Simply put, GateKeeper attempts to make it impossible (or as difficult as possible) for viruses to spread or function successfully in its domain. It does so by monitoring and limiting access to certain system operations on which viruses depend. Thus GateKeeper is a general purpose tool in the fight against viruses, as opposed to programs written to stop only a specific virus or set of viruses.
Once configured, GateKeeper operates without the need for intervention by the user. It provides facilities for warning the user of its intervention in the operation of the system, but will never require that the user make decisions on-the-fly about what operations should be allowed to occur or forced to fail. GateKeeper ensures that such decisions are made automatically, transparently to the user and with total consistency. It will also, if requested, keep a detailed log of all such decisions for later review.
GateKeeper is NOT a virus removal/repair utility. GateKeeper endeavors to prevent viruses from infecting your system in the first place, and attempts to render them harmless if they should find their way in.
GateKeeper also provides powerful diagnostic facilities for those intent on tracking and analyzing viruses in the form of a log file to which records of the critical operations attempted by viruses are written.
GateKeeper is known to be effective against the Scores, nVIR, Hpat, INIT 29, ANTI, AIDS and MEV# viruses.
GateKeeper is an extremely capable anti-virus/virus control tool, but it isnΓÇÖt necessarily the complete virus solution. In order to help keep your system virus-free, consider the following recommendations:
ΓÇó Use GateKeeper. Avoid engaging the Override mode, or granting privileges to applications unless itΓÇÖs really necessary.
ΓÇó Use John NorstadΓÇÖs ΓÇ£DisinfectantΓÇ¥ virus detection and repair program (version 1.1 or better). Remember that to use it with GateKeeper youΓÇÖll need to place GateKeeper in Override mode or grant Disinfectant all privileges.
ΓÇó Check the GateKeeper Log file periodically for records of operations other than ΓÇ£Installation,ΓÇ¥ ΓÇ£System Shutdown,ΓÇ¥ ΓÇ£Log File,ΓÇ¥ and ΓÇ£Override.ΓÇ¥ Other operations are likely to be virus related.
ΓÇó DonΓÇÖt pirate software. Apart from all of the other good reasons, pirated software has usually gone through many hands and, consequently, has had many opportunities to pick up viruses. Pirates are not, by definition, the sort of people you should ever trust.
ΓÇó If you use public domain software, get it from known, reliable and responsible sources. Then check it anyway.
There are three controls always visible and available in GateKeeper: the ΓÇ£OverrideΓÇ¥ and ΓÇ£HelpΓÇ¥ push buttons, and the ΓÇ£Info/SettingsΓÇ¥ slide bar.
ΓÇ£OverrideΓÇ¥ puts GateKeeper in a mode in which it will allow any program to do anything no matter how virus-like it may appear. Override will stay on for thirty minutes (so you donΓÇÖt accidentally leave it on), until you turn it off, or until the system is rebooted.
ΓÇ£HelpΓÇ¥ displays the GateKeeper help text (the stuff youΓÇÖre reading now). To exit the help mode, click on the question mark again, or use the ΓÇ£Info/SettingsΓÇ¥ switch.
ΓÇ£Info/SettingsΓÇ¥ displays either the basic information text which appears when GateKeeper is first opened in the Control Panel, or the controls for setting application privileges.
A few applications, INITs, etc. depend on performing operations that appear virus-like to GateKeeper. For this reason it may be necessary to configure GateKeeper. The process consists of telling GateKeeper what applications are allowed to perform suspicious operations, and just what kinds of operations those are.*ΓÇá
Privileged applications are identified by name. GateKeeper does not concern itself with where an application is stored (either by folder or by disk), only with what it is named. If youΓÇÖre concerned about users changing the names of privileged items, use a utility like ResEdit to set the System bit for those files. This prohibits name changes in the Finder.
There are two basic classes of privileges: Resource (Res) and File. Within each class there are three different cases in which privileges may granted/denied: Other, System (Sys) and Self. These specify what files may be modified, e.g. ΓÇ£SelfΓÇ¥ specifies that the application may make modifications to itself, and ΓÇ£OtherΓÇ¥ indicates that an application can make modifications to files other than itself and the System file.
The Resource (Res) class of privileges is concerned with the modification, addition and removal of resources in which the component(s) of programs are stored. Operations on other types of resources are not controlled.
The File class of privileges is concerned with modifications to file information for files containing programs (this not only includes applications, but system files like Startup documents, and Control Panel documents). Note that file information should be understood to mean information ABOUT files, as opposed to the information CONTAINED IN files.
GateKeeperΓÇÖs configuration controls are normally hidden. To access them, click on the Info/Settings sliding switch until it appears in the ΓÇ£SettingsΓÇ¥ position.
NOTIFY ONLY
NOTIFY & VETO
Two radio buttons are available in the ΓÇ£When AttackedΓÇ¥ area. These let you tell GateKeeper whether it should monitor operations without interfering (ΓÇ£Notify OnlyΓÇ¥) or whether it should stop suspicious operations (ΓÇ£Notify & VetoΓÇ¥).
USER ALERT
LOG FILE
Two check boxes in the ΓÇ£Notification MethodΓÇ¥ area allow you to choose the manner in which GateKeeper informs you of suspicious operations it has monitored/stopped. The ΓÇ£User AlertΓÇ¥ check box allows you to request that alerts be used to inform you of GateKeeperΓÇÖs activities. This option is only available on Macintoshes using System 6.0 or better. The ΓÇ£Log FileΓÇ¥ check box permits you to request that all activities be recorded in the GateKeeper Log file.
INTERNAL ERRORS
USER ALERT
The ΓÇ£User AlertΓÇ¥ check box in the ΓÇ£If Error OccursΓÇ¥ area allows you to specify whether or not errors generated within GateKeeper should be presented by alert. This option is only available when the ΓÇ£User AlertΓÇ¥ check box in the ΓÇ£Notification MethodΓÇ¥ area is checked. Internal errors will be recorded in the log file if it is turned on.
Internal errors are very rare and are generally caused by bugs in applications. In order to ΓÇ£cureΓÇ¥ an application of internal errors, grant it all three File privileges.
ICON
The “Icon” check box in the “At Startup” area let’s you choose whether or not GateKeeper’s icon will be displayed on the screen during system startup. This is a purely æsthetic matter that does not affect GateKeeper’s ability to protect against viruses.
WHEN COMPARING NAMES
Two check boxes in the ΓÇ£When Comparing NamesΓÇ¥ area allow you to regulate how strict GateKeeper is when comparing names in the process of determining whether a program has privileges or not.
IGNORE CASE
The setting of the ΓÇ£Ignore CaseΓÇ¥ check box determines whether or not upper- and lower- case letters are considered to match, i.e. if ΓÇ£Ignore CaseΓÇ¥ is checked, a name like ΓÇ£Font/DA MoverΓÇ¥ WILL be considered to match the name ΓÇ£font/da moverΓÇ¥ even though some of the letters are not of the same case.
MATCH BEGINNINGS
The setting of the ΓÇ£Match BeginningsΓÇ¥ check box specifies whether or not a match between a name in the privilege list and the beginning of a programΓÇÖs name should be considered significant. By way of example, suppose GateKeeper is trying to decide whether or not a program named ΓÇ£Font/DA Mover 3.8ΓÇ¥ has privileges and it finds that a program named merely ΓÇ£Font/DA MoverΓÇ¥ is present in the privilege list. If ΓÇ£Match BeginningsΓÇ¥ is turned on, the two names will be considered to match, and ΓÇ£Font/DA Mover 3.8ΓÇ¥ will be granted the privileges given to ΓÇ£Font/DA MoverΓÇ¥. If ΓÇ£Match BeginningsΓÇ¥ were turned off, the two names would not be considered to match and ΓÇ£Font/DA Mover 3.8ΓÇ¥ would not be granted any privileges.
NOTE: If ΓÇ£Match BeginningsΓÇ¥ is turned on, leading spaces (both normal and non-breaking) are ignored. This is true for both program names and the names in the privilege list.
PRIVILEGE LIST
The list that appears is the list of applications that have been granted privileges of some kind. Beneath it are the check boxes that permit you define those privileges. To the right of the list are three buttons: “Add…”, “Edit…” and “Clear”. “Add…” permits you to add an item to the list using the standard “Open…” dialog box. You can compel GateKeeper to display files regardless of their types by holding down the option key when clicking on the “Add…” button. “Edit…” lets you change the name of the list’s currently selected item. “Clear” allows you to remove the currently selected item from the list.
So how do you know when to grant privileges to a program? Before running a program for the first time, you should use your most trustworthy anti-virus disk scanning utility to check the program for viruses - otherwise you wonΓÇÖt know whether you are granting privileges to the program or a virus implanted within the program.
Once the program has been given a clean bill of health, go to the settings section of GateKeeper in the Control Panel. Make certain that the check box labeled ΓÇ£User AlertΓÇ¥ in the ΓÇ£Notification MethodΓÇ¥ area is checked, and that the radio button labeled ΓÇ£Notify OnlyΓÇ¥ in the ΓÇ£When AttackedΓÇ¥ area is highlighted. This tells GateKeeper NOT to stop suspicious operations, but to notify you that they occurred using an alert. The alert will tell you exactly what privilege was violated by the program.
If youΓÇÖre worried that an application is infected with a virus that isnΓÇÖt detected by your virus detection utility (which is a possibility that should not be ignored), you may want to use the ΓÇ£Notify & VetoΓÇ¥ mode while testing it. A well written application should be able to cope gracefully with any operations that are vetoed by GateKeeper in the course of your testing. Unfortunately, thereΓÇÖs no way of knowing in advance whether an application actually is well enough written to cope gracefully, so be prepared for the possibility of some System Errors.
When you do run the program, be sure to put it through its paces - try out most operations - so that youΓÇÖll be as likely as possible to discover all of the privileges it requires. Most programs do not require privileges, but care should always be taken to discover what (if any) privileges a program needs.
*WARNING: Unless you want to effectively copy protect the applications and system files on your Mac (which has its uses), the Finder should be granted ΓÇ£FileΓÇ¥ privileges on ΓÇ£OtherΓÇ¥ files. The Finder should NOT be granted RES privileges ΓÇô it doesnΓÇÖt need them.
ΓÇáNOTE: If you should encounter an INIT or cdev that is fundamentally incompatible with GateKeeper, i.e. it crashes because of the mere presence of GateKeeper no matter what privileges it is granted, the INIT or cdev should be renamed so that it appears prior to GateKeeper in the FinderΓÇÖs ΓÇ£View By NameΓÇ¥ mode. The best way to do this is to add two spaces to the beginning of the fileΓÇÖs name. To do so, name the file ΓÇ£x..FileNameΓÇ¥ (where ΓÇ£.ΓÇ¥ is understood to be a space, and ΓÇ£FileNameΓÇ¥ is the fileΓÇÖs original name), then finish renaming it by going back and deleting the ΓÇ£xΓÇ¥. The are no longer any INITs or cdevs known to be fundamentally incompatible with GateKeeper, so youΓÇÖll probably never need to worry about this.
GateKeeper maintains a log file containing a record of all events that occur on a system which appear significant to it.
The log file is a text-only data file. All records in the log contain ten fields. Fields are separated by tabs and records are separated by carriage returns. This makes the file suitable for use with most word processors and spreadsheets. (Of course, the fields wonΓÇÖt line up in columns unless you take a few moments to set the necessary tab stops in your word processor.)
Although the contents of most of the fields are strictly defined, several fields will contain different information depending on the operation being recorded.
The first two fields will always contain the date and time at which the record was made. The third field contains the privilege (if any) that was violated by this operation. The fourth field contains the name of the operation that is the subject of the record. The following two fields will contain different information depending on the operation. For resource operations, field 5 will contain a resource type and field 6 will contain an ID number for the ΓÇ£victimΓÇ¥ resource. For file operations, field 5 will contain a fileΓÇÖs original type and field 6 will contain the type it would have been changed to. For other operations (GateKeeper installation, system shutdown, etc.) field 5 contains the total number of writes made to the system disk, and field 6 is empty.
