Adaptive Expert System Anti-Virus Technology
A White Paper prepared by Troy C. Klein,
Product Manager for InVircible(r)
June 11, 1993
Copyright (c) 1992,1993 NetZ Computing, Ltd.,
S.C.C., and Tayzen Corporation.
Adaptive Expert System Anti-Virus Technology
The purpose of this paper is to introduce to the
reader the Adaptive Expert System (AES) anti-virus
concept. The AES concept incorporates the ability
to detect, locate, and remove unknown viruses.
This is an alternative to the ubiquitous Virus
Scanner and TSR technology (VS-TSR) which is
limited to processing virus signatures known at
the time of a product's release. The AES
technology is more efficient, is extremely
difficult to compromise, is non-intrusive, and is
actually user friendly. As a bonus, you avoid the
requirement of VS-TSR products that the user
perpetually pay for updates that are ineffective.
AES technology is much more sophisticated than VS-TSR
technology because AES technology emphasizes
protection against viruses without altering memory
usage, disk files, or customary usage patterns of
a computer. AES technology is able to accurately
and completely restore 99.99+% of all virus-infected
executables that AES is protecting, and detect most
of the rest!
Historical Background
---------------------
The introduction of AES by NetZ Computing Ltd. of
Israel (NetZ) in September 1990 introduced
heuristic capabilities to anti-virus technology.
The product that NetZ released in 1990 with
introductions in Israel and France was V-Care(tm),
featuring the VGUARD AES. The XSCAN AES enhanced
V-Care in December 1990. The introduction of V-Care
in the U.S.A. occurred in November 1991.
VGUARD(tm) is unsurpassed in the detection and
disinfection of virus attacks in the three known
virus classes: Boot Sector, FAT/Directory, and
Executables. XSCAN is unique in being able to
locate the primary infection executables, even if
one or more of the virus-introducing files are on
a remote network drive and even if the viruses
have never before been identified. The V-Care
product was renamed InVircible(r) in late 1992
for worldwide marketing and distribution purposes.
NetZ's pioneering contribution to the anti-virus
effort was to transcend the VS-TSR technology that
relied on CRCs or checksums. The superior AES
technology instead uses header-based validation
signatures and sophisticated analyses of evidence
of virus activity. Header-based signatures are a
very reliable and effective technique for the
detection of viruses, and provide an efficient
mechanism for the complete restoration of infected
executable files with no need to identify the
specific infecting virus. NetZ's header-based
signatures file recovery methodology was presented
to the NCSA/AVPD conference held in Washington,
D.C., in November 1991.
After NetZ's introduction of AES technology in
September 1990, other anti-virus packages have
been unsuccessful in attempting to emulate various
aspects of NetZ's AES technology. NetZ still has
the only anti-virus core technology that continues
to be completely effective since its introduction.
Users who obtained V-Care in September 1990 are
still fully protected against the three known
virus classes 32 months later, a track record of
effectiveness no other distributed product is able
to match. The continued effectiveness of the
September 1990 V-Care covers virus categories not
yet identified when V-Care was introduced. These
categories include the polymorphic, mutating, and
encrypting viruses. Like the Energizer(tm) bunny,
NetZ's AES technology keeps working and working.
By the end of 1991, NetZ enhanced the techniques
that handle stealthy viruses to simplify recovery
from the 1963 and the DIR-2 viruses. The enhanced
technique known as Inverse-Piggybacking is
incorporated into the VGUARD AES. The Hyper-Correlator
enhanced technique for locating primary
infection executables is incorporated into the
XSCAN AES. Inverse-Piggybacking is described
later on in this paper.
To understand the practical benefits of the AES
anti-virus paradigm, we will first review the
characteristics of the earlier VS-TSR technology.
This review includes coverage of the innate risks
in continuing to use VS-TSR technology.
Evaluating and Comparing the Performance of Anti-Virus Software
---------------------------------------------------------------
Evaluating anti-virus products is not a simple
exercise. Software packages may usually be
examined by providing appropriate inputs and
determining whether the resulting activities,
results, and outputs are produced accurately and
efficiently. Evaluating anti-virus software is
somewhat problematic, since testing with an
inadequate product may let loose a virus with less
than benign intent. An inadequate product may not
only give false positives, but will give false
negatives if it is unable to detect all viruses.
False positives are possibly more troublesome than
false negatives, because mis-identification may
cause the anti-virus product to undertake
inappropriate remedial actions. For users without
a controlled environment for testing anti-virus
products, what criteria are the best for making a
decision on which anti-virus software to obtain?
Are all anti-virus products based on the same
technology? Does the "number" of viruses known to
an anti-virus product really matter? This paper
addresses these questions by comparing the AES
technology of InVircible and the VS-TSR technology
of other anti-virus packages.
There are two basic approaches to anti-virus
technology. The first approach is based on the
assumption that viruses may be identified by an
invariant sequence of bytes, or signature, before
transfer to a computer's memory, diskettes, or
hard disk (VS-TSR technology). VS-TSR is based on
the premise that viruses may be prevented from
transferring into a computer's memory by pre-identification.
The VS-TSR approach also presumes
that identification of viruses facilitates
surgical removal once a virus is known. The
second approach of AES technology is based on
the premise that virus activity, not identification,
is the mechanism by which any virus' presence may
be detected and removed. AES analyzes viruses by
class (Boot Sector, DIR/FAT, or Executable) with
the classification based on the characteristics of
the virus in the user's computer.
VS-TSR technology assumes that you may prevent an
infection by preventing entry of a virus. This
assumption is idealistic, because unknown viruses
may enter a computer by many avenues, specifically
any hardware with memory with which the computer
is built or exposed to. Viruses may have infected
executables on hard drives, floppy drives, tape
backups, and so on. Purchasers of software are
also never assured of virus-free diskettes, even
from recognized brand name software manufacturers.
With luck, a simple virus may be absolutely and
positively identified if the virus is known due to
its affecting someone else's computer first.
AES technology on the other hand acknowledges that
pre-identification of viruses will never be 100%,
meaning that 100% effective prevention of virus
infection is also unattainable! AES is structured
to accurately do a complete restoration of virus
infected systems and to locate the executables
harboring the original infection without ever
needing to know the identity of the virus. VS-TSR
systems may be able to detect many secondary
infected executables and some primary infected
executables. However, the VS-TSR systems are
unable to locate all infected executables with
secondary infections unless the primary infected
executables harbor only known viruses.
The VS-TSR products face the daunting prospects
of:
> identifying the increasing number of variants
(in both data and logic) of existing viruses,
> the appearance of stealthy viruses that falsify
information reported by DOS,
> the appearance of viruses that piggy-back on
programs that open and close many files (such as
anti-virus scanners),
> the appearance of viruses that mutate themselves
or create mutations in their progeny,
> the appearance of polymorphic viruses that are
able to select different scenarios that trigger
malevolent behavior and reproduction,
> the appearance of viruses able to encrypt their
infections,
> the appearance of viruses able to hijack TSRs,
> the appearance of viruses able to build actual
virus instructions using innocuous code
sequences, and
> the appearance of virus-writing software engines
(some with elaborate "user-friendly" GUI interfaces).
Accordingly, the VS-TSR approach of relying on
preemptive identification is increasingly
ineffective and even dangerous if removal is
attempted after mis-identification for a known
virus. Catastrophic damage is very likely to
occur if removal of any virus is based on a
removal technique for another virus.
How does AES technology rate in comparison with VS-TSR
technology? What are valid criteria for
evaluating the effectiveness of anti-virus
technology? Many rating schemes for VS-TSR
products are based solely on the ability to detect
the limited number of known viruses available to
the rating organization. The VS-TSR motivated
rating schemes are insufficient to validly measure
the power of AES technology that is not limited
simply to the detection of known viruses. To take
the measure of AES technology, a more
comprehensive and rigorous rating scheme is
essential. A tougher standard that AES technology
meets is the scientific principle that it is
better science to assume an assertion is invalid
if any exception exists.
Using that tougher scientific standard, the
assertion that AES technology is completely
effective measures up. Whether AES and VS-TSR
technology are compared on the basis of detection
of known viruses, on technical design, or on an
ability to handle unknown viruses -- the technical
superiority of AES technology remains evident.
While looking at the following examination of AES
and VS-TSR technology, note that the InVircible
implementation of AES technology has an empty list
of viruses that have been undetected, i.e.,
InVircible has yet to meet a virus it couldn't
handle. VS-TSR technology on the other hand has
focused on the easier task of increasing the
number of detectable and known viruses.
A brief study of VS-TSR versus AES technology was
undertaken in November 1992. A representative
VS-TSR product with considerable marketing exposure
was used for tests to validate concerns about
VS-TSR products. This product's accompanying
literature revealed that only about 10% of the
viruses it claims to identify are removable.
Since actual tests are more illustrative than any
claims, the representative VS-TSR product and
InVircible (as the representative of AES
technology) were tested for accuracy of virus
identification and virus removal.
Four viruses were used in the comparison of VS-TSR
and AES: Timor, Net Crasher, DIR-2, and MTE.
Timor, a variant of the classic Jerusalem
parasitic resident generic file infector virus,
was captured at a site in Portugal. Net Crasher,
a virus derived from the Vienna parasitic
non-resident ".COM" infector virus, was captured
days before the comparison tests at the
American-Israeli Paper Mills in November 1992.
DIR-2 is a common resident directory infector virus.
MTE is a parasitic non-resident ".COM" infector virus
with an embedded polymorphic encryption engine in
the virus.
The representative VS-TSR scanner first
mis-identified Timor as Jerusalem or virus 1241 (it
could not decide). If this scanner had attempted
to disinfect based on the assumption of Jerusalem
or 1241, the "restored" files would not have been
correctly restored. The VS-TSR scanner was then
shown Net Crasher, which it incorrectly identified
as Parasite. On the basis of the identification
of Parasite, the scanner asked for and received
permission to take the dramatic step of
overwriting and then erasing the infected
executables. Not only were the identifications of
Timor and Net Crasher incorrect, no restoration
was available. In comparison, the AES InVircible
detected that the executables were infected by
Timor and Net Crasher, and then received
permission to restore completely and accurately
the executables. InVircible even detected that
the executables recovered from Net Crasher have
three bytes of the file overwritten at random!
For the DIR-2 tests, the DIR-2 virus was
permitted to damage the directories of a DOS 5.0
formatted hard disk. Since DIR-2 "locks up" a PC,
rebooting was done from a floppy drive using a DOS
3.3x bootable diskette. After DIR-2 executions
under DOS 5.0 and DOS 3.3x, every executable file
in every directory on the hard disk was cross-linked
into a common cluster. The root directory
files became cross-linked as well. The VS-TSR
scanner incorrectly identified that every file was
infected with Tequila instead of DIR-2. The VS-TSR
scanner's attempt to remove Tequila instead of
DIR-2 caused such extensive damage to low-level
formatting that the hard disk had to be
reformatted with low-level formatting tools
typically available only to disk manufacturers.
The hard disk was low-level formatted and then
returned to the DIR-2 damaged state from which it
was then quickly restored and disinfected by the
InVircible Inverse-Piggybacking technique. The
restoration was exact and complete; no symptoms
then remained to indicate that a DIR-2 infection
had ever been present.
The fourth test was the MTE virus. This
polymorphic virus was mis-identified by the VS-TSR
scanner as Pogue or at other times identified as
Dame (an alias for MTE) depending on which
iteration of the MTE virus it was looking at. The
scanner's suggestion was to delete the files with
the infection, having no removal algorithm.
InVircible, when presented with the infected
files, quickly and accurately restored the
executables infected with MTE.
Experiences with other VS-TSR products are
similar. VS-TSR products are unable to identify
all known viruses accurately, they do not have
disinfection capabilities for all viruses that
they can identify, they often confuse distant
variants with the original virus, and they do not
have the ability to remove the infections that
they are willing to attempt with precision and
completeness. The numbers of viruses have
increased to a large enough population so that the
number of signatures is now a problem for VS-TSRs.
Users prefer not to give up more of the limited
640Kb of memory address space that DOS provides to
accommodate a bigger online virus signature
library. So, VS-TSRs are beginning to choose
between completeness, memory requirements, and
speed. This is resulting in the intentional
omission of some known virus signatures from
VS-TSR signature libraries. Some of the same
products that are now deliberately not including
virus signatures previously implied comprehensive
coverage via virus signature counts.
Previous attempts at comprehensive coverage of
virus signatures are being replaced by subjective
inclusion rules. This may not be reassuring to
someone attacked by a virus that is no longer in
the repertory of the VS-TSR product. In contrast,
InVircible's AES technology is uninvolved with
virus signature libraries. InVircible has a built-in
feature that enables it to capture the entire
virus (logic and data) as a by-product of doing
the normal 100% AES restoration of a virus
infected executable. This facility captures many
previously unidentified virus candidates for
inclusion in the VS-TSR signature libraries -- if
there is room for them in the online VS-TSR
signature libraries.
Using our self-imposed very tough scientific
standard for effectiveness, there has not been one
report that any virus has escaped detection by the
InVircible AES technology. In comparison, there
are many circumstances where VS-TSR technology has
proved to be inherently unreliable for the
detection of viruses. The correct restoration of
any infected executable is outside of VS-TSR
technological capabilities.
What are AES Anti-Virus Techniques?
-----------------------------------
The most fundamental characteristic of a
successful computer virus is its ability to
replicate and propagate into other programs or
computers. In many cases this is the only thing a
virus does. The replication and propagation
characteristics of viruses form the basis for
detection and analysis of virus activity by AES
technology. There are no other computer programs
that behave this way and any logic module
exhibiting this behavior is a priori a virus.
The dictionary defines "generic" as,
"characteristic of a genus or class, applied to a
large group or class, not specific". "Heuristic"
is dictionary defined as, "a method of education
or computer programming in which the pupil or
machine proceeds along empirical lines, using
rules of thumb, to find solutions or answers."
AES technology is both generic and heuristic.
Non-specific generic techniques have been applied
for many years in an area where getting it right
is of deadly crucial importance. These techniques
have been applied for more than 30 years in
electronic warfare where waiting for precise
identification of an opposing submarine or
aircraft can have unfortunate consequences. The
effectiveness of the ECM (Electronic Counter
Measures) techniques in the real world of military
confrontation led to their inclusion in 1989 by
NetZ into the AES InVircible predecessor V-Care.
The incorporation of heuristic techniques by NetZ
advances the effectiveness of AES technology.
Heuristic techniques look at combinations of
expert rules, with the exact combinations used
determined by the environment that AES operates
in. It is unreliable to presume that any subset
of independently applied rules is sufficient to
decide whether an executable is virus-infected or
virus-free. AES looks beyond the obvious
one-dimensional indicators of virus infection and
activity with multi-dimensional analyses that
identify secondary, tertiary, and so on
indicators. A distinct handicap of VS-TSR for the
PC user is that the fixed analysis strategy of
VS-TSR products is predictable and may be
circumvented. AES technology is unlikely to ever
be circumvented (it is inappropriate to say never
circumvented). The generic and heuristic
anti-virus techniques of AES are based on the
innate properties of viruses themselves and take
advantage of these properties for the detection
and removal of viruses.
Virus Detection Strategies -- Active and Passive Sensing of Virus Behavior
--------------------------------------------------------------------------
AES technology uses both active and passive
techniques to detect viruses with generic and
heuristic methods. Active detection is done by
sensing viral behavior using detectable behaviors
and side-effects of the virus itself. Passive
detection is based primarily on differential
detection which is also known as integrity monitoring.
Active detection is based on the premise that
certain phenomena are attributable only to
viruses. InVircible AES technology uses three
primary phenomena that indicate the presence of a
virus: memory stealing, the change in size of an
executable file, and the occurrence of
piggybacking. Alterations to an executable file
are not sufficient to indicate the presence of a
virus, because a benign process may plausibly
alter executable files. For example, while having
an executable do self-modification is not an ideal
programming practice, self-modification is still
often used by software developers instead of using
a separate information (".INI") file. Each of
the three mentioned primary phenomena is a
reliable indicator of potential non-benign
activity in the system. Many viruses disclose
their presence by exhibiting more than one of the
mentioned phenomena.
Boot or partition infectors often avoid being
overwritten in memory by an application by
subverting DOS memory reporting functions -- which
is called "memory stealing". Other classes of
virus infectors do the same, for example, the
Maltese Amoeba whose activities are detected by
inferring memory stealing activity.
An elementary anti-virus technique for detecting
file-infecting viruses is to create ".COM" or
".EXE" files that are designed to entice the
file-infecting virus to attack, thus changing the size
of the infected executable. Non-stealth viruses
may be revealed by this technique. Stealthy
viruses are able to conceal their attack on
fabricated executables and go undetected from the
"bait" executable strategy. Stealthy viruses
escape detection by subverting DOS's reporting
functions that indicate the size of executables,
and so on. InVircible makes use of the stealthy
virus subversion of DOS reporting functions in a
technique developed by NetZ called Inverse-Piggybacking.
Inverse-Piggybacking forces the
virus to play the "Pied Piper" to InVircible,
showing InVircible which executables are infected.
Piggybacking viruses are some of the most
problematic of viruses for VS-TSRs. Many of the
more common and successful viruses are
piggybackers. Some of the more well known
piggyback viruses are Dark-Avenger (an alias is
Eddie), 4096, Irish, Haifa and 1963. New
piggybackers enjoy many months of freedom from VS-TSRs,
because they have an unknown virus signature
and they are spread by VS-TSRs as the VS-TSR
conveniently scans through all of a PC's files. A
new piggybacker virus enjoys several months of
anonymity after it emerges, allowing the
piggybacker virus to go undetected by VS-TSRs and
propagate extremely quickly, sometimes with
assistance from VS-TSRs. For example, the
worldwide distribution of 4096 was facilitated by
a VS-TSR.
There are two characteristics of scanners that
promote them as major target vehicles for
piggybacking viruses. First, virus scanners are
the quintessential programs that access every
single executable file on a disk. This paves the
way for smart viruses to infect every file using
the scanner as a convenient file opener and
closer. Historically, VS-TSRs have not been
piggyback-resistant to unknown piggybacking
viruses. AES techniques are able to detect and
remove piggybacking viruses because these viruses
fall into one of the three known classes of
viruses. Piggybacking resistance was proposed at
the November 1991 NCSA/AVPD conference as a
recommended safety requirement for AV scanning
products. Effective implementation of this
recommendation by VS-TSRs under all possible
conditions has proved elusive.
Header-Based Signatures for Integrity Monitoring and Recovery
-------------------------------------------------------------
By definition, files that are infected by viruses
are modified. By monitoring the integrity of
executable files, infections by unknown viruses
are detectable. Several approaches that are used
by some anti-virus products include two file
modification detectors: checksums and CRCs.
Neither of these two techniques is guaranteed to
be effective in detecting virus modifications.
Files are often modified by both benign procedures
and by viruses, so checksums (with a CRC defined
as a more complicated checksum) are unreliable as
a method of detecting malicious changes to a file
without numerous false alarms. The number of
benign exceptions is so large that checksum
integrity validation is not a reliable anti-virus
technique. As a benign example, any alteration of
the version table of the DOS 5.0 SETVER program
will change the SETVER.EXE file's checksum.
Similar examples of self-modifying executables are
provided by many word processors or compilers.
No combination of exotic and complex calculations
improves the effectiveness of checksums for
anti-virus usage. Checksum strategies yield too many
false-positives and they are easily compromised by
a virus writer who replicates the checksum
algorithm. Checksums at best may be of use to
assure that the file is not a replacement of an
older file bearing the same name, or that a malicious
virus has not overwritten part of the file.
Other anti-virus programs have used another
less-than-desirable technique of incorporating data
into the executable as an "immunizing shell". The
"jacket immunization" process involves the
addition (a virus-like activity!) of 700 to 1500
bytes to each executable file as a protective
shell. When a jacket immunized and infected file
is executed, the protective shell ideally discards
the implanted virus code and restores the file.
Jacket immunization has three major drawbacks:
> it is ineffective against stealthy viruses,
> there are programs that do not tolerate an
immunizing shell, with the DOS 5.0 SETVER.EXE
program especially disrupted, and
> last and least desirable, the requirement that
the infected file must be executed in order to
drop the virus.
There is a much faster, simpler, and more reliable
way to indicate that a file has been modified by a
virus using header-based integrity monitoring
signatures. The header of an executable file is
found in the first few bytes of an ".EXE" file or
".COM" file. All file infector viruses modify
this portion of the executable file, with the
exception of the Emmie virus. The header and a
few other parameters provide sufficient
information for AES technology to detect a virus
infection and then completely and accurately
restore infected executable files (with the
identity of the virus involved effectively irrelevant).
In contrast, the algorithmic removal of a virus
from a file by a scanner fundamentally depends on
the exact identification of the virus, the
extraction of the original header from the virus
code, the reconstruction of the header, and
finally the eradication or truncation of the virus
code from the file. In brief, it is the
application of a matched inverse algorithm to the
executable file. Each particular virus requires a
unique algorithm for the eradication of the virus.
The development of these unique eradication
algorithms is becoming increasingly impossible to
do in a timely manner. In contrast, AES
technology uses multiple techniques to assure that
strategic parts of an executable file are
unchanged rather than to have faith in customized
virus removal algorithms. The increasing number
of closely related viruses and the appearance of
polymorphic viruses makes assured recovery by
scanner an unlikely event.
Header-based restoration of executable files skips
the virus identification of VS-TSRs. Restoration
using header-based signatures is a superior
alternative to the jacket immunization technique
used in some AV products. Restoring an infected
file via a protective shell provides a convenient
platform for a virus to infect other files. With
the VS-TSR drawbacks and the availability of a
very robust and successful alternative with AES
technology, why use immunization? Of all the
products that practiced immunization in the past,
only one continues to use it.
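The integrity record the last two sections describe, as an added Python sketch that is not InVircible's or NetZ's code: the record kept per file is the header bytes, the file length and a CRC of the body past the header; a header or length change is the alarm, and restoration rewrites the stored header and truncates to the stored length, with the body CRC used only to confirm the result. A whole-file CRC is evaluated beside it to show the benign-change false positive the paper attributes to checksums. The 28-byte record size, the synthetic .COM and .EXE images and the tampering functions (which only reproduce the header and length changes the paper attributes to appending file infectors) are my own constructions.

```python
"""Header-based integrity record and restoration for DOS executables."""
import struct
import zlib

HEADER_LEN = 28  # assumed record size: one full MZ header; covers a .COM entry JMP
MZ_FIELDS = ("e_magic", "e_cblp", "e_cp", "e_crlc", "e_cparhdr", "e_minalloc",
             "e_maxalloc", "e_ss", "e_sp", "e_csum", "e_ip", "e_cs",
             "e_lfarlc", "e_ovno")


def take_signature(data: bytes) -> dict:
    """Record header, length and a body CRC; the CRC only confirms a restoration."""
    return {"header": data[:HEADER_LEN], "length": len(data),
            "body_crc": zlib.crc32(data[HEADER_LEN:])}


def header_changed(data: bytes, sig: dict) -> bool:
    """Alarm condition: header bytes or file length differ from the record."""
    return data[:HEADER_LEN] != sig["header"] or len(data) != sig["length"]


def restore(data: bytes, sig: dict) -> bytes:
    """Undo an appending infection: put the recorded header back, cut the tail.
    Raises ValueError when the body no longer matches (prepending or
    overwriting change), since the header record alone cannot rebuild that."""
    if len(data) < sig["length"]:
        raise ValueError("file shorter than recorded; cannot restore")
    candidate = sig["header"] + data[HEADER_LEN:sig["length"]]
    if zlib.crc32(candidate[HEADER_LEN:]) != sig["body_crc"]:
        raise ValueError("body changed beyond the header; restoration unsafe")
    return candidate


def assess(data: bytes, sig: dict) -> tuple:
    """Return ('clean' | 'restored' | 'unrestorable', resulting bytes)."""
    if not header_changed(data, sig):
        return "clean", data
    try:
        return "restored", restore(data, sig)
    except ValueError:
        return "unrestorable", data


def mz_header_diff(before: bytes, after: bytes) -> dict:
    """Name the MZ header fields that differ (entry point, stack, size words)."""
    a = dict(zip(MZ_FIELDS, struct.unpack("<2s13H", before[:HEADER_LEN])))
    b = dict(zip(MZ_FIELDS, struct.unpack("<2s13H", after[:HEADER_LEN])))
    return {k: (a[k], b[k]) for k in MZ_FIELDS if a[k] != b[k]}


# Constructed fixtures: synthetic images only, no real programs or viruses.
def make_com() -> bytes:
    """300-byte .COM image: an entry JMP followed by inert filler."""
    return b"\xe9\x00\x01" + bytes(range(256)) + b"\x90" * 41


def make_exe() -> bytes:
    """768-byte .EXE image: MZ header (2 pages, 32-byte header, CS:IP = 0:0)."""
    hdr = struct.pack("<2s13H", b"MZ", 0x100, 2, 0, 2, 0, 0xFFFF,
                      0x10, 0x100, 0, 0, 0, 0x1C, 0)
    return hdr + b"\x00" * (768 - len(hdr))


def appended_com(data: bytes, tail: bytes) -> bytes:
    """Trace an appending .COM infector leaves: the entry JMP now targets the tail."""
    return b"\xe9" + struct.pack("<H", len(data) - 3) + data[3:] + tail


def appended_exe(data: bytes, tail: bytes) -> bytes:
    """Trace an appending .EXE infector leaves: size and entry fields repointed."""
    f = list(struct.unpack("<2s13H", data[:HEADER_LEN]))
    new_len, load_off = len(data) + len(tail), len(data) - f[4] * 16
    f[1], f[2] = new_len % 512, (new_len + 511) // 512  # e_cblp, e_cp
    f[10], f[11] = load_off % 16, load_off // 16        # e_ip, e_cs
    return struct.pack("<2s13H", *f) + data[HEADER_LEN:] + tail


def benign_table_update(data: bytes) -> bytes:
    """SETVER-style in-place edit of a data table: header and length untouched."""
    return data[:200] + b"\x05\x00" + data[202:]


def demo() -> dict:
    """Run every case; exact restoration is checked by equality with the original."""
    com, exe, tail = make_com(), make_exe(), b"\xcc" * 64
    sig_com, sig_exe = take_signature(com), take_signature(exe)
    r = {}
    v, out = assess(appended_com(com, tail), sig_com)
    r["com_appended"] = (v, out == com)
    hit = appended_exe(exe, tail)
    v, out = assess(hit, sig_exe)
    r["exe_appended"] = (v, out == exe)
    r["exe_fields"] = sorted(mz_header_diff(exe, hit))
    benign = benign_table_update(com)
    r["benign_header_check"] = assess(benign, sig_com)[0]   # no alarm
    r["benign_crc_flags"] = zlib.crc32(benign) != zlib.crc32(com)  # CRC alarms
    r["prepended"] = assess(tail + com, sig_com)[0]
    r["overwritten"] = assess(tail + com[len(tail):], sig_com)[0]
    return r
```

The record must be refreshed when a benign in-place change is accepted, otherwise a later restoration would be rejected against the stale body CRC.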
Piggybacking and Inverse-Piggybacking
-------------------------------------
Full Stealth viruses were introduced with the
appearance of Frodo. Frodo (an alias for 4096) is
the first known virus that exhibited what is
called full stealth virus behavior that is
different from semi-stealth virus behavior. A
common property of full stealth viruses is that
when a full stealth virus infected file is copied
to another file with a non-executable extension
name, the copy is clean of the full stealth virus.
Frodo instigated the development of the
Inverse-Piggybacking AES technique. Inverse-Piggybacking
does not copy the processed file to another
filename but rather swaps roles between the
application and the virus. The virus is in effect
piggybacked by the AES anti-virus program and it
is in fact the virus itself that guides the
disinfection of all files previously infected by
that same virus! Inverse-Piggybacking turns out
to be efficient against all known fully stealthy
file infectors such as Whale, 1963, DIR-2 and
others. Inverse-Piggybacking provides a quick,
efficient, and comprehensive method for dealing
with the otherwise problematic DIR-2 virus.
Inverse-Piggybacking is extremely effective and
efficient and is the only way to restore
virus-infected hard disks that would otherwise be
recoverable only by low-level reformatting due to
scrambling of the partition FAT table and likely
corruption of the bad-sector table.
Inverse-Piggybacking is also much safer than passive
removal of some viruses, 1963 for example.
A special and interesting case is the DIR-2 virus
mentioned earlier in this paper. In many cases,
passive virus scanners will not show a DIR-2
infection, but the DOS CHKDSK command will
indicate the appearance of cross-linking. CHKDSK
only indicates a problem; the user is left to
wonder what actually happened to the hard disk.
Damage caused by a specific full-stealthy virus
will usually be recovered fully by Inverse
Piggybacking when the same virus that caused the
damage is resident in the computer memory.
Restoration of computers that are already infected prior to
installation of an AES product like InVircible
-----------------------------------------------------------
First, InVircible does have an excellent virus
scanner that knows all of the most common and
widespread viruses that may be safely removed
without knowing the status of an executable before
an infection. The AES scanner does not need to be
updated frequently since it is a secondary tool,
and the number of common viruses is far fewer than the
1700 or so known viruses.
Second, the InVircible virus code hyper-correlator
AES program XSCAN may be used to track down
infected files, even those infected by encrypted
viruses. The hyper-correlator is able to list and
remove all files infected by an unidentified virus.
AES Generic Heuristic versus VS-TSR Technology -- A Summary
-----------------------------------------------------------
Two factors are important in the comparison of AES technology
versus VS-TSR technology. First, viruses will
continue to be written in larger numbers, although
probably not at the apocalyptic rates predicted by
some prognosticators. Yet, this proliferation
increases the likelihood that computers will be
infected by viruses not previously identified by
some other unfortunate user. Preparing for the
virus problem requires that the tools used are
capable of dealing with unknown viruses that may
not even exist today.
Second, the most widespread and common viruses are
initially non-destructive since they need the
opportunity to spread. The fact that a virus
(or its progeny) has become widespread indicates that
it has not destroyed itself in the reproduction
process, and that it has not been caught and
removed. A destructive virus inherently betrays
its own presence and will lose its chances to
propagate. This rule -- The Survival Of The
Fittest of computer viruses -- has been repeatedly
proven with all common and widespread viruses
known today and is fundamental to understanding
the persistence of the computer virus problem.
Viruses can be dealt with in a safe and effective
manner even after a computer is infected.
Consider the rationale of the VS-TSR. The primary
role of the VS-TSR is to prevent the entrance of
viruses. Only known viruses may be readily and
effectively excluded from a computer by a VS-TSR.
A virus known to a VS-TSR may sometimes be removed
by the cleaning option of the VS-TSR. Unknown
viruses are ignored or mis-identified as a known
virus. There is another major pitfall of VS-TSRs:
they may themselves be hijacked as a vehicle to
attack a PC's executables. The question is: Why
suffer the penalties of the VS-TSR, including loss
of memory space, frequent false alarms, a conduit
for viruses, and degraded computer performance,
when the same result is obtainable by other means?
The AES approach suggests that once in the
computer, any virus must one way or the other
become active and reveal the virus' presence even
if the virus is dormant for some period of time.
AES technology that is used regularly (at each
booting for example), allows complete removal of
viruses from AES protected executables. Since
viruses must be non-destructive for a while in
order to propagate, there is no reason to be
alarmed by the fact that the computer's defenses
have been "penetrated". There is no 100%
effective software technique that prevents the
introduction of a computer virus. On the other
hand, if the virus is destructive (which is highly
unlikely if the virus made it all the way to your
computer!), then most probably it cannot be
stopped by a TSR or any other software-based method.
PC users using initially low-cost VS-TSRs are
reluctant to switch to a more cost effective AES
implementation until they understand the perpetual
maintenance cost of VS-TSR "updates". For
nostalgic reasons, many PC users are especially
attached to their favorite, and usually out-of-date
virus scanner. This "Maginot Line" defense
philosophy is unfortunately applied to computer
viruses. VS-TSR users often state a variation of,
"It must be OK, because it (the anti-virus scanner
product) has not indicated any problems," so far!
AES virus removal is facilitated principally by
header-based restoration based on information
extracted from the executable. The AES method is
non-intrusive (it does not alter programs as
jacket immunization does) and is extremely
efficient and safe. AES technology will
increasingly show its advantages as the number of
mutating, polymorphic, and encrypting viruses
grows. Even though the AES technological approach
is a better defense against viruses, it is
preferable that users adopt it before the potential
economic costs of the VS-TSR approach are
unfortunately realized.
InVircible is the only commercially available
implementation of AES technology.
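The header-based restoration described above can be illustrated with a small integrity check over the DOS MZ executable header. This is an added example, not InVircible's or NetZ's code; the 64-byte executable image, its tampered copy, and the baseline record format are all constructed here for illustration.

```python
import struct

# 28-byte DOS "MZ" header layout (constructed example, not InVircible's code).
# An appending infector usually rewrites the size and entry fields here.
MZ = struct.Struct("<2s13H")
FIELDS = ("magic", "e_cblp", "e_cp", "e_crlc", "e_cparhdr", "e_minalloc",
          "e_maxalloc", "e_ss", "e_sp", "e_csum", "e_ip", "e_cs",
          "e_lfarlc", "e_ovno")

def parse_header(image):
    hdr = dict(zip(FIELDS, MZ.unpack_from(image, 0)))
    if hdr["magic"] not in (b"MZ", b"ZM"):
        raise ValueError("not a DOS executable")
    return hdr

def declared_size(hdr):
    """Size the header claims: full 512-byte pages plus the last partial page."""
    last = hdr["e_cblp"]
    return (hdr["e_cp"] - 1) * 512 + last if last else hdr["e_cp"] * 512

def take_baseline(image):
    """Record the header fields and length of a known-clean executable."""
    return {"header": parse_header(image), "size": len(image)}

def check(image, baseline):
    """Header fields that drifted from the baseline, plus 'appended' if the file
    grew and 'size_mismatch' if the header disagrees with the actual length."""
    hdr = parse_header(image)
    drift = [f for f in FIELDS if hdr[f] != baseline["header"][f]]
    if len(image) > baseline["size"]:
        drift.append("appended")
    if declared_size(hdr) != len(image):
        drift.append("size_mismatch")
    return drift

def restore(image, baseline):
    """Rewrite the header from the record and truncate to the recorded length.
    Undoes a header redirect plus appended code, not overwritten body bytes."""
    fixed = bytearray(image[: baseline["size"]])
    MZ.pack_into(fixed, 0, *(baseline["header"][f] for f in FIELDS))
    return bytes(fixed)

# Constructed 64-byte sample: 32-byte header area (e_cparhdr=2) + 32-byte body.
CLEAN = (MZ.pack(b"MZ", 64, 1, 0, 2, 0, 0xFFFF, 0, 0x100, 0, 0, 0, 0x1C, 0)
         .ljust(32, b"\0") + b"\x90" * 32)
# Constructed tampered copy: 48 bytes appended, size and entry segment moved.
TAMPERED = bytearray(CLEAN + b"\xCC" * 48)
MZ.pack_into(TAMPERED, 0, b"MZ", 112, 1, 0, 2, 0, 0xFFFF, 0, 0x100, 0, 0, 2, 0x1C, 0)
TAMPERED = bytes(TAMPERED)
```

Running `check(TAMPERED, take_baseline(CLEAN))` reports the drifted `e_cblp` and `e_cs` fields plus the appended bytes without any virus signature, and `restore` returns an image identical to `CLEAN`.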
As a final note, anti-virus software will never be
a substitute for other defensive computing
practices. This involves keeping a complete set
of backups, providing electrical and communication
line protections, and becoming very aware of what
is normal for a specific computer. An AES product
such as InVircible will assist a well-prepared PC
user in minimizing the resources needed to keep
his PC from becoming fatally affected by virus infections.
About the InVircible Author
---------------------------
Zvi Netiv is an Electronics Engineer, who headed
R&D projects in the Israel Defense Forces and in
the Israel Aircraft Industries for 27 years. In
1989 Zvi started doing applied research in
computer virus techniques and accumulated several
copyrighted works in this domain. Zvi Netiv is a
columnist and lecturer in the Israeli professional
computer community and internationally. In 1991
he established his own company, NetZ Computing
Ltd. NetZ's products have been distributed
worldwide under the names V-Care and V-Guard, with
V-Care and V-Guard combined and renamed as
InVircible(r) in 1992.
About InVircible Availability
-----------------------------
The North American and Pacific Rim distributor of
InVircible(r) is S.C.C., located at 18721 Mooney
Drive in Gaithersburg, Maryland 20879, U.S.A.
The telephone number is 1(301)590-0001. The
telefax number is 1(301)590-0003. InVircible may
be obtained in single unit or multiple unit
quantities. Agency or corporate site licenses are
available. InVircible is offered in the English,
Hebrew, and French languages (manuals and user
interfaces). Operating systems supported are DOS
3.x through 6.x releases from Microsoft, IBM, and
Digital Research; and OS/2 1.x, and OS/2 2.x.
Availability for Windows NT and Novell's DOS 7.0
is pending.
Glossary
--------
Boot Sector -- The disk sector of a bootable
hard disk partition that the hardware of a PC
locates and executes automatically upon power-up
or reboot.
CRC -- Cyclical Redundancy Check.
DOS -- Disk Operating System.
GUI -- Graphical User Interface. For example,
Microsoft's Windows 3.1.
Maginot Line -- Built after World War I by
France along the French--German border as a
series of fortifications that no land army could
go through (but could go around and over).
PC -- Personal Computer. For this paper, the
IBM AT architecture is implied.
R&D -- Research and Development.
TSR -- Terminate-and-Stay-Resident. A DOS
capability allowing a logic module to hook into
the operating system's interrupt table. After
the module is hooked into the interrupt table
and returns control to DOS, DOS may resume
execution of another program such as an
anti-virus program.
Trademarks
----------
(R)IBM and OS/2 are registered trademarks of
International Business Machines Corporation.
(TM) AT is a trademark of International Business
Machines Corporation.
(R)Microsoft and Windows NT are registered
trademarks of Microsoft Corporation.
(TM)V-Guard and V-Care are trademarks of NetZ
Computing, Ltd. and Sela Computer Consultants.
(R)InVircible is a registered trademark of NetZ
Computing, Ltd. and Sela Computer Consultants.
Copyright Notice
----------------
This paper is copyrighted (c) 1992,1993 by the Author
for Tayzen Corporation, and by NetZ Computing,
Ltd., and by Sela Consultants Corporation
(S.C.C.). All Rights Reserved. Printed in the
United States of America, June 11, 1993.