To: VIRUS-L@LEHIGH.EDU Subject: VIRUS-L Digest V6 #76 -------- VIRUS-L Digest Monday, 10 May 1993 Volume 6 : Issue 76 Today's Topics: Anti-virus planning Help Student Computer Virus Project? Re: need help removing flip virus (PC) Re: Port Writes (PC) Re: Copyright of Virus Signatures (PC) Re: Anti-virus planning (PC) Re: Anti-virus planning (PC) Re: DOS 6.0 and Scan (McAfee) Interaction (PC) NetShield (NLM) bugs? (PC) XPEH4 Virus Information wanted (PC) McAfee NETSCAN question (PC) Re: info about new virus (PC) Re: NAV Updates (was Central Point Anti-Virus Updates) (PC) Can a virus infect NOVELL? (PC) COMMAND.COM Vaccination (PC) ARCV Viruses (PC) Re: Port Writes (PC) TBAV anti-virus software (complete pkg v6.00) (PC) Anyone have something like this? (PC) Anyone have something like this? (PC) Port Writes (PC) Can a virus infect NOVELL? (PC) integrity master 1.43 (PC) Types of Antivirals (CVP) Evaluation Standard - Numbers again (CVP) VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a non-digested Usenet counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc. (The complete set of posting guidelines is available by FTP on cert.org or upon request.) Please sign submissions with your real name. Send contributions to VIRUS-L@LEHIGH.EDU. Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. A FAQ (Frequently Asked Questions) document and all of the back-issues are available by anonymous FTP on cert.org (192.88.209.5). Administrative mail (comments, suggestions, and so forth) should be sent to me at: . Ken van Wyk, krvw@first.org ---------------------------------------------------------------------- Date: Mon, 10 May 93 02:45:29 +0000 From: rob.borek@rose.com (rob borek) Subject: Anti-virus planning V > a) Let's have one workstation assigned only for virus detection and V > cleaning. As users come into our site, they would be led to this V > workstation to have their diskettes checked for virus. V > V > b) Each time a new user uses a workstation, as soon as he logs into V > the server (automatically), we would check the workstation for V > virus. If it is infected, we would clean or "rebuild" it from the V > server, in order not to have an user diskette infecting another V > user's one. V > V > What do you think of this? You could do both... for b), just insert the virus scanner in the startup files for the workstation. V > V > We thought of using a TSR virus scanner, but I'm a bit worried of having V > it together with the LAN communications TSRs. V > V > Do you think that (or know if) it works? Would you consider another V > options? V > I have never heard of any problems or conflicts with using a TSR virus detenction program... McAffee's Virus Shield supposedly works quite well, and loads into upper memory. I've never heard of any problems with using it on a LAN. Rob Borek Internet: rob.borek@integral.on.ca * Tagline Bad or Missing NO CARRIER - --- RoseReader 2.10 P004797 Entered at [POWERNET] RoseMail 2.10 : PowerNET/Sarnia, ONT. (519) 336-5863 ------------------------------ Date: Sun, 09 May 93 05:17:34 -0400 From: tomw@ccadfa.cc.adfa.oz.au (Tom Worthington) Subject: Help Student Computer Virus Project? The ACS receives many letters from students asking for information to help with computer projects. I thought you might like to help, so here is one frequently asked question to start off with: "I am currently attending TAFE studying my accounting degree. One of the subjects I study is computer applications. I have to complete an assignment on computer viruses and their social implications. If you have any information on the following I would greatly appreciate it if you could send it to me as soon as possible: * How viruses originated * How viruses effect businesses and people * How viruses are combated * Examples of viruses and their cures * The cost of viruses" Please send e-mail replies to me (tomw@adfa.oz.au) or paper replies to: "Virus Question" c/o: Peter Horwood ACS National Office Suite 1, 200 Riley Street Darlinghurst NSW 2010 fax: 02 2811208 Posted by Tom Worthington, Director of the Community Affairs Board, Australian Computer Society Inc. ------------------------------ Date: Sun, 09 May 93 20:30:02 -0400 From: stevet@news.fai.com (Steve Tamanaha) Subject: Re: need help removing flip virus (PC) Either use an entivirus progra , or: NDD c: /rebuild. A more riskier way would be to do FDISK C: /MBR To backup the fat, use norton Image or Msdos 5,or Pctool's Mirror: image c: mirror c: ------------------------------ Date: Sun, 09 May 93 20:53:29 -0400 From: trimm@netcom.com (Trimm Industries) Subject: Re: Port Writes (PC) > > Yes. Most modern hard disk controllers issue a hardware interrupt to > >STOP. Do you really think that THIS is a barrier? I mean, if someone already >takes the trouble to learn and implement Port-Write disk access, what is it >for him to add a Vector Change before and after? Besides, I haven't checked it >yet, but I think it might be possible to tell the IDE NOT to generate this >interrupt. You could simply use the interrupt controller to mask the IRQ of the disk drive. But yes, the disk can be operated in purely a polling mode. The unit atn interrupts are an option. I think a lot of people don't understand how disk controllers in the PC environment work at a port level. The original interface was the WD1003, which is what virtually all MFM, RLL, ESDI and IDE (ATA) disk drives respond to. There are two 8 bit regs you load up with the cylinder, one for the head, one for the sector, and one for the count. Then by writing an opcode into the control register, the operation begins. I've posted at length on this issue on Fido Virus_Info, should I cross- post it here? Gary M. Watson Electronic Engineer trimm@netcom.com ------------------------------ Date: Mon, 10 May 93 02:22:53 -0400 From: alan@saturn.cs.swin.OZ.AU (Alan Christiansen) Subject: Re: Copyright of Virus Signatures (PC) dudleyh@redgum.ucnv.edu.au (Dudley Horque) writes: >CS193560223@lusta.latrobe.edu.au (ENRIQUEZ,L) writes: >> When a virus is found, it does not usually contain a copyright, because >>as far as I can tell, to claim copyright your real name must appear with it. >>Obviously, most virus writers dont want to do this. However, if sometime did >>extract a piece of code (signature) from the virus, and included it in their >>virus scanner, and recieved a fanancial advantage from this inclusion, and th e >>author came forth to claim copyright, would such a case be legal? >Well... the inclusion of the copyright owner's name (and the year of >copyright) is only necessary in the U.S. of A. (where they're backward >enough not to have fully adopted the internationally recognised >copyright laws devised at the Bourne convention). >Secondly, if the virus author could prove that (s)he wrote the virus, >AND the virus scanner contained a substantial piece of the author's >creative effort, then the author WOULD (not could) claim copyright if >(s)he so wished. (S)he could then attempt to sue the trousers off the >parties who infringed their copyright. In the process, however, I would >hope that the author also had their lower garments sued off them for the >grief that the virus caused, AND had the potential to cause. Just to be difficult. I dont believe it is illegal to write a virus. Just to spread it around deliberately. Now If I had written a virus for experimental (mental) purposes and had it on some disks on my desk. Then if someone stole my disks and and computer (a housebreaking.) Then could I claim copyright on any signitures that scanners used to recognise my inadvertantly released virus. ;-} I actually think I couldnt. Sue for copyright. Because any signature used by the virus writers. did not utilise my execute ^^^^^^^ code sequence and the algorithm it represents. The sequence is short and hence not subject to copyright in the same way that a previous post suggested that you cant copyright "A Sheep" ------------------------------ Date: Mon, 10 May 93 06:44:17 -0400 From: duck@nuustak.csir.co.za Subject: Re: Anti-virus planning (PC) Thus spake villas@ax.apc.org: > a) Let's have one workstation assigned only for virus detection and > cleaning. As users come into our site, they would be led to this > workstation to have their diskettes checked for virus. Nothing wrong with this. If you can get a Flash-RAM board set up to be bootable, and install your a-v software there too, then you need not worry about anybody subverting a clean boot [unless they open up the PC], nor need you worry about your a-v modules getting infected. That would be ideal: a PC that basically boots from firmware and does nothing but offer to scan discs. Paint it red and put it next to the coffee machine. Your delegates are then unlikely to miss it.. > b) Each time a new user uses a workstation, as soon as he logs into > the server (automatically), we would check the workstation for > virus. If it is infected, we would clean or "rebuild" it from the > server, in order not to have an user diskette infecting another > user's one. The problem here is that you'd be breaking a basic rule of virus clean-up: Boot From a Clean DOS Floppy. Whilst some (indeed many) viruses can be cleaned up without a clean boot, others may delude you into believing they're gone when they're not. IMO, whilst you might want to handle the reporting of infected workstations automatically, you should arrange for your tech support gurus (aka Emergency Response Team) to handle clean-ups manually. > We thought of using a TSR virus scanner, but I'm a bit worried of having > it together with the LAN communications TSRs. A TSR virus scanner would be great. "On demand" scanners can help tremendously. For instance, if delegates stick in floppies and try to run infected programs, they won't just be alterted to the virus -- the virus will be prevented from actuating. LAN coexistence won't be a problem. I also suggest that if the PCs you're using as workstations permit their boot sequence to be altered to inhibit floppy boot-up that you utilise this "feature" to help suppress boot sector viruses. This won't stop someone who wants to infect a PC from doing so maliciously, but it will help stop accidents. Lastly, I'd suggest that you don't use any "active monitor" a-v software. Active monitors are resident utilities (also known as "behaviour blockers") which watch for apparently virus-like behavious and attempt to prevent it. I think you'll find that the false alarms will probably waste your tech support people's time -- and possibly focus attention on viruses, to the exclusion of other PC issues. Paul /\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\ \ Paul Ducklin duck@nuustak.csir.co.za / / CSIR Computer Virus Lab + Box 395 + Pretoria + 0001 S Africa \ \/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/ ------------------------------ Date: Mon, 10 May 93 06:45:22 -0400 From: duck@nuustak.csir.co.za Subject: Re: Anti-virus planning (PC) Thus spake villas@ax.apc.org: > a) Let's have one workstation assigned only for virus detection and > cleaning. As users come into our site, they would be led to this > workstation to have their diskettes checked for virus. Nothing wrong with this. If you can get a Flash-RAM board set up to be bootable, and install your a-v software there too, then you need not worry about anybody subverting a clean boot [unless they open up the PC], nor need you worry about your a-v modules getting infected. That would be ideal: a PC that basically boots from firmware and does nothing but offer to scan discs. Paint it red and put it next to the coffee machine. Your delegates are then unlikely to miss it.. > b) Each time a new user uses a workstation, as soon as he logs into > the server (automatically), we would check the workstation for > virus. If it is infected, we would clean or "rebuild" it from the > server, in order not to have an user diskette infecting another > user's one. The problem here is that you'd be breaking a basic rule of virus clean-up: Boot From a Clean DOS Floppy. Whilst some (indeed many) viruses can be cleaned up without a clean boot, others may delude you into believing they're gone when they're not. IMO, whilst you might want to handle the reporting of infected workstations automatically, you should arrange for your tech support gurus (aka Emergency Response Team) to handle clean-ups manually. > We thought of using a TSR virus scanner, but I'm a bit worried of having > it together with the LAN communications TSRs. A TSR virus scanner would be great. "On demand" scanners can help tremendously. For instance, if delegates stick in floppies and try to run infected programs, they won't just be alterted to the virus -- the virus will be prevented from actuating. LAN coexistence won't be a problem. I also suggest that if the PCs you're using as workstations permit their boot sequence to be altered to inhibit floppy boot-up that you utilise this "feature" to help suppress boot sector viruses. This won't stop someone who wants to infect a PC from doing so maliciously, but it will help stop accidents. Lastly, I'd suggest that you don't use any "active monitor" a-v software. Active monitors are resident utilities (also known as "behaviour blockers") which watch for apparently virus-like behavious and attempt to prevent it. I think you'll find that the false alarms will probably waste your tech support people's time -- and possibly focus attention on viruses, to the exclusion of other PC issues. Paul /\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\ \ Paul Ducklin duck@nuustak.csir.co.za / / CSIR Computer Virus Lab + Box 395 + Pretoria + 0001 S Africa \ \/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/ ------------------------------ Date: Sun, 25 Apr 93 22:03:22 -0500 From: Josh Panar Subject: Re: DOS 6.0 and Scan (McAfee) Interaction (PC) Donald Gingrich reports: >I am on a dial up help list for viruses among other things. A user group >member rang with the following report. > >1. he booted the machine with the MS DOS 6.0 VSAFE in the autoexec (config?) > (I haven't seen DOS 6.0 yet) >2. he ran McAfee scan with the /chkhi option twice (don't ask why) >3. on the second pass it reported the "filler" virus >4. he has scanned the hard disk with the /chkhi /a options after a cold boot > on a known clean floppy -- nothing found > >seems like a false positive to me. I had this happen with scanv102 and v99. The first time scan was run after a cold boot, no viruses were reported. Thereafter, running scan results in a Filler report in memory. I also spotted Iboot a couple of times (also as a memory virus). A complete scan of my hard drive (6188 files) with /A reported no viruses. This was causing considerable consternation until I checked the Internet and found these reports. I hope the assumptions of false positives are correct. Tnx, J. Panar (416) 959-5079 School of Computer Science, Ryerson Polytechnical Institute Toronto, Ontario, Canada M5B-2K3 ------------------------------ Date: Mon, 10 May 93 13:01:25 +0000 From: wdf2@ns1.cc.lehigh.edu (WILLIAM D FINLEY) Subject: NetShield (NLM) bugs? (PC) Has anyone else installed the latest version of McAfee NetShield (104---150) on their Novell File Servers and noticed a problem with the "On-Access" scanning options. I configured it with "in-coming only" on-access scanning, yet the display indicated all files were being scanned (out-going as well). Has anyone else noticed this??? Is it a bug with the NLM??? It also appear to eat up much more utilization than the previous versions of NetShield. Any feedback would be welcome! - -- /s/ W. D. Finley Dept. of Mathematics wdf2@Lehigh.EDU ------------------------------ Date: Fri, 07 May 93 11:27:03 -0400 From: Garry J Scobie Ext 3360 Subject: XPEH4 Virus Information wanted (PC) Hi there, A PC virus has been discovered within the University which Solomons Findviru v6.12 with drivers dated 23/2/93 identifies as XPEH4.4752. The Eicar ID is F77616D4. There appears to be very little information on this virus and I do not recall any discussion on this board. All information gratefully received. Thanks in advance Garry Scobie LAN Support Officer Edinburgh University Computing Services Scotland e-mail: g.j.scobie@ed.ac.uk ------------------------------ Date: Fri, 07 May 93 17:40:13 +0000 From: "Craig.Williamson" Subject: McAfee NETSCAN question (PC) I am having a problem getting McAfee netscan to scan a complete network disk. I am using V102 of scan and Wollongong NFS to access the net drive. The disks I need to scan are 1.2GB and 660MB and it just stops at random places every time I try. Does netscan handle drives this large? Is my nfs causing the problem? Is there another way I can scan these drives? Any help would be appreciated since we just found Scream2 [696] and I would like to make sure it's not on the net drives. Thanks, Craig - -- "Would you like to surrender now, - -Craig Williamson Captain?" Craig.Williamson@ColumbiaSC.NCR.COM -William Riker, STTNG craig@toontown.ColumbiaSC.NCR.COM (home) ------------------------------ Date: Sat, 08 May 93 11:23:04 -0400 From: al026@YFN.YSU.EDU (Joe Norton) Subject: Re: info about new virus (PC) I have played with a copy of EXEBUG-][, and while it will jump off of the floppy onto my hard drive, I can't get it to infect another floppy. Is it just buggy, not even a virus, or what? I recieved it as a TD0 file that when restored is a 360k disk with a german? copy of DOS system files on it.. - -- ------------------------------ Date: Sun, 09 May 93 17:08:13 -0400 From: yh1@Isis.MsState.Edu (Yi Hong) Subject: Re: NAV Updates (was Central Point Anti-Virus Updates) (PC) I wonder what is the best anti-virus scanner/remover/shield package. I have f-prot and mcafee's scan/vshield/clean, but I wonder which is better or newer or have more virus database. One of my friend also have NAV, and I don't know much about it. CAn you guys tell me about the best or some of the best anti-virus software avaliable by 1. shareware 2. commercial software,etc. ------------------------------ Date: Fri, 23 Apr 93 16:24:09 +0100 From: Malte_Eppert@f6051.n491.z9.virnet.bad.se (Malte Eppert) Subject: Can a virus infect NOVELL? (PC) Hi Kam! > "set executable files read only = on" > Yes, I know the set command is wrong, but what it does is makes > *every* executable file read only and will not allow *any* file to be > writen too, so the only way to upgrade a file is to first delete it and > then copy a new one! That's why this protection is not very effective. Image a virus implementing the following pseudo-code idea: copy to-infect.com temp.moc infect temp.moc del to-infect.com copy temp.moc to-infect.com del temp.moc and your 'protected' executable is straight infected. Such a virus is not likely to be very effective, the only thing I want to show is that some on-the- first-look-bullet-proof methods can be circumvented. You also could 'use' companion-type infectors, or... :-| cu! eppi - --- GEcho 1.00 * Origin: No Point for Viruses - Eppi's Point (9:491/6051) ------------------------------ Date: Fri, 23 Apr 93 16:05:08 +0100 From: Malte.Eppert@f6051.n491.z9.virnet.bad.se (Malte Eppert) Subject: COMMAND.COM Vaccination (PC) Hi Jani! > Executables that have been compressed with PKLITE are basically > immune to infection by viruses that infect executables, including > COMMAND.COM in this case. Uh... a very dangerous statement. In fact it's wrong. See why: > The PKLITE file can still be infected externally > (as reported by McAfee's SCAN), but the actual executable cannot be > infected in this form. The problem is, most viruses don't care if they infect COMMAND.COM internally or externally. They will go resident anyway after the next boot. BTW, if you define "infecting" by "virally change the runtime behaviour of an executable", the executable is infected too, just at another level. For example, you can infect an executable directly by attaching code to or putting into it, and indirectly via exploiting OS capabilities (e.g. companion attack) or its directory file handle (filesystem infection, e.g. DIR-II alias MG Series II alias Creeping Death). Viruses using these infection techniques don' t care about compressing. cu! eppi - --- GEcho 1.00 * Origin: No Point for Viruses - Eppi's Point (9:491/6051) ------------------------------ Date: Tue, 27 Apr 93 12:22:19 -0700 From: aryeh@mcafee.com (McAfee Associates) Subject: ARCV Viruses (PC) Hello All, I've recently received two comments about my posting in comp.virus about the ARCV viruses and would like to clear a couple of points up: 1. The viruses were *ALLEDGEDLY* written by ARCV. There has been no legal determination that ARCV wrote any of the viruses listed. 2. All viruses were for MS-DOS (no Mac, Unix, etcetera). Regards, Aryeh Goretsky McAfee Associates Technical Support - -- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - McAfee Associates, Inc. | Voice (408) 988-3832 | INTERNET: aryeh@mcafee.COM 3350 Scott Blvd, Bldg 14 | FAX (408) 970-9727 | IP# 192.187.128.1 Santa Clara, California | BBS (408) 988-4004 | CompuServe ID: 76702,1714 95054-3107 USA | USR HST Courier DS | or GO MCAFEE ------------------------------ Date: 28 Apr 93 00:13:44 -0000 From: phys169@cantva.canterbury.ac.nz Subject: Re: Port Writes (PC) Yes, it is difficult to stop viruses that use direct port writes. There are things an a-v program can do to spot direct-writes from an unintelligent virus writer, but you can't count on them. Something like OS/2 can spot them, unless the virus gets control first. Hardware alarms would probably be the safest and cheapest long-term solution. Of course viruses with direct writes have to be that much bigger, but that isn't enough to make them obvious now, except in the case of one designed to take control at boot time yet let OS/2 run. The fact that code contains port I-O instructions is the best clue, but it would take the next generation of a-v software to spot it (unless the virus writer didn't bother to encrypt it). I could say more, but there might be a virus writer watching! :-) Mark Aitchison. ------------------------------ Date: Wed, 21 Apr 93 08:07:00 +0200 From: Piet_De_Bondt@f0.n462.z9.virnet.bad.se (Piet De Bondt) Subject: TBAV anti-virus software (complete pkg v6.00) (PC) From: bondt@dutiws.TWI.TUDelft.NL (Piet de Bondt) I have uploaded to WSMR-SIMTEL20.Army.Mil and OAK.Oakland.Edu: pd1: TBAV600.ZIP TBAV anti-virus software (complete pkg v6.00) Thunderbyte Anti-Virus (TBAV) is a toolkit designed to protect against, and recover from computer viruses. It is claimed to be the most complete anti-virus system available. Included are TbScan, TbScanX, TbSetup, TbClean, TbDisk, TbFile, TbMem, TbCheck, and TbUtil. This file has replaced TBAV504.ZIP. Greetings, Piet de Bondt E-mail: bondt@dutiws.twi.tudelft.nl - - - - FTP-Admin for the MSDOS Anti-virus software, @dutiws.twi.tudelft.nl - --- OD 0.0.1 * Origin: C.C.C. (9:462/121.0@VirNet) ====> OverDose Gateway Notice <==== Message is actually from bondt@dutiws.TWI.TUDelft.NL Reply to 9:462/121.0 Internet Gateway with first line of message body beeing: TO: bondt@dutiws.TWI.TUDelft.NL ------------------------------ Date: Tue, 27 Apr 93 11:05:09 +0200 From: Malte_Eppert@f6051.n491.z9.virnet.bad.se (Malte Eppert) Subject: Anyone have something like this? (PC) Hi Hans! > Is it possible that you can get bad sectors because of a virus ? Logically yes (e.g. old DISK-KILLER marks three blocks as bad in the FAT), physically NO. cu! eppi - --- GEcho 1.00 * Origin: No Point for Viruses - Eppi's Point (9:491/6051) ------------------------------ Date: Fri, 23 Apr 93 23:46:32 +0200 From: Hans_Govaarts@f10.n317.z9.virnet.bad.se (Hans Govaarts) Subject: Anyone have something like this? (PC) > From: sali@undergrad.math.uwaterloo.ca (Sayf Ali) Hello Sayf, > Here's the problem: > I just installed DOS V6 on my pc. Now the problem I'm having is > that parts of the disk I have written to are becoming bad > sectors > Has anyone had similar problems? Remedy? It happens more often that a HD gets more bad sectors in it's life, and that doesn't say that your problem is because of a virus infection. Your problem sounds similar to the problem I had with a Kalok HD. There was no virus on it, but after I while I had to format the HD, because of the growth of bad-sectors. After the low-level format I still had the same problems. Is it possible that you can get bad sectors because of a virus ? > Please Help! Greetings Hans. - --- FMail 0.94 * Origin: Orion BBS - Emmen 05910-34151 - 24 uur per dag. (9:317/10) ------------------------------ Date: Sun, 25 Apr 93 11:50:00 +0200 From: Amir_Netiv@f120.n9721.z9.virnet.bad.se (Amir Netiv) Subject: Port Writes (PC) bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) writes: VB: > By a natural way to write to the disk I mean - using the DOS file > system. After all, all DOS manuals are telling you that this is the > way to write to the disk. The question was realy supposed to be "what happeneds at the end when the disk is accessed?" how does the BIOS int-13 access the disk (how does the machine do it in hardware ?). So if you are doing a "natural" int-21 file access request, mabe it starts a long process envolving the board's port- addressing chip? (SCSI is an exeptional here). VB: > The only programs that usually go that low are the programs > from the Norton Utilities and the similar packages - disk organizers, > directory sorters, disk editors. Oh, yes, and CHKDSK uses INT > 26h too - when it needs to fix the FAT(s). And Windows, and some Disk-Doublers, and Disk-Manager, and some programs that swap with the disk, and Anti-Viruses, and ... Well isn't that enogh? What does your common user uses, only a word processor? ;-) VB: > Regarding the DMA, the abbreviation stands for Direct > Memory Access and, as the name suggests, is used to access the > memory in a fast way (bypassing the CPU) - not the disk. The DMA's definition is: Access any combination of I/O and memory !!! So not so surprizingly *ALSO* the disk. Although I agree the disk is (on "normal" operation conditions) an exeptional device and the DMA is usually not assigned to treat it. VB: > Oh yes - why I am not using the product any more. > Well, the Dark Avenger wrote the Number of the Beast viruses, and the > Phoenix viruses, and the two guys from Varna wrote the MG > viruses. All those viruses don't try to bypass INT 13h - instead they > intercept it at two levels and fake a read when they want to do a write - > so our nice protection program sees a read request, tells the > "device ready" watching program "it's OK, buddy, let it pass", but > here comes the virus again and turns the request back to write... A. Just my point. This method is not usefull against many viruses. B. The viruses you've mentioned and the method of replacing Read with Write are not new, there are other old viruses that do that. VB: > If you are an anti-virus researcher worth your salt, you should be > able to understand what I am talking about by looking at the viruses I > mentioned... Thanks for the appreciation. AN: >> Usually the Hardware Anti-Virus products are installed ON the system-bus VB: > Some are, some are not. If you know Central-Point's Option Board (do you?) you'l know what I mean. It is connected in another slot and chains to the flat cable going from the disk ( floppy) controller to the drive. In many cases the floppy will have lots of