Path: utzoo!attcan!utgpu!jarvis.csri.toronto.edu!mailrus!accuvax.nwu.edu!jln
From: jln@accuvax.nwu.edu (John Norstad)
Newsgroups: comp.sys.mac
Subject: Re: Disinfectant
Message-ID: <908@accuvax.nwu.edu>
Date: 18 Jul 89 16:38:54 GMT
References: <269.24AE0D88@bmug.FIDONET.ORG>
Sender: news@accuvax.nwu.edu
Reply-To: jln@accuvax.nwu.edu (John Norstad)
Organization: Northwestern Univ. Evanston, Il.
Lines: 64

Michael Pearce writes:

> I thank you for Disinfectant.

You are welcome. Since I released Disinfectant several months ago
I've gotten tons of mail from people thanking me for the program, and
it's been very gratifying. I'm very happy that it has helped so many
people.

> I would like to make a suggestion, though: Can you modify the
> next version so that an infected copy will still work?
>
> ... Description of a "bootstrapping" process to get from an
> infected system, including an infected copy of Disinfectant, to
> an uninfected system, including an uninfected copy of
> Disinfectant.

As you are aware, when Disinfectant is run it checks itself to see if
it has been modified. If a change is detected, an alert is presented
informing the user that the copy of Disinfectant has been damaged,
infected by a virus, or otherwise modified. The user is advised to
obtain a new "clean" copy, and the user is not permitted to use the
"damaged" copy.

Although your description of a "bootstrapping" method is sound, I
still hesitate to permit users to use a modified copy of
Disinfectant. It's simply too dangerous. The program may have been
damaged in such a way that it can no longer function properly,
resulting in failure to properly detect and repair infected files,
system crashes, or other unexpected behaviour. The only safe thing to
do in this case is refuse to permit the user to run the program.

I put in the check for several reasons - to detect infections by
viruses, to detect tampering by humans or other programs, and to
detect damage of other kinds (bad disk copies, etc.). The check is
quite thorough - I compute two different kinds of checksums of the
entire resource fork of the program file (minus the part of the
header that can vary legitimately from copy to copy).

In fact, none of the current crop of Mac viruses can infect
Disinfectant 1.1, due to other protective measures I've taken in the
program. I've verified this both analytically and by experimentation.
Thus, if you get the "damaged" alert it probably doesn't mean that
Disinfectant has been infected, but rather that the copy has been
damaged in some other way. In this case your bootstrapping process
probably wouldn't do any good. Again, especially in this case, I
don't want to let the user run the program - I know I've been
modified, and I have no way to know how dangerous the modification
might be.

Another problem with permitting a modified copy of Disinfectant to be
run is that I'd have to try to document the problem. I'm afraid that
describing the details of your bootstrapping method to the average
Mac user without causing massive confusion would be impossible.

In general, I've tried to take a very conservative approach in
Disinfectant, based on the "better safe than sorry" principle, and I
think this is one of the program's virtues. Checking myself and
refusing to run if I detect any kind of change is just one example of
this principle.

John Norstad
Northwestern University
jln@ancs.nwu.edu
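
The kind of self-check the post describes, as an added example that is not part of the original post and is not Disinfectant's code: two checksums of different kinds over a program image with the legitimately variable header region excluded, refusing to run on any mismatch. The choice of an additive sum and CRC-32, the byte range 16..31 for the variable region, and all names and sample bytes are assumptions; the post does not say which checksums or layout Disinfectant uses.

```python
import zlib

# Assumption: bytes 16..31 stand in for the header region that may vary
# legitimately from copy to copy; the real layout is not given in the post.
VARIABLE = slice(16, 32)


def stable_bytes(image: bytes) -> bytes:
    """Return the image with the legitimately variable region cut out."""
    return image[:VARIABLE.start] + image[VARIABLE.stop:]


def additive_sum(data: bytes) -> int:
    """Order-insensitive 32-bit sum: cheap, but blind to reordered bytes."""
    return sum(data) & 0xFFFFFFFF


def fingerprint(image: bytes) -> tuple[int, int]:
    """Two checksums of different kinds over the stable part of the image."""
    body = stable_bytes(image)
    return additive_sum(body), zlib.crc32(body) & 0xFFFFFFFF


def may_run(image: bytes, expected: tuple[int, int]) -> bool:
    """Fail closed: run only if both checksums match the recorded pair."""
    if len(image) < VARIABLE.stop:
        return False  # truncated copy: refuse rather than guess
    return fingerprint(image) == expected


# Constructed sample "program image" (not real Disinfectant data).
CLEAN = bytes(range(64)) * 4
EXPECTED = fingerprint(CLEAN)  # assumed to be recorded when the program is built

# A copy whose variable header region differs is still accepted.
RELABELLED = CLEAN[:16] + b"\xAA" * 16 + CLEAN[32:]

# Swapping two unequal bytes keeps the additive sum but changes the CRC.
_swap = bytearray(CLEAN)
_swap[40], _swap[41] = _swap[41], _swap[40]
SWAPPED = bytes(_swap)

# A single flipped bit, as from a bad disk copy.
FLIPPED = CLEAN[:100] + bytes([CLEAN[100] ^ 0x01]) + CLEAN[101:]

if __name__ == "__main__":
    for name, img in [("clean", CLEAN), ("relabelled", RELABELLED),
                      ("swapped", SWAPPED), ("flipped", FLIPPED)]:
        print(name, "run" if may_run(img, EXPECTED) else "refuse")
```

The swapped copy is the case that shows why two kinds of checksum matter: the additive sum alone would accept it.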