[comp.sys.ibm.pc.misc] Virus protection: what to use.

avinash@felix.contex.com (Avinash Chopde) (06/25/91)

I was looking around on the garbo.uwasa.fi site and found it had
plenty of virus scanners/fixer programs.
Do I need to get hold of all of them, or are there one or two
which should suffice ?

And, I'm interested in hearing about any of your own procedures that you
follow to prevent virus infections and perform virus cleanups.
-- 
---------------------------
Avinash Chopde            home :   508 470 1190     office : 617 224 5582
avinash@contex.com       (if that fails, use: contex!avinash@uunet.uu.net)

mig@cunixa.cc.columbia.edu (Meir) (06/26/91)

In article <1964@contex.contex.com> avinash@felix.contex.com (Avinash Chopde) writes:
Scan is one of the best; its companion is called Clean.
Try SCANV77.ZIP....  DON'T USE VERSION 78!!!  Someone uploaded a copy to a BBS
that had a trojan in it.  Also, there is at least one new virus which will get
by 77.  79 should be coming soon, I guess.

* * * * * *  ====================== Meir Green
 * * * * * * ====================== (Internet) mig@cunixb.cc.columbia.edu
* * * * * *  ====================== meir@msb.com  mig@asteroids.cs.columbia.edu
 * * * * * * ====================== (Amateur Radio) N2JPG

mcafee@netcom.COM (McAfee Associates) (06/26/91)

In article <1964@contex.contex.com> avinash@felix.contex.com (Avinash Chopde) writes:
>I was looking around on the garbo.uwasa.fi site and found it had
>plenty of virus scanners/fixer programs.
>Do I need to get hold of all of them, or are there one or two
>which should suffice ?
>
>And, I'm interested in hearing about any of your own procedures that you
>follow to prevent virus infections and perform virus cleanups.
>-- 
>---------------------------
>Avinash Chopde            home :   508 470 1190     office : 617 224 5582
>avinash@contex.com       (if that fails, use: contex!avinash@uunet.uu.net)

Hello Mr. Chopde,

There are lots of anti-viral programs available now, both shareware and
commercial, so without trying to be too specific, here are some things
you may wish to look for:

1.	Type of virus detection offered:  That is, upon what criteria does
the anti-viral program base its "decision" that a virus has been found?  This
is generally broken down into three categories:  filters, change checkers,
and scanners.

A filter is a program that installs itself as a TSR and monitors
the system for virus-like activity (i.e., attempting to format a hard disk,
write to a program file, and so forth).  Filters have the advantage of being
able to detect new viruses because they are not looking for specific viruses,
but rather virus-methods.  The disadvantage is that they can be prone to
false-alarms by programs which may do virus-like activities for legitimate
reasons (say an OS or application update program that patches the executable
code of the original program); they also have to be periodically updated 
when new virus-techniques appear that the program did not monitor; also they
may have to be configured to allow programs that may do virus-like activities
(say, a disk optimization program) to function--this is not really a problem
with individual (home) users, but if you're responsible for several 100's of
PC's, installation could be painful. 

A change checker (and this is a category that includes checksum, cyclic
redundancy checks (CRC's), cryptographic checks, and so on) is a program
that computes a known value for a program file (or other area of the system)
and is then periodically run to compare the program file against.  If the
known value and the just-computed value don't match, then the file has been
modified and may be infected with a virus or otherwise tampered with.  The
advantages to change checkers are that they will detect known and unknown
viruses, like the filter, because they are not checking for specific pieces
of code, but rather for changes to a computed value.  They're also good for
spotting tampering--more of a computer security-related concern than
virus-specific, but it is a function.  The disadvantages of this method are that
this only works if the change checker is installed on a virus-free machine,
otherwise the known values computed will reflect the viral code attached to
its host; also, it's been theorized that if the method of change checking is
known, a virus could be written to add itself to files in such a way that a
checksum identical to the known (good) checksum is generated; the last problem
I can think of with change checkers is that if there is a "stealth" virus
present (A virus that installs itself as kind of a "file handler" in the OS)
then the virus will trap reads by the change checking program, remove the
viral code from the infected file, and then pass on to the CC program a
"clean" file.  This last one can be prevented by booting the computer with a 
clean (virus-free) operating system and then running the change checking
program.

A scanner works by checking the system for pieces of code unique to each
virus.  The scanner reads the files (boot sector, partition table, etc) of
a disk and does a match against a database of bytes that are segments of
viral code unique to each virus.  When a match occurs, a virus is reported.
This is effective for finding known viruses, since a positive ID against
the virus is made.  Of course, a false alarm could also occur if a file
had the same instructions in it.  Scanners can also check for "generic"
routines, like a series of program instructions to format a disk, but 
these are not as reliable as the matching of viral code with its 
"fingerprint" of bytes because a file may use such a routine for
legitimate purposes.  Disadvantages to this are that a scanner will only
detect known viruses and must be updated frequently, a "stealth" virus
could hide from the scanner, and possible false alarms.  And of course,
as more viruses are added, the scanner gets s l o w e r.


2.  Vendor Support:  That is, what sort of assistance will the manufacturer
provide? 

Anti-viral software (like any software tool, only more so <GRIN>) generally
requires more assistance than other forms of software, or perhaps I should
say, more assistance of a specialized nature.  Removing a virus can be
somewhat tricky because a long set of steps have to be precisely followed
to remove a virus AND prevent re-infection.  And of course, there is the
matter of any data on infected media that may have been corrupted in some
way.  So, knowledge (and its accompanying twin, experience) are a factor.
What sort of assistance does the vendor provide?  Does the vendor have a
telephone number, a fax, a BBS, internet or online services address that
you can access?  Is the telephone number 24 hours toll free?  Or limited
hours and toll.  Is there a charge for assistance or is it free?  If there
is a charge, do you have a certain amount of free assistance?  What about
local reps?  Is support handled through the head office which may be in
another country, or are there manufacturer's reps or a branch office in
your state (province, district) or country?

Another factor is currency (yes, money too, but more about that next), by
which I mean how current is the program?  Does it need to be regularly updated?
Does an update file need to be added, or does the package have to be completely
reinstalled each time?  How are updates made available, and for how long?
Can they be downloaded or mailed or faxed to you?  Are they free or do you have
to pay for them?  Do you get a certain amount of free updates?  If so, how
is this handled?  If there is a cost for updates, how much is it?

Is the software purchased (or licensed) for life or for a certain amount of
time?  If for a limited time, then how long?  What happens when the license
period runs out?

And how much does it all cost?  And referrals.  Does the manufacturer have
satisfied customers whom you can ask about the product?
 
Well, sorry for making such a long post, but I did want to address as many
issues as I could think of off the top of my head.  I hope this gives you
some factors to consider.
 
DISCLAIMER:  Yes, I am an employee of McAfee Associates, makers of the VIRUSCAN
and CLEAN-UP anti-viral programs.  However, I have tried to make this as 
objective as possible, without mention of anyone's products, goods, or
services.  

Aryeh Goretsky
-- 
McAfee Associates	 | Voice (408) 988-3832	| mcafee@netcom.com
4423 Cheeney Street	 | FAX   (408) 970-9727	| (Aryeh Goretsky)	
Santa Clara, California	 | BBS   (408) 988-4004	| 
95054-0253  USA		 | v.32  (408) 988-5190	| mrs@netcom.com
ViruScan/CleanUp/VShield | HST   (408) 988-5138 | (Morgan Schweers)
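Two of the three detection approaches described above, as an added example that is not part of the post or of any McAfee product: a toy signature scanner and a digest-based change checker run over constructed sample files. The signature bytes and file names are made up, and the baseline is assumed to be taken on a clean machine, as the post's caveat requires.

```python
import hashlib
import os
import tempfile

# Constructed signature database: made-up byte fragments, not real virus signatures.
SIGNATURES = {
    "DEMO-A": b"\x90\x90\xeb\x10DEMO-A",
    "DEMO-B": b"demo-b-fragment",
}

def scan_file(path, signatures=SIGNATURES):
    """Scanner: names of every signature whose bytes occur in the file."""
    with open(path, "rb") as f:
        data = f.read()
    return sorted(name for name, sig in signatures.items() if sig in data)

def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_baseline(paths):
    """Change checker, step 1: record a known-good digest for each file.
    Assumption: the machine is clean when this runs (the post's caveat)."""
    return {p: sha256_of(p) for p in paths}

def check_changes(baseline):
    """Change checker, step 2: files whose current digest differs from the baseline."""
    return sorted(p for p, digest in baseline.items() if sha256_of(p) != digest)

def demo():
    """Run both checks over constructed sample files in a temporary directory."""
    with tempfile.TemporaryDirectory() as d:
        clean = os.path.join(d, "CLEAN.COM")
        victim = os.path.join(d, "VICTIM.COM")
        for p in (clean, victim):
            with open(p, "wb") as f:
                f.write(b"placeholder program body\n")
        baseline = build_baseline([clean, victim])
        # Simulate tampering after the baseline was taken: bytes appended to one
        # file, which happen to contain a fragment the scanner knows about.
        with open(victim, "ab") as f:
            f.write(SIGNATURES["DEMO-A"])
        return {
            "changed": [os.path.basename(p) for p in check_changes(baseline)],
            "scan": {os.path.basename(p): scan_file(p) for p in (clean, victim)},
        }
```

The change checker flags the modified file regardless of what was appended, while the scanner only reports it because the appended bytes match a known fragment; unknown bytes would be caught by the first and missed by the second.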

ericf@seer.UUCP (Eric Findley) (06/27/91)

In article <1964@contex.contex.com> avinash@felix.contex.com (Avinash Chopde) writes:
>I was looking around on the garbo.uwasa.fi site and found it had
>plenty of virus scanners/fixer programs.
>Do I need to get hold of all of them, or are there one or two
>which should suffice ?
>
>And, I'm interested in hearing about any of your own procedures that you
>follow to prevent virus infections and perform virus cleanups.
>-- 
>---------------------------
>Avinash Chopde            home :   508 470 1190     office : 617 224 5582
>avinash@contex.com       (if that fails, use: contex!avinash@uunet.uu.net)

My personal favorite is the virusSCAN series from McAFEE
and associates.

They're always on top of the latest virus infections out there.

Vshield is also another one of my recommendations...
It is a TSR, and tests the program to be loaded BEFORE it is actually
executed.  Very handy, and a good insurance to boot!

Also, the CLEAN series from McAfee & associates...this program is always
on top with the latest virus infections also...I hear it is one of the best
SHAREware virus utilities out.  But, if you want to spend a lot of money,
go with the NORTON ANTI-VIRUS.  It's another excellent program.


Eric Findley
ericf@seer.mystic.com