- Path: sparky!uunet!spool.mu.edu!howland.reston.ans.net!zaphod.mps.ohio-state.edu!cis.ohio-state.edu!news.sei.cmu.edu!cert!netnews.upenn.edu!netnews.cc.lehigh.edu!news
- From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
- Newsgroups: comp.virus
- Subject: Re: Vshield vs Virstop (PC)
- Message-ID: <0015.9301121242.AA22066@barnabas.cert.org>
- Date: 7 Jan 93 13:44:59 GMT
- Sender: virus-l@lehigh.edu
- Lines: 34
- Approved: news@netnews.cc.lehigh.edu
-
- bill.lambdin%acc1bbs@ssr.com (Bill Lambdin) writes:
-
- > There are several problems with the integrity checking by Scan, and
- > Vshield.
- >
- > 1. Some programs will not run after the CRC is added to the file. So it is
- > necessary to remove the CRC. Scan filename /RV will remove the CRC.
-
- Yes, but there is another option, which puts the checksums in a
- separate file, instead of attached to the checksummed executables.
- Nevertheless, there are much more serious problems:
-
- > 2. These CRCs will not detect stealth infectors because stealth viruses
- > disinfect infected files when an infected file is opened for any
- > reason.
-
- > 3. These CRCs will not detect the presence of companion infectors because
- > these companion infectors do not attach to files.
-
- 4. The particular CRCs used are trivial to forge.
-
- 5. The integrity checker is not aware of many of the existing
- attacks against integrity checking software (described in my paper).
- You mentioned two of them - stealth viruses and companion viruses, but
- there are many more and almost any of them can be used to bypass the
- integrity checking of VShield.
-
- Regards,
- Vesselin
- - --
- Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg
- Tel.:+49-40-54715-224, Fax: +49-40-54715-226 Fachbereich Informatik - AGN
- < PGP 2.1 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
- e-mail: bontchev@fbihh.informatik.uni-hamburg.de D-2000 Hamburg 54, Germany
-
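An added example, not part of the original post and not code from Scan or VShield: a minimal integrity audit that keeps keyed tags in a separate store (the "separate file" option mentioned above) and reports new files as well as changed ones, which bears on points 3 and 4. Assumptions: CRC-32 stands in for the unkeyed checksum (the post does not name the algorithm), HMAC-SHA256 is a swapped-in keyed replacement, and all file names, contents and the key are constructed. It does not address point 2 (stealth viruses).

```python
import hashlib
import hmac
import zlib

def add_crc(data):
    """Unkeyed check value appended to the file itself (CRC-32 as a stand-in)."""
    return data + zlib.crc32(data).to_bytes(4, "little")

def crc_ok(blob):
    return zlib.crc32(blob[:-4]) == int.from_bytes(blob[-4:], "little")

def tag(key, data):
    return hmac.new(key, data, hashlib.sha256).hexdigest()

def build_baseline(files, key):
    """Keyed tags held in a separate store, not inside the executables."""
    return {name: tag(key, data) for name, data in files.items()}

def stem(name):
    return name.rsplit(".", 1)[0]

def audit(files, baseline, key):
    """Return sorted (finding, name) pairs for the current directory state."""
    findings = []
    for name, data in files.items():
        if name not in baseline:
            # A new file sharing a stem with a baselined program (X.COM beside
            # X.EXE) is the companion pattern: no existing file was touched.
            shadows = any(stem(b) == stem(name) for b in baseline)
            findings.append(("new-companion-candidate" if shadows else "new-file", name))
        elif not hmac.compare_digest(baseline[name], tag(key, data)):
            findings.append(("modified", name))
    findings += [("missing", n) for n in baseline if n not in files]
    return sorted(findings)

# Constructed sample data: file contents are placeholders, not real programs.
KEY = b"constructed-demo-key"
CLEAN = {"EDIT.EXE": b"original program bytes", "SORT.COM": b"sort bytes"}
BASELINE = build_baseline(CLEAN, KEY)
LATER = {"EDIT.EXE": b"original program bytes", "EDIT.COM": b"unexpected",
         "SORT.COM": b"sort bytes changed"}

if __name__ == "__main__":
    # Whoever rewrites a file can recompute an unkeyed appended CRC, so it passes.
    print(crc_ok(add_crc(b"sort bytes changed")))
    for finding in audit(LATER, BASELINE, KEY):
        print(finding)
```

The keyed tags are only as trustworthy as the key and the baseline store, so both belong on media the monitored system cannot write to.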