write problems, Try it on several computers you will see. My opinion is that the viral protection system should be: With minimal overhead, Minimal interference with system operation, Minimal reductionin computer performance, Minimal memory consumption, Minimal changes to the files and system and a lot more... In other words: The computer is a user's working tool, not an Anti-Virus machine. And what you are suggesting has gone far beyond that, it may be good for a virus researcher. AN: >> (in one of the slots), if one does as you suggest (between disk and bus) >> I'd expect "some" 8-) problems (to say the least). VB: > You'd expect? Then you'd expect wrong - as I said, ExVira is installed > exactly in this way. [ excellent installation manual deleted ... ] I say it out of experiance with lots of commercial products that do that, Some users had to reinstall the disk due to Hardware Anti-Virus products. Warmly * Amir Netiv. V-CARE Anti-Virus, head team * - --- * Origin: <<< NSE Software >>> Israel (9:9721/120) ------------------------------ Date: Sat, 17 Apr 93 06:20:00 +0200 From: Xianyow@f0.n462.z9.virnet.bad.se Subject: Can a virus infect NOVELL? (PC) I have a question, can a virus infect NOVELL system? Since there are many read-only files in NOVELL, how can it write into that file? If it can't , how can it live when the power turned off? But I really heard some viruses can infect NOVELL. Can anyone answer me? Thanks in advance! Victor - --- OD 0.0.1 * Origin: C.C.C. (9:462/121.0@VirNet) ====> OverDose Gateway Notice <==== Message is actually from sywu@csie.nctu.edu.tw Reply to 9:462/121.0 Internet Gateway with first line of message body beeing: TO: sywu@csie.nctu.edu.tw ------------------------------ Date: Mon, 10 May 93 07:24:19 -0400 From: HAYES@urvax.urich.edu Subject: integrity master 1.43 (PC) Now available for FTP: Integrity Master 1.43 as I-M143.ZIP. Enjoy, Claude. ========== Site: urvax.urich.edu, [141.166.36.6] (VAX/VMS using Multinet) Directory: [anonymous.msdos.antivirus] FTP to urvax.urich.edu with username anonymous and your email address as password. You are in the [anonymous] directory when you connect. cd msdos.antivirus, and remember to use binary mode for the zip files. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Claude Bersano-Hayes HAYES @ URVAX (Vanilla BITNET) University of Richmond hayes@urvax.urich.edu (Bitnet or Internet) Richmond, VA 23173 ------------------------------ Date: 07 May 93 15:22:00 -0600 From: "Rob Slade" Subject: Types of Antivirals (CVP) PRTAVS7.CVP 930425 Types of Antivirals The foregoing is not to say that a standard for the judging of antiviral software cannot be achieved. It is, however, an extremely difficult task and one which we may not be able to complete at this time. One of the consistent barriers to judging software is that antiviral software comes in many types. I would now like to elucidate *my* list of what those types are. (I am fully aware that there is going to be debate about the number of types of antiviral software. The numbers are not all that important. As we proceed in more depth through the various categories of antiviral systems, you will note that almost endless permutations can be made by a combination of the various features. Hopefully the following will simply allow you to build your own categories and to judge the software that might be best for your situation.) The first commercial antiviral systems to appear, interestingly enough, relied upon encryption. This was likely a hold-over from the fact that most "serious" security types come from a mainframe or communications environment. Encryption is, of course, a good way to ensure that people cannot gain unauthorized access to your information. While it does have some potential for protection of existing software, few systems primarily targeted at viral infections now use encryption at all. Those early encryption systems were often paired with operation restricting software. Restrictive software has continued to be a reasonably popular means of defence, probably because it *does* defend systems and prevent the infection of programs and disks. Closely related to operation restricting software is activity monitoring software. This software, as the name implies, oversees the operation of the computer and alerts the user when suspicious activity takes place. I differentiate it from operation restricting software because control is left in the hands of the user. (Interestingly, a number of these programs are named "Vaccines", even though their method of operation has nothing in