The remaining fields always contain the same type of information (where applicable). Fields 7 and 8 contain the name of the file which was to be the ΓÇ£victimΓÇ¥ of the operation and the name of disk it was stored on. Fields 9 and 10 contain the same information for the ΓÇ£attacker.ΓÇ¥
The lists of resources and file types protected by GateKeeper are stored in resources in the GateKeeper file; using ResEdit it is possible to exercise significant control over the protection afforded by GateKeeper.
The list resources are of type 'Type'. They are arrays of resource/file types headed by a long-word containing the number of types in the array. Resource 1 contains the list of ΓÇ£SacredΓÇ¥ resources, i.e. the ones that need protecting. By default this is a list of about 24 standard resource types known to contain executable code. Resource 2 contains the list of ΓÇ£EvilΓÇ¥ resources ΓÇô the ones created solely by and for viruses. The same restrictions that apply to sacred resources also apply to evil resources except that evil resources may be deleted. Resource 3 contains the list of ΓÇ£SacredΓÇ¥ file types, i.e. file types that are understood to contain executable code or are otherwise considered significant to the system.
Please be EXTREMELY careful if distributing modified copies of GateKeeper - both the operation and reputation of this product depend on complete and accurate lists of the aforementioned types.
GateKeeper is free for non-commercial public distribution. This means that you canΓÇÖt charge for it or bundle it with a product without my express written permission. Bulletin-board systems are the sole exceptions to this rule.
PICT Control CDEF version 1.0.2 provided by Chris Johnson, ©1989.
The PICT Control CDEF is also free, and may be used to create an extraordinary variety of custom controls in any Macintosh application. If youΓÇÖre interested in making use of the PICT Control CDEF be sure to get a copy of the installer/editor/demo application which contains complete on-line help and a host of sample control types.
ItΓÇÖs important to keep your copy of GateKeeper up to date in order to help guarantee its safe and reliable operation.
If you do not have access to a reliable source of up-to-date publicly available software, you (or your local user’s group, BBS, network administrator, etc.) can send a self addressed, stamped, letter size envelope and 25¢ (to cover printing costs) to the address in the “Bug Reports” section below. I’ll try to keep you informed of the availability of new versions of GateKeeper, as well as the discovery of new viruses.
When updates become available this will make it possible for me to notify you and explain how you can get the update ΓÇô in the mean time, please donΓÇÖt send diskettes.
I can be reached with questions, suggestions, bug reports, donations, job offers and other testaments of appreciation as…
US Mail:
Chris Johnson
3311 Red River #305
Austin, TX 78705
Internet:
chrisj@emx.utexas.edu
UUCP:
{husc6|uunet}!cs.utexas.edu!ut-emx!chrisj
AppleLink:
chrisj@emx.utexas.edu@dasnet#
IΓÇÖm always happy to reply to any mail that seems to need a reply. If youΓÇÖre using US Mail it may take a bit of time, but including a SASE does help to speed up the process.
Thanks to the version 1.1.1 testers: Dale M. Arends, Steve Baumgarten, Thomas R. Blake, Dave Busse, Bill Engels, Zbigniew Fiedorowicz, Ed Fortmiller, Jeff Harrow, Steven Johnson, Vahe Kassardjian, Zev Klein, Bill Lipa, Stuart A. Malone, Andrew Mason, Mike Merrifield, John Norstad, Edward Olsen, Dave Platt, Alexis Rosen, John Salmento, Rich Siegel, Robert Stewart, Robert J. Thum and Walter Vogel.
Thanks to Paul Mercer, Darin Adler, and Paul Snively for creating ShowINIT.
GateKeeper was written in Lightspeed CΓäó, version 3.01p3. ItΓÇÖs an excellent product - if youΓÇÖre looking for a development system, consider it recommended strongly.
DISCLAIMER: My employer had no involve- ment with this project.
