- Path: senator-bedfellow.mit.edu!dreaderd!not-for-mail
- Message-ID: <computer-virus/alt-faq/part1_953842042@rtfm.mit.edu>
- Supersedes: <computer-virus/alt-faq/part1_952514862@rtfm.mit.edu>
- Expires: 21 Apr 2000 20:07:22 GMT
- X-Last-Updated: 2000/02/29
- Organization: none
- From: George Wenzel <gwenzel@telusplanet.net>
- Newsgroups: alt.comp.virus,comp.virus,alt.answers,comp.answers,news.answers
- Followup-To: alt.comp.virus
- Subject: [alt.comp.virus] FAQ Part 1/4
- Approved: news-answers-request@MIT.EDU
- X-no-archive: yes
- Originator: faqserv@penguin-lust.MIT.EDU
- Date: 23 Mar 2000 20:09:03 GMT
- Lines: 702
- NNTP-Posting-Host: penguin-lust.mit.edu
- X-Trace: dreaderd 953842143 2960 18.181.0.29
- Xref: senator-bedfellow.mit.edu alt.comp.virus:101518 comp.virus:30976 alt.answers:47996 comp.answers:40195 news.answers:180074
-
- Archive-name: computer-virus/alt-faq/part1
- Posting-Frequency: Fortnightly
- URL: http://www.sherpasoft.org.uk/acvFAQ/
- Maintainer: Co-maintained by David Harley, Bruce Burrell, and George Wenzel
-
- alt.comp.virus (Frequently Asked Questions)
- *******************************************
-
- Version 1.1 : Part 1 of 4
- Last modified 19th August 1999
-
-
- ("`-''-/").___..--''"`-._
- `6_ 6 ) `-. ( ).`-.__.`)
- (_Y_.)' ._ ) `._ `. ``-..-'
- _..`--'_..-_/ /--'_.' ,'
- (il),-'' (li),' ((!.-'
-
-
-
- ADMINISTRIVIA
- =============
- New or modified entries are flagged with two plus symbols at the
- beginning of the line or paragraph.
-
- Maintenance of this FAQ is now shared between the following:
-
- David Harley <D.Harley@icrf.icnet.uk>
- George Wenzel <gwenzel@telusplanet.net>
- Bruce Burrell <bpb@umich.edu>
-
- Suggestions, corrections, new material etc. may be sent to any of us,
- but will normally require the approval of all co-maintainers.
- Material which can be used with a minimum of editing is particularly
- welcome. Sometimes we are told that something should be in here which
- already is. Please check carefully. Suggestions for material which
- -isn't- already in is welcomed, but there's no guarantee as
- to if and when we'll write new material. If you give us a draft, it
- makes things much easier (and obviously you'll be credited).
-
- The <Viruses and the Macintosh> FAQ is now co-maintained by David Harley
- and Susan Lesch, and the authoritative version is the one at
- http://www.macvirus.com/.
-
- Disclaimer
- - - ----------
-
- This document is primarily concerned with defending the integrity of
- computing systems and preventing damage caused by viruses or other
- malicious and/or other unauthorized software. It attempts to address
- many of the issues which are frequently discussed on alt.comp.virus,
- but does not claim to represent all shades of opinion among the users of
- a.c.v. - in particular, it does not include information which, in our
- estimation, is likely to be of more help to those interested in the
- spreading of unauthorized and/or malicious software than to those
- who wish to be protected from it. Nor is it claimed to be up-to-date
- in all respects.
-
- This document is an honest attempt to help individuals with computer
- virus-related problems and queries. It can *not* be regarded as being
- in any sense authoritative, and has no legal standing. The authors
- accept no responsibility for errors or omissions, or for any ill effects
- resulting from the use of any information contained in this document.
-
- Not all the views expressed in this document are those of the maintainers,
- and those views which *are* those of the maintainers are not necessarily
- shared by their respective employers.
-
-
- Copyright Notice
- - - ----------------
-
- Copyright on all contributions to this FAQ remains with the authors
- and all rights are reserved. It may, however, be freely distributed
- and quoted - accurately, and with due credit.
-
- It may not be reproduced for profit or distributed in part or as
- a whole with any product or service for which a charge is made, except
- with the prior permission of the copyright holders. To obtain such
- permission, please contact one of the co-maintainers of the FAQ.
-
- Such permission will normally be forthcoming as long as
- (1) reproduced text is quoted accurately
- (2) it is made clear that such text is derived from the FAQ
- (3) it is made clear that the latest version of the FAQ is available
- from the newsgroup and from the official home of the FAQ on
- the world-wide web, which is currently
- <http://www.sherpasoft.org.uk/acvFAQ/>
- (4) the e-mail addresses of all co-maintainers of the FAQ are
- included as a contact point.
-
- The FAQ is also available at:
-
- http://www.faqs.org/faqs/computer-virus/alt-faq/
-
-
- - - ----------------------------------------------------------------------
-
- PREFACE
- =======
-
- (i) What is the FAQ, and whom is it for?
- -----------------------------------
-
- This FAQ is intended to make available answers to questions which
- are repeatedly asked on alt.comp.virus, and tries to gather the most
- useful information regarding this group and the issues discussed here
- into a relatively short document. The intention is to provide
- an easily-digested document for newcomers, as a means of saving those
- who regularly reply to posted questions having to re-invent the wheel
- each time.
-
- We recommend that you read this FAQ in conjunction with the comp.virus
- (VIRUS-L) FAQ, which gives more detailed information regarding some
- issues which are, inevitably, covered in both FAQs.
-
- The VIRUS-L/comp.virus FAQ is regularly posted to the comp.virus
- newsgroup. The latest version should be available at:
-
- http://www.faqs.org/faqs/computer-virus/faq/index.html
- ftp://ftp.datafellows.com/pub/misc/anti-vir/vlfaq200.zip
-
- A very terse mini-FAQ maintained by George Wenzel is posted regularly
- to alt.comp.virus weekly and also available at:
- http://www.faqs.org/faqs/computer-virus/mini-faq/
-
- (ii) Credits/Acknowledgements
- ------------------------
-
- The following have contributed text and/or ideas and/or
- proofreading/corrections and/or URLs to the a.c.v. FAQ.
-
- Vesselin Bontchev, Dennis Boon, Bruce Burrell, Graham Cluley,
- Henri Delger, Edward Fenton, Nicola Ferri, Sarah Gordon, David Harley,
- R. Wallace Hale, Norman Hirsch, Matthew Holtz, Jan Hruska,
- Mikko H. Hypponen, Douglas A. Kaufman, Tom Kelchner, Paul Kerrigan,
- Chengi (Jimmy) Kuo, Susan Lesch, Gerard Mannig, Martin Overton,
- Mike Ramey, Perry Rovers, Tom Simondi, Megan Skinner, Fridrik Skulason,
- Robert Slade, Alan Solomon, Ken Stieers, Hector Ugalde, George Wenzel,
- Caroline Wilson, and Tarkan Yetiser.
-
- [Apologies to anyone who's fallen off the list.]
-
- Acknowledgement is also due to the work of Ken Van Wyk, former
- moderator of VIRUS-L/comp.virus, and the contributors to the
- comp.virus FAQ.
-
- Thanks also to ked@intac.com (aka Phreex), who mailed me a copy of the FAQ
- he posted to a.c.v. some months before this one was begun, David J. Loundy
- for assistance regarding legal issues, and to Nick FitzGerald, the
- moderator of comp.virus and maintainer of the comp.virus FAQ.
-
- (iii) Guide to posting etiquette
- --------------------------
-
- Messages asking for help posted to alt.comp.virus are more likely to
- receive a useful response if they conform to accepted standards of
- civility. The newsgroup news.announce.newusers includes information
- on good newsgroup etiquette, or try
-
- ftp://rtfm.mit.edu/pub/usenet/news.announce.newusers/
- http://www.fau.edu/rinaldi/netiquette.html
-
- However, adhering to the following guidelines would be particularly
- helpful:
-
- * Keep your lines short (say 72 characters per line), so that anyone
- who follows up doesn't have to reformat quoted text to keep it
- readable.
- * Don't quote all or most of a message you're following up unless it's
- either very short, or necessary in order to address each point made.
- In the latter case, please put the point you're answering close to
- your answer and try to format it so that it's readable. Remember that
- some people have to pay for connection/download time.
- * On the other hand, a message which says something like 'I totally
- agree' without including enough of the original for us to tell what
- you're agreeing with is a waste of bandwidth.
- * Keep it polite. It's unlikely that anyone who replies to your
- posting is being paid to do so, and it wouldn't excuse bad manners if
- they were. Of course, the cut and thrust of debate may be a different
- matter altogether....
- * Asking for a reply by direct e-mail may be reasonable if you need
- an urgent solution or are using a borrowed account. It isn't
- reasonable if you simply can't be bothered to check newsgroups.
- At least try to think up a good excuse, and be prepared to offer a
- summary to the group.
- * Check that there isn't already a thread on the subject you're
- asking about before posting yet another 'Has anyone heard of the GOOD
- TIMES virus?' message. If there is, check it first: the answer to
- your question may already be there (if it isn't in this document!).
- Please remember that many people have to pay for connect time, and
- don't appreciate duplicate postings or uuencoded binaries.
- * If you want to follow up a message which doesn't seem particularly
- relevant to alt.comp.virus, check the 'Newsgroups:' header: there
- have been a lot of responses to spammings recently which have
- increased the bandwidth used, often quite unnecessarily.
- * Please don't post test messages here unless you really need to:
- use one of the newsgroups intended for the purpose: there is probably
- one local to your news server - ask your Systems Administrator,
- provider or local helpdesk. If you must post to the entire Internet,
- use misc.test - if you do, put the word IGNORE in your Subject: field,
- or you'll get auto-responder messages in your mail for weeks
- afterwards. Look through the postings in news.announce.newusers
- for relevant guidelines before you post.
- * If you get into an exchange of E-mail, please remember that
- not everyone can handle all forms of E-mail attachment (uuencoded,
- MIME format etc.) - if it's text, *send* it as text. NB also that
- (uu)encoding text makes it longer as well as unreadable, so don't!
- * Don't assume that everyone uses or should use HTML-savvy mailers.
- There are good reasons why some people don't.
- * If you stick to what can be read easily on an 80 x 24 text window,
- -everyone- can read it.
-
-
- (iv) How to ask on the alt.comp.virus newsgroup for help
- ---------------------------------------------------
-
- The more relevant information you give us, the more we can help you.
- It helps to tell us the following:
-
- * What you think the problem is (you might think it's a virus, but
- maybe it isn't)
- * What the symptoms are. If you ran some software that gave you a
- message, tell us which package, version number, and the exact wording
- of the message.
- * Please be as accurate as possible about the order in which events
- happened.
- * If just one file is infected, give the filename.
- * If you're running more than one anti-virus product, please list
- them (including version number), and say what each one said about
- the possible virus.
- * Which version of which operating system you are running.
- * Any other configuration information which you think may have a bearing.
-
- Don't take action, then ask if that was the right action - if it
- wasn't, it's too late.
-
- Don't just ask "I've got xyz virus, can anyone help me".
-
- - - -------------------------------------------------------------------------
-
- Table of Contents
- *****************
-
- Part 1
- ------
-
- (1) I have a virus - what do I do?
- (2) Minimal glossary
- (3) What is a virus (Trojan, Worm)?
- (4) How do viruses work?
- (5) How do viruses spread?
- (6) How can I avoid infection?
- (7) How does antivirus software work?
-
- Part 2
- ------
-
- (8) What's the best anti-virus software
- (and where do I get it)?
- (9) Where can I get further information?
- (10) Does anyone know about
- * Mac viruses?
- * UNIX viruses?
- * macro viruses?
- * the AOLGold virus?
- * the PKZip300 trojan virus?
- * the xyz PC virus?
- * the Psychic Neon Buddha Jesus virus?
- * the blem wit virus
- * The Irina Virus
- * Ghost
- * General Info on Hoaxes/Erroneous Alerts
- (11) Is it true that...?
- (12) Favourite myths
- * DOS file attributes protect executable files from
- infection
- * I'm safe from viruses because I don't use bulletin
- boards/shareware/Public Domain software
- * FDISK /MBR fixes boot sector viruses
- * Write-protecting suspect floppies stops infection
- * The write-protect tab always stops a disk write
- * I can infect my system by running DIR on an infected
- disk
- Part 3
- ------
-
- (13) What are the legal implications of computer viruses?
-
- Part 4
- ------
-
- (14) Miscellaneous
-
- Are there anti-virus packages which check zipped/archived files?
- What's the genb/genp virus?
- Where do I get VCL and an assembler, & what's the password?
- Send me a virus.
- It said in a review......
- Is it viruses, virii or what?
- Where is alt.comp.virus archived?
- What about firewalls?
- Viruses on CD-ROM.
- Removing viruses.
- Can't viruses sometimes be useful?
- Do I have a virus, and how do I know?
- What should be on a (clean) boot disk?
- How do I know I have a clean boot disk?
- What other tools might I need?
- What are rescue disks?
- Are there CMOS viruses?
- How do I know I'm FTP-ing 'good' software?
- What is 386SPART.PAR?
- Can I get a virus to test my antivirus package with?
- When I do DIR | MORE I see a couple of files with funny names...
- Reasons NOT to use FDISK /MBR
- Why do people write/distribute viruses?
- Where can I get an anti-virus policy?
- Are there virus damage statistics?
- What is ICSA approval?
- What language should I write a virus in?
- No, seriously, what language are they written in?
- [DRD], Doren Rosenthal, the Universe and Everything
- What are CARO and EICAR?
-
- - - -------------------------------------------------------------------------
-
- (1) I have a virus problem - what do I do?
- ==========================================
-
- The following guidelines will, one hopes, be of assistance. However,
- you may get better use out of them if you read the rest of this
- document before acting rashly...
-
- If you think you may have a virus infection, *stay calm*. Once
- detected, a virus will rarely cause (further) damage, but a
- panic action might. Bear in mind that not every one who thinks s/he
- has a virus actually does (and a well-documented, treatable virus
- might be preferable to some problems!). Reformatting your hard disk
- is almost certainly unnecessary and very probably won't kill the
- virus.
-
- If you've been told you have something exotic, consider the
- possibility of a false alarm and check with a different package.
-
- If you have a good antivirus package, use it. Better still, use more
- than one. If there's a problem with the package, use the publisher's
- tech support and/or try an alternative package. If you don't have a
- package, get one (see section on sources below). If you're using
- Microsoft's package (MSAV) get something less out-of-date.
-
- Try to get expert help *before* you do anything else. If the problem
- is in your office rather than at home there may be someone whose job
- includes responsibility for dealing with virus incidents.
-
- Follow the guidelines below as far as is practicable and applicable.
-
- * Do not attempt to continue to work with an infected system, or let
- other people do so.
- * Generally, it's considered preferable to switch an infected
- system off until a competent person can deal with it: don't allow
- other people to use it in the meantime. If possible, close down
- applications, Windows etc. properly and allow any caches/buffers
- to flush, rather than just hit the power switch.
- * If you have the means of checking other office machines for
- infection, you should do so and take appropriate steps if an
- infection is found.
- * If you are unable to check other machines, assume that all
- machines are infected and take all possible steps to avoid
- spreading infection any further.
- * If there are still uninfected systems in the locality, don't use
- floppy disks on them [except known clean write-protected DOS boot
- floppies]
- * users of infected machines should not *under any circumstances*
- trade disks with others until their systems and disks are cleaned.
- * if the infected system is connected to a Novell network, Appleshare
- etc., it should be logged off all remote machines unless someone
- knowledgeable says different. If you're not sure how to do this,
- contact whoever is responsible for the administration of the
- network. You should in any case ensure that the network administrator
- or other responsible and knowledgeable individual is fully aware of
- the situation.
- * No files should be exchanged between machines by any other means
- until it's established that this can be done safely.
- * Ensure that all people in your office and anyone else at risk are
- aware of the situation.
- * Get *all* floppy disks together for checking and check every one.
- This includes write-protected floppies and program master disks.
- Check all backups too (on tape or file servers as well as on floppy).
-
-
- (2) Minimal Glossary
- ====================
-
- [There is room for improvement and expansion here. Contributions
- will be gratefully accepted.]
-
- * AV - AntiVirus. Sometimes applied as a shorthand term for
- anti-virus researchers/programmers/publishers - may include
- those whose work is not AV research, but includes
- virus-control. (See also Vx.)
- * BSI - Boot Sector Infector (= BSV - Boot Sector Virus)
- * BIOS - Basic Input Output System
- * CMOS - Memory used to store hardware configuration information
- * DBR - DOS Boot Record
- * DBS - DOS Boot Sector
-
- * False Positive - When an antivirus program incorrectly reports a
- virus in memory or infecting a file or system area.
- Heuristic scanners & integrity checkers are, by
- definition, somewhat more prone to these. Also known
- as false alarms, though this may have a wider
- application.
- * False Negative - Essentially, a virus undetected by an antivirus
- program.
- * In-the-wild - describes viruses known to be spreading
- uncontrolled to real-life systems, as opposed to
- those which exist only in controlled situations
- such as anti-virus research labs. Virus code
- which has been published but not actually found
- spreading out of control is not usually regarded
- as being in-the-wild.
- * MBR - Master Boot Record (Partition Sector)
- * TSR - A memory-resident DOS program, i.e. one which remains in
- memory while other programs are running. A good TSR should
- at least detect all known in-the-wild viruses and a good
- percentage of other known viruses. Generally, TSRs are not
- so good with polymorphic viruses, and should not be relied on
- exclusively. Most TSR scanners don't detect macro viruses.
- * vx - Those who study, exchange and write viruses, not necessarily
- with malicious intentions. So we're frequently told here...
- * VxD - A Windows program which can run in the background. A scanner
- implemented as a VxD has nearly all the advantages of a DOS TSR,
- but can have additional advantages: for instance, a good VxD
- will scan continuously *and* for all the viruses detected by an
- on-demand scanner.
- * Zoo - suite of viruses used for testing.
-
- See the comp.virus FAQ for fuller definitions of some of these terms and
- others which aren't addressed here.
-
- (3) What is a virus (and what are Trojans and Worms)?
- =====================================================
-
- A (computer) virus is a program (a block of executable code) which
- attaches itself to, overwrites or otherwise replaces another program
- in order to reproduce itself without the knowledge of the PC user.
-
- Most viruses are comparatively harmless, and may be present for
- years with no noticeable effect: some, however, may cause random
- damage to data files (sometimes insidiously, over a long period)
- or attempt to destroy files and disks. Others cause unintended
- damage. Even benign viruses (apparently non-destructive viruses)
- cause significant damage by occupying disk space and/or main
- memory, by using up CPU processing time, and by the time and expense
- wasted in detecting and removing them.
-
- A Trojan Horse is a program intended to perform some covert
- and usually malicious act which the victim did not expect or want.
- It differs from a destructive virus in that it doesn't reproduce,
- (though this distinction is by no means universally accepted).
-
- A dropper is a program which installs a virus or Trojan, often
- covertly.
-
- A worm is a program which spreads (usually) over network
- connections. Unlike a virus, it does not attach itself to a
- host program. In practice, worms are not normally associated
- with personal computer systems. There is an excellent
- and considerably longer definition in the Mk. 2 version of the
- Virus-L FAQ.
-
- (The following is a slightly academic diversion)
-
- A lot of bandwidth is spent on precise definitions of some of
- the terms above. I have Fridrik Skulason's permission to include
- the following definition of a virus, which I like because it
- demonstrates most of the relevant issues.
-
- #1 A virus is a program that is able to replicate - that is, create
- (possibly modified) copies of itself.
-
- #2 The replication is intentional, not just a side-effect.
-
- #3 At least some of the replicants are also viruses, by this
- definition.
-
- #4 A virus has to attach itself to a host, in the sense that execution
- of the host implies execution of the virus.
- --
- #1 is the main definition, which distinguishes between viruses and Trojans
- and other non-replicating malware.
-
- #2 is necessary to exclude for example a disk-copying program copying a
- disk, which contains a copy of itself.
-
- #3 is necessary to exclude "intended" not-quite-viruses.
-
- #4 is necessary to exclude "worms", but at the same time it has to be
- broad enough to include companion viruses and .DOC viruses.
-
- (4) How do viruses work?
- ========================
-
- A file virus attaches itself to a file (but see the section below
- or the comp.virus FAQ on the subject of companion viruses), usually
- an executable application (e.g. a word processing program or a DOS
- program). In general, file viruses don't infect data files. However,
- data files can contain embedded executable code such as macros, which
- may be used by virus or trojan writers. Recent versions of Microsoft
- Word are particularly vulnerable to this kind of threat. Text files
- such as batch files, postscript files, and source code which contain
- commands that can be compiled or interpreted by another program are
- potential targets for malware (malicious software), though such malware
- is not at present common.
-
- Boot sector viruses alter the program that is in the first sector
- (boot sector) of every DOS-formatted disk. Generally, a boot
- sector infector executes its own code (which usually infects the boot
- sector or partition sector of the hard disk), then continues the PC
- bootup (start-up) process. In most cases, all write-enabled floppies
- used on that PC from then on will become infected.
-
- Multipartite viruses have some of the features of both the above
- types of virus. Typically, when an infected *file* is executed, it
- infects the hard disk boot sector or partition sector, and thus
- infects subsequent floppies used or formatted on the target system.
-
- Macro viruses typically infect global settings files such as Word
- templates so that subsequently edited documents are contaminated
- with the infective macros.
-
- The following virus types are more fully defined in the
- comp.virus FAQs (see preamble):
-
- * STEALTH VIRUSES - viruses that go to some length to
- conceal their presence from programs which might notice.
- * POLYMORPHIC VIRUSES - viruses that cannot be detected by
- searching for a simple, single sequence of bytes in a
- possibly-infected file, since they change with every
- replication.
- * COMPANION VIRUSES - viruses that spread via a file which
- runs instead of the file the user intended to run, and
- then runs the original file. For instance, the file
- MYAPP.EXE might be 'infected' by creating a file called
- MYAPP.COM. Because of the way DOS works, when the user
- types MYAPP at the C> prompt, MYAPP.COM is run instead of
- MYAPP.EXE. MYAPP.COM runs its infective routine, then
- quietly executes MYAPP.EXE. N.B. this is not the *only*
- type of companion (or 'spawning') virus.
- * ARMOURED VIRUSES - viruses that are specifically written
- to make it difficult for an antivirus researcher to find
- out how they work and what they do.
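The DOS name-resolution order described for companion viruses above is easy to audit for. The following Python script is an added example, not part of the original FAQ: it reproduces the .COM-before-.EXE lookup and lists every directory in which a .COM file would run instead of a same-named .EXE; the sample directory it builds is constructed for the demonstration.

```python
"""Audit directories for the .COM-shadows-.EXE pattern used by DOS companion viruses."""
import os
import tempfile
from pathlib import Path

# When a command is typed without an extension, DOS searches each directory
# for these extensions in this order, so MYAPP.COM wins over MYAPP.EXE.
DOS_EXTENSION_ORDER = (".COM", ".EXE", ".BAT")


def dos_resolve(directory, command):
    """Return the file DOS would run for `command` in `directory`, or None.

    Names are compared case-insensitively, as on a FAT filesystem.
    """
    names = {p.name.upper(): p for p in Path(directory).iterdir() if p.is_file()}
    for ext in DOS_EXTENSION_ORDER:
        hit = names.get(command.upper() + ext)
        if hit is not None:
            return hit
    return None


def find_shadowed_exes(directory):
    """Return (com, exe) pairs in `directory` where the .COM would run instead of the .EXE."""
    by_stem = {}
    for p in Path(directory).iterdir():
        if p.is_file():
            by_stem.setdefault(p.stem.upper(), {})[p.suffix.upper()] = p
    return [
        (files[".COM"], files[".EXE"])
        for _stem, files in sorted(by_stem.items())
        if ".COM" in files and ".EXE" in files
    ]


def audit_path(path_dirs):
    """Run find_shadowed_exes over every existing directory of a PATH-style list."""
    findings = []
    for d in path_dirs:
        if os.path.isdir(d):
            findings.extend(find_shadowed_exes(d))
    return findings


def build_demo_dir():
    """Constructed sample: MYAPP.EXE with an unexplained MYAPP.COM beside it, plus TOOL.EXE."""
    d = tempfile.mkdtemp(prefix="acv_companion_")
    Path(d, "MYAPP.EXE").write_bytes(b"constructed stand-in for a real program")
    Path(d, "MYAPP.COM").write_bytes(b"constructed stand-in, not executable code")
    Path(d, "TOOL.EXE").write_bytes(b"constructed stand-in for a real program")
    return d


if __name__ == "__main__":
    demo = build_demo_dir()
    print("typing MYAPP runs:", dos_resolve(demo, "myapp").name)
    # On a real DOS/Windows box you would pass os.environ["PATH"].split(os.pathsep).
    for com, exe in audit_path([demo]):
        print(f"WARNING: {com.name} shadows {exe.name} in {com.parent}")
```

A flagged pair is not proof of infection (some legitimate packages ship both), but a .COM that turned up beside an existing .EXE without explanation is worth scanning and comparing against the program master disk.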
-
- (5) How do viruses spread?
- ==========================
-
- A PC is infected with a boot sector virus (or partition sector
- virus) if it is (re-)booted (usually by accident) from an infected
- floppy disk in drive A. Boot Sector/MBR infectors are the most
- commonly found viruses, and cannot normally spread across a network.
- These (normally) spread by accident via floppy disks which may come
- from virtually any source: unsolicited demonstration disks,
- brand-new software (even from reputable sources), disks used on
- your PC by salesmen or engineers, new hardware, or repaired hardware.
-
- A file virus infects other files when the program to which it is
- attached is run, and so *can* spread across a network (often very
- quickly). They may be spread from the same sources as boot sector
- viruses, but also from sources such as Internet FTP sites and
- bulletin boards. (This applies also to Trojan Horses.)
-
- A multipartite virus infects boot sectors *and* files. Often,
- an infected file is used to infect the boot sector: thus, this is
- one case where a boot sector infector could spread across a network.
-
-
- (6) How can I avoid infection?
- ==============================
-
- There is no way to guarantee that you will avoid infection. However,
- the potential damage can be minimized by taking the following
- precautions:
-
- * make sure you have a clean boot disk - test with whatever (up-to-date!)
- antivirus software you can get hold of and make sure it is (and stays)
- write-protected. Boot from it and make a couple of copies.
- * use reputable, up-to-date and properly-installed anti-virus
- software regularly (see below). If you use a shareware package
- for which payment and/or registration is required, do it. Not only
- does it encourage the writer and make you feel virtuous, it means
- you can legitimately ask for technical support in a crisis.
- * do some reading (see below). If you're a home user, you may well
- get an infection sooner or later. If you're a business user, it'll
- be sooner. Either way you'll benefit from a little background.
- If you're a business user you (or your enterprise) need a policy.
- * don't rely *solely* on newsgroups like this to get you out of
- trouble: it may be a while before you get a response (especially
- from a moderated group like comp.virus), and the first response
- you act upon may not offer the most appropriate advice for your
- particular problem.
- * if you use a shareware/freeware package, make sure you have hard
- copy of the documentation *before* your system falls apart!
- * always run a memory-resident scanner to monitor disk access and
- executable files before they're run.
- * if you run Windows, a reputable anti-virus package which includes
- DOS *and* Windows components is likely to offer better protection
- than a DOS only package. If you run Windows 95, you need a proper
- Win95 32-bit package for full protection.
- * make sure your home system is protected, as well as your work PC.
- * check all new systems and all floppy disks when they're brought
- in (from *any* source) with a good virus-scanning program.
- * acquire software from reputable sources: 2nd-hand software is
- frequently unchecked and sometimes infected. Bear in mind that
- shrinkwrapped software isn't necessarily unused. In any case,
- reputable firms have shipped viruses unknowingly.
- * once formatted, keep floppies write-disabled except when you need
- to write a file to them: then write-disable them again.
- * make sure your data is backed up regularly and that the procedures
- for restoring archived data *work* properly.
- * scan pre-formatted diskettes before use.
- * Get to know all the components of the package you're using and
- consider which bits to use and how best to use them. Different
- packages have different strengths: diversifying and mixing and
- matching can, if carefully and properly done, be a good antivirus
- strategy, especially in a corporate environment.
- * if your PC can be prevented with a CMOS setting from booting with a
- disk in drive A, do it (and re-enable floppy booting temporarily when
- you need to clean-boot).
-
- CMOS settings
- - - -------------
-
- Some CMOSes come with special anti-virus settings. These are normally
- vague about what they do but typically they write-protect your hard
- disk's boot sector and partition sector (MBR). This can be some use
- against boot sector viruses but may false alarm when you upgrade your
- operating system.
-
- One sensible setting to make (if your CMOS allows) is to adjust the
- boot sequence of your PC. Changing the default boot-up drive order
- from A: C: to C: will mean that the PC will attempt to boot from drive
- C: even if a floppy disk has been left in drive A:. This way boot
- sector virus infection can often be avoided. Remember, however, to set
- your CMOS back temporarily if you ever *do* want to boot clean from
- floppy (for example, when running a cryptographical checksummer
- after a cold boot).
-
- SCSI controllers have their own BIOS. On some systems, this will
- override the boot sequence set in CMOS. It's always a good idea
- to check with a (known clean) bootable floppy after you've
- disabled floppy booting that it really is disabled. I don't think
- it's necessary to use the Rosenthal Simulator to do this, thank
- you, Doren.
-
- (7) How does antivirus software work?
- - - -------------------------------------
-
- * Scanner (conventional scanner, command-line scanner, on-demand
- scanner) - a program that looks for known viruses by checking for
- recognisable patterns ('scan strings', 'search strings',
- 'signatures' [a term best avoided for its ambiguity]).
- * TSR scanner - a TSR (memory-resident program) that checks for
- viruses while other programs are running. It may have some of
- the characteristics of a monitor and/or behaviour blocker.
- * VxD scanner - a scanner that works under Windows (or perhaps under
- Win 95, or both), which checks for viruses continuously while
- you work.
- * Heuristic scanners - scanners that inspect executable files for
- code using operations that might denote an unknown virus.
- * Monitor/Behaviour Blocker - a TSR that monitors programs while
- they are running for behaviour which might denote a virus.
- * Change Detectors/Checksummers/Integrity Checkers - programs that
- keep a database of the characteristics of all executable files on
- a system and check for changes which might signify an attack by
- an unknown virus.
- * Cryptographic Checksummers use an encryption algorithm to lessen
- the risk of being fooled by a virus which targets that particular
- checksummer.
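To show the difference between a plain change detector and a cryptographic checksummer, here is an added Python example (not code from the FAQ or from any product it mentions). It baselines the executables under a directory with a keyed HMAC-SHA256 digest and, for comparison, with a naive additive checksum; the sample files and the simulated change are constructed.

```python
"""Change detection over executables: naive checksum vs keyed cryptographic digest."""
import hashlib
import hmac
import secrets
import tempfile
from pathlib import Path

# File types a DOS-era integrity checker would track (data files are not baselined).
EXECUTABLE_SUFFIXES = {".exe", ".com", ".sys", ".dll", ".ovl", ".bat"}


def simple_checksum(data):
    """Additive checksum (sum of bytes mod 256): cheap, but blind to reordered bytes."""
    return sum(data) % 256


def keyed_digest(data, key):
    """HMAC-SHA256 over the file body; cannot be recomputed without `key`."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def build_baseline(root, digest):
    """Map each executable's relative path to (size, digest(contents))."""
    baseline = {}
    for p in sorted(Path(root).rglob("*")):
        if p.is_file() and p.suffix.lower() in EXECUTABLE_SUFFIXES:
            data = p.read_bytes()
            baseline[str(p.relative_to(root))] = (len(data), digest(data))
    return baseline


def compare(baseline, current):
    """Report files whose record changed, appeared or disappeared since the baseline."""
    return {
        "modified": sorted(f for f in baseline if f in current and current[f] != baseline[f]),
        "added": sorted(f for f in current if f not in baseline),
        "removed": sorted(f for f in baseline if f not in current),
    }


def demo():
    """Baseline a constructed directory, alter one program, and check both ways."""
    # The key must live somewhere the scanned system cannot alter, e.g. on the
    # write-protected clean boot floppy the FAQ recommends, not beside the baseline.
    key = secrets.token_bytes(32)
    keyed = lambda data: keyed_digest(data, key)
    root = tempfile.mkdtemp(prefix="acv_ic_")
    original = b"MZ constructed program body AB"
    Path(root, "MYAPP.EXE").write_bytes(original)
    Path(root, "README.TXT").write_text("data file, not tracked")
    naive_base = build_baseline(root, simple_checksum)
    keyed_base = build_baseline(root, keyed)
    # Constructed change: same length, same bytes in a different order (last two
    # swapped). The additive checksum does not move; the keyed digest does.
    Path(root, "MYAPP.EXE").write_bytes(original[:-2] + original[-2:][::-1])
    Path(root, "NEW.COM").write_bytes(b"constructed new executable")
    return {
        "naive": compare(naive_base, build_baseline(root, simple_checksum)),
        "keyed": compare(keyed_base, build_baseline(root, keyed)),
    }


if __name__ == "__main__":
    for name, report in demo().items():
        print(name, report)
```

The naive report misses the altered MYAPP.EXE entirely, which is the failure mode the FAQ has in mind when it says a virus can "target that particular checksummer"; the keyed report catches it, and neither can be trusted unless the baseline and key were made after a clean boot.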
-
- - - ---------------------------------------------------------------------
-
- End of a.c.v. FAQ Part 1 of 4
-
-
-
-