common with a biological vaccine.) Change detection software, also known as integrity checking software, determines whether the program, file, or system has changed, as compared against a previously established data base. If a sufficiently broad overview of the system is taken, this will provide 100% effective detection of a viral infection, but it also may raise a number of false alarms. Scanners, particularly signature scanners, are currently the most popular of antiviral software. This is likely due to three factors, the fact that viral programs are specifically identified, the inclusion of disinfecting software with most scanners, and the fact that it's easy to play numbers games with signature scanning programs. copyright Robert M. Slade, 1993 PRTAVS7.CVP 930425 ============== ______________________ Vancouver ROBERTS@decus.ca | | /\ | | swiped Institute for Robert_Slade@sfu.ca | | __ | | __ | | from Research into rslade@cue.bc.ca | | \ \ / / | | Mike User p1@CyberStore.ca | | /________\ | | Church Security Canada V7K 2G6 |____|_____][_____|____| @sfu.ca ------------------------------ Date: 25 Apr 93 23:17:00 -0600 From: "Rob Slade" Subject: Evaluation Standard - Numbers again (CVP) PRTAVS5.CVP 930425 Evaluation Standards - Numbers again We have tried to show some of the difficulties in choosing antiviral software. There are, of course, matters of the type, the test suite against which the computer is effective, the user interface and the "style" of the program or system. Still, surely there must be *some* standard by which to measure antiviral software? In the computer world, the nice thing about standards is that there are so many to choose from. However you divide the different types of software, it is extremely difficult to apply the same standards to various categories. Besides the problems of the "numbers game", in testing a given program against a given suite of viral programs, the importance of the test results are of different importance to a scanner, a change detector, and an operation restrictor. For operation restricting software, it may be of no importance whatsoever that the program does not "catch" infections; so long as the restricting software is 100% effective in preventing the spread of infection, it does not matter whether it ever "identifies" any viri. Change detection software may "catch" all infections, and yet be less effective than a scanner which catches only 90%, but effectively identifies them as well. (Unfortunately, one must also factor in the fact that change detectors will generate a *lot* of "false positives", particularly as software vendors continue to insist on writing programs which modify themselves.) Therefore, a single "numeric" standard, based upon the use of a test suite, would be of little utility in assessing the overall effectiveness of antiviral software. In addition, the environment is constantly changing. Not simply the corporate or user environment, but the number, specific strains and types of viral programs are increasing all the time. One of the newer types of viral programs, as of this writing, is the companion, spawning or "precedence" virus, which, in order to prevent the detection of a changed program, does not change the files on disk at all, but rather takes advantage of the order in which programs are "called for". Thus those operation restricting programs which prevent changes to program files become useless, as do change detectors which peruse only those files in the database at the previous "run". Standards, therefore, which are based upon the currently existing viral environment, will be very quickly outdated, and mostly useless. A single, or even multiple, numeric measure simply does not have sufficient flexibility to gauge antiviral software. It may be possible to construct one, after considerable work. However, even if a criterion reference could be made broad enough to cover the various types of antiviral software, the gauge would have to be a moving one. Thus, antiviral software tested at one point, would have to be retested each time the standard was renewed: at a minimum, that would likely be on a yearly basis. copyright Robert M. Slade, 1993 PRTAVS5.CVP 930425 ============== Vancouver p1@arkham.wimsey.bc.ca | You realize, of Institute for Robert_Slade@sfu.ca | course, that these Research into rslade@cue.bc.ca | new facts do not User p1@CyberStore.ca | coincide with my Security Canada V7K 2G6 | preconceived ideas ------------------------------ End of VIRUS-L Digest [Volume 6 Issue 76] *****************************************