- Path: sparky!uunet!olivea!decwrl!elroy.jpl.nasa.gov!usc!wupost!darwin.sura.net!jvnc.net!netnews.upenn.edu!netnews.cc.lehigh.edu!news
- From: PHYS169@csc.canterbury.ac.nz (Mark Aitchison, U of Canty; Physics)
- Newsgroups: comp.virus
- Subject: Re: On integrity checking (PC)
- Message-ID: <0013.9209021551.AA11708@barnabas.cert.org>
- Date: 31 Aug 92 03:18:19 GMT
- Sender: virus-l@lehigh.edu
- Lines: 28
- Approved: news@netnews.cc.lehigh.edu
-
- tck@netlink.cts.com (Kevin Marcus) writes:
- > Hey, Vesselin, all that talk about new products and detecting unknown
- > viruses... Blech. Wouldn't this fool an integrity checker, if the
- > virus were installed to a new system...
-
- I guess an integrity checker could limit the spread and warn of the
- presence, but not stop a virus-infected program being put onto the
- system.
-
- > Assume a stealth virus, which disinfected on the fly - really flying -
- > disinfecting on file opens, reinfecting on a file close, and also on
- > findfirst/next calls. If the virus is unknown to the integrity
- > checker, then wouldn't it fake it out if it were in memory at the time
- > of the scanning?
-
- If the change detector uses standard DOS calls (or even BIOS) then it
- stands to get fooled. But it doesn't have to. As for an integrity
- checker doing its thing as part of the program execute sequence, it is
- a good idea to use this in conjunction with other anti-viral
- precautions, e.g. ones that check whether important BIOS and DOS
- vectors have changed. There is still a way a virus can get around
- this, but it is difficult, and requires the virus know about the
- particular change detector that is running. And viruses that go to
- such an extent will be obvious to other, elementary, change detectors
- (e.g. ones that simply look for changes to particular parts of system
- memory).
-
- Mark Aitchison, University of Canterbury.
-
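The vector check mentioned in the reply above, as an added example that is not part of the original post: it compares two raw copies of the 1 KB real-mode interrupt vector table, a baseline and a later snapshot, and reports watched vectors that now point somewhere else. The function names, the watch list (INT 13h, INT 21h) and every address in the sample are assumptions constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IVT_BYTES 1024  /* 256 real-mode vectors x 4 bytes, at 0000:0000 */
typedef struct { uint16_t seg, off; } farptr;

/* Assumed watch list (not from the post): BIOS disk and DOS services. */
static const uint8_t WATCHED[] = { 0x13, 0x21 };

/* Each vector is stored little-endian as offset, then segment. */
static farptr ivt_get(const uint8_t *ivt, uint8_t n) {
    const uint8_t *p = ivt + 4 * n;
    return (farptr){ .seg = (uint16_t)(p[2] | p[3] << 8),
                     .off = (uint16_t)(p[0] | p[1] << 8) };
}
static void ivt_set(uint8_t *ivt, uint8_t n, uint16_t seg, uint16_t off) {
    uint8_t *p = ivt + 4 * n;
    p[0] = (uint8_t)off; p[1] = (uint8_t)(off >> 8);
    p[2] = (uint8_t)seg; p[3] = (uint8_t)(seg >> 8);
}
/* Put the watched vectors that differ from the baseline in out[];
   return how many were stored. Works on raw table copies, not DOS calls. */
static int changed_vectors(const uint8_t *base, const uint8_t *now,
                           uint8_t *out, int max) {
    int count = 0;
    for (size_t i = 0; i < sizeof WATCHED && count < max; i++)
        if (memcmp(base + 4 * WATCHED[i], now + 4 * WATCHED[i], 4) != 0)
            out[count++] = WATCHED[i];
    return count;
}

/* Constructed sample: a clean-boot baseline and a later snapshot in which
   INT 21h has been repointed. Every address here is made up. */
static uint8_t base_ivt[IVT_BYTES], now_ivt[IVT_BYTES];
static void build_sample(void) {
    memset(base_ivt, 0, sizeof base_ivt);
    ivt_set(base_ivt, 0x13, 0xF000, 0x1234);
    ivt_set(base_ivt, 0x21, 0x0116, 0x0400);
    memcpy(now_ivt, base_ivt, sizeof now_ivt);
    ivt_set(now_ivt, 0x21, 0x9F00, 0x0010);
}

int main(void) {
    uint8_t hits[sizeof WATCHED];
    build_sample();
    int n = changed_vectors(base_ivt, now_ivt, hits, (int)sizeof hits);
    for (int i = 0; i < n; i++) {
        farptr a = ivt_get(base_ivt, hits[i]), b = ivt_get(now_ivt, hits[i]);
        printf("INT %02Xh: %04X:%04X -> %04X:%04X\n",
               hits[i], a.seg, a.off, b.seg, b.off);
    }
    return n != 0;
}
```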