFPJF%UOGUELPH.BITNET@VMA.CC.CMU.EDU (Peter Jaspers-Fayer) (10/12/89)

We got a copy of IBM's virus scanner.   It is much like McAfee's SCAN,
with these differences:

- It is out of date.  McAfee's product is disseminated via network (a
  fact which is looked upon with scorn - or at least with distrust -
  by many corporate people) so it is very current.  IBM's checks for 20+
  viruses which are mostly fairly old, vs 40+ for John's program, some
  of them only weeks old.  I feel this is an important point, as viruses
  CAN spread as fast as eMail.

- IBM's says it checks the "master boot" (partition) record.  Does
  McAfee's?  The documentation says so, but the 'running commentary'
  does not mention it.

- The 'characteristic code signatures' are in plain text, in separate,
  easily editable files.   This allows one to easily add new viruses
  with any DOS text editor.   So when you read (here for instance)
  that the new 'garble' virus can be located by scanning for '00486921FF'
  it is trivial to edit your copy of the table to add scanning for that
  type of virus.  You can also use the same program in a 'grep-like'
  way to scan for any arbitrary string on the disk. (eg 'Copyright')

  To my mind, this has its advantages and disadvantages.  I like the
  idea of publishing 'code signatures', and having people configure
  their own scanners.  Unfortunately, this also makes it easier for
  virus/modifiers to see how they are being caught (like bank robbers
  monitoring Police radio, I guess), and make small mods to make the
  virus 'undetectable' with that particular signature.

I certainly have nothing against John and all the work he's done for us,
but it seems to me IBM's way moves control into the hands of the people,
and is more 'open' (gee, come to think of it, that's pretty strange,
considering origin ;-) (N.B. 'smiley', IBM!)  Any other thoughts on the
pros and cons of having the search strings in plain human-editable
text?  Could someone CC this to John McAfee and post his reply?

 /PJ
How did a fool and his money ever get together in the first place? - Anon
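As an added illustration of the scanner design the post describes (not IBM's or McAfee's code, and not part of the original post): a minimal signature scanner whose signatures live in a plain-text table any editor can change, which matches hex byte strings against raw file contents, and which doubles as a grep for arbitrary strings such as 'Copyright'. The '00486921FF' / 'garble' entry is the post's own illustrative example, not a real virus signature; the sample "infected" file is constructed here. The last function shows the post's caveat: flipping one byte inside the matched region makes the same file invisible to that signature.

```python
"""Plain-text-signature scanner, in the style the post describes.

Added example, not code from IBM's or McAfee's scanner.  Signature names,
file format and the sample bytes are assumptions made here for illustration.
"""
from __future__ import annotations

import re

# Constructed signature table.  Format: name, whitespace, then either a hex
# byte string or a double-quoted ASCII string.  '#' starts a comment.
# '00486921FF' / 'garble' is the post's hypothetical example, not a real
# virus; 'Copyright' shows the grep-like use the post mentions.
SIGNATURE_FILE = """\
# name        signature (hex bytes, or a quoted ASCII string)
garble        00486921FF
copyright     "Copyright"
"""

# The post's example signature, as raw bytes.
GARBLE_SIG = bytes.fromhex("00486921FF")


def parse_signatures(text: str) -> dict[str, bytes]:
    """Turn the editable text table into {name: byte pattern}."""
    sigs: dict[str, bytes] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError(f"line {lineno}: expected 'name signature'")
        name, sig = parts
        if len(sig) >= 2 and sig.startswith('"') and sig.endswith('"'):
            pattern = sig[1:-1].encode("ascii")          # grep-like text search
        else:
            if not re.fullmatch(r"(?:[0-9A-Fa-f]{2})+", sig):
                raise ValueError(f"line {lineno}: bad hex signature {sig!r}")
            pattern = bytes.fromhex(sig)                 # code signature
        sigs[name] = pattern
    return sigs


def scan(data: bytes, sigs: dict[str, bytes]) -> list[tuple[str, int]]:
    """Return (signature name, byte offset) for every match in data, by offset."""
    hits: list[tuple[str, int]] = []
    for name, pattern in sigs.items():
        start = 0
        while (pos := data.find(pattern, start)) != -1:
            hits.append((name, pos))
            start = pos + 1                              # allow overlapping hits
    return sorted(hits, key=lambda hit: hit[1])


# Constructed sample file: an 'MZ' header, filler, the post's signature bytes
# at offset 16, then a copyright string at offset 26.
SAMPLE = (
    b"MZ" + b"\x90" * 14
    + GARBLE_SIG + b"\x00" * 5
    + b"Copyright 1989" + b"\x00" * 8
)


def evaded_variant(data: bytes) -> bytes:
    """Flip one bit in the third byte of the signature region.

    This is the post's point about virus modifiers who can read the table:
    the file is otherwise identical but no longer matches 'garble'.
    """
    idx = data.find(GARBLE_SIG)
    if idx == -1:
        return data
    return data[: idx + 2] + bytes([data[idx + 2] ^ 0x01]) + data[idx + 3 :]


def demo() -> tuple[list[tuple[str, int]], list[tuple[str, int]]]:
    """Scan the original sample and the one-byte-modified variant."""
    sigs = parse_signatures(SIGNATURE_FILE)
    return scan(SAMPLE, sigs), scan(evaded_variant(SAMPLE), sigs)


if __name__ == "__main__":
    original, modified = demo()
    print("original :", original)   # garble at 16, copyright at 26
    print("modified :", modified)   # only copyright at 26
```

Adding a new signature is exactly what the post describes: append one line to the table and rerun, no binary update needed. The flip side is equally visible here: anyone with the same table knows which bytes to change, so a published signature buys detection only until the next trivial edit of the virus.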