Path: utzoo!attcan!lsuc!maccs!cs4g6ag
From: cs4g6ag@maccs.dcss.mcmaster.ca (Stephen M. Dunn)
Newsgroups: comp.sys.ibm.pc
Subject: Re: .COM and .EXE files
Message-ID: <254A1CA0.5798@maccs.dcss.mcmaster.ca>
Date: 28 Oct 89 21:39:43 GMT
Reply-To: cs4g6ag@maccs.dcss.mcmaster.ca (Stephen M. Dunn)
Organization: McMaster University, Hamilton, Ontario
Lines: 39

Fridrik Skulason writes:
$>andrew gray writes:
$>$would be any way to fool MS-DOS (or command.com) into using other extenders
$>$for executable files, and ignoring COM and EXE altogether.
$>$ Seems to me that this would add a small modicum of protection against
$>$trojans or other programs that corrupt executable files.

$Another problem is that this will not provide much protection. You will be
$protected against some viruses, in particular so-called "direct-action"
$viruses, that search the disk for new files to infect, but this will not
$provide any protection against viruses that stay resident, and infect programs
$as they are run.

This is true ... does anyone know the rough proportion of viruses that
search for files to infect against those which infect programs that you run?

$Also, a virus could easily find (and infect) COMMAND.COM, even if it has
$been renamed, just by checking the COMSPEC variable.

Yes, but don't forget that every time you add some complexity to a
program, you add to its size. For a virus, size is a fairly important
characteristic. The size cost of adding checks for the COMSPEC variable is
not too great; however, if you look at all of the nifty things that one can
do to try to confuse viruses (changing file attributes, renaming your files
if it works, etc.), a virus which tried to defeat all such mechanisms (or
even many of them) would soon grow pretty big, and would then likely have to
specialize in infecting only larger .COM or .EXE programs to decrease the
likelihood of detection - if you suddenly found that the ASK utility you may
use for asking questions in batch files grew from 509 bytes to 8.3K, you'd
become suspicious pretty quickly.

(BTW, if anyone wants such a program, e-mail me a note saying you want
ASK.COM ... this one is public domain and guaranteed free of infection when
it leaves my mailbox)

--
Stephen M. Dunn cs4g6ag@maccs.dcss.mcmaster.ca
= "\nI'm only an undergraduate!!!\n";
**************************************************************************
... but I'm too full to swallow my pride ...
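
The size check the post describes, written out as a baseline-and-compare script. This is an added example, not part of the original post; the 509-byte ASK.COM and its growth to about 8.3K come from the post, while BIG.EXE, SAME.COM and all function names are constructed for illustration.

```python
import os
import tempfile

EXEC_EXTS = {".com", ".exe"}  # the extensions the thread is about

def snapshot(root):
    """Return {relative path: size in bytes} for executables under root."""
    sizes = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() in EXEC_EXTS:
                full = os.path.join(dirpath, name)
                sizes[os.path.relpath(full, root)] = os.path.getsize(full)
    return sizes

def compare(baseline, current):
    """List (path, status, old_size, new_size) for every change since baseline."""
    findings = []
    for path, old in sorted(baseline.items()):
        new = current.get(path)
        if new is None:
            findings.append((path, "missing", old, None))
        elif new != old:
            findings.append((path, "grew" if new > old else "shrank", old, new))
    for path in sorted(set(current) - set(baseline)):
        findings.append((path, "new", None, current[path]))
    return findings

def growth_factor(finding):
    """New size divided by old size; None when either size is unavailable."""
    old, new = finding[2], finding[3]
    return new / old if old and new else None

def demo():
    """Constructed data: ASK.COM sizes from the post, the other files invented."""
    with tempfile.TemporaryDirectory() as root:
        files = {"ASK.COM": 509, "BIG.EXE": 60000, "SAME.COM": 1200}
        for name, size in files.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(b"\0" * size)
        baseline = snapshot(root)
        added = 8499 - 509  # ASK.COM growing to about 8.3K, as in the post
        for name in ("ASK.COM", "BIG.EXE"):
            with open(os.path.join(root, name), "ab") as fh:
                fh.write(b"\0" * added)
        return compare(baseline, snapshot(root))

if __name__ == "__main__":
    for f in demo():
        print(f, growth_factor(f))
```

The same 7,990 added bytes multiply ASK.COM's size almost 17 times but enlarge the 60,000-byte BIG.EXE by about 13%, which is the post's reason a bulky virus would prefer larger hosts.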