Path: utzoo!utgpu!news-server.csri.toronto.edu!cs.utexas.edu!sun-barr!ames!coherent!dplatt
From: dplatt@coherent.com (Dave Platt)
Newsgroups: comp.sys.mac.misc
Subject: Re: A modest proposal...
Summary: I think it's a bad idea, for the reasons stated
Message-ID: <88864@coherent.coherent.com>
Date: 21 Nov 90 02:20:04 GMT
References: <1990Nov13.112340.13107@warwick.ac.uk> <2274@key.COM> <10490@ur-cc.UUCP> <1990Nov19.033747.29163@ux1.cso.uiuc.edu> <27013.27483646@kuhub.cc.ukans.edu>
Reply-To: dplatt@coherent.com (Dave Platt)
Followup-To: comp.virus
Organization: Coherent Thought Inc., Palo Alto CA
Lines: 102

In article <27013.27483646@kuhub.cc.ukans.edu> mlab2@kuhub.cc.ukans.edu writes:
> Here's a dilemma... Consider an anti-virus virus... A "travelling" virus
> eradicator occurred to me (as it has probably occurred to others).

Indeed it has. This topic has been discussed at some length in the comp.virus newsgroup (and I'm redirecting followups to that newsgroup, as it's really the appropriate place for discussions of this sort).

In fact, it has been tried at least once. The originally-discovered variant of the nVIR virus was highly destructive... it deleted randomly-chosen files in the System folder. One user who discovered it modified it to create a "phage"... which would detect the fact that applications were infected with the destructive nVIR and would overwrite them with a copy of itself. The "phage" was successful... the file-destroying variant of nVIR appears to be extinct. The phage is still with us... it's the nVIR you've been having so much trouble with.

> It would not require the user to "manually" check their disks. It would
> check to see that no more than one copy of itself resides on a disk. It
> would have an expiration date (read off the Mac clock - say, 1992) at
> which time it would erase itself. It would be small (say, less than 10K
> if possible). It would not attach itself to applications or files
> (perhaps it would simply make itself invisible - a lame camouflage, but
> sufficient considering the users it is targeted to serve).

Ummm... if it doesn't infect applications or files, how will it propagate itself?

Repairing a damaged application "on the fly" is a very difficult task. Viruses can modify applications in quite a few different ways. Virus-repair programs are, one and all, a maze of twisty little special cases, all different. The thought of embedding all of these into an INIT makes my skin crawl. And in 10k bytes? I think not. John Norstad's Disinfectant INIT is roughly 5k... and it's a tightly-coded assembly-language routine which simply detects viruses and makes no attempt to repair the damage they've done. There's no way you'd get a solid repair facility into 10k bytes.

> Problems? The ethical one of course. That is, "No program or code
> shall copy itself from one medium to another without the consent,
> knowledge, and approval of the user."

Yup. Note the fact that the phage nVIR is still causing problems for many users. These users have a right to be thoroughly peeved if nVIR causes problems on their machine... they did not ask to receive this "help".

> The only other problem I foresee
> is one of poor programming - incompatibility with existing systems,
> software, or machines - and incompatibility with future versions of
> systems, software and machines.

This is a much bigger problem than you perhaps realize. Ensuring full compatibility with all existing systems, applications, INITs, cdevs, etc. is extremely difficult. It's hard enough for the people who write full-fledged antiviral INITs and applications to achieve... note how frequently these products have been revised. It's probably impossible to achieve in the first version of any antiviral INIT.

Ensuring full compatibility with all _future_ hardware, system software, applications, INITs is almost certainly impossible.

Ensuring that the anti-virus-virus could cope adequately with as-yet-undiscovered viruses is _certainly_ impossible.

And it's probably impossible to recall a defective self-propagating "anti-virus". If it turned out to be significantly defective, you'd have to release a modified version of the anti-virus, which would do everything the original version does, as well as find and destroy the defective version.

> A final thought - the possibility that
> someone with less benevolent intent would modify it to destructive ends.

Yup. The odds are too high to risk it.

And, from the point of view of the end-user (whether knowledgeable or ignorant), an "anti-virus virus" which makes even a slight mistake when repairing a file, or which interferes with a system in even a small way, is no less destructive than a deliberately-malicious virus. Good intentions do not excuse ill-considered actions.

Would I trust such an anti-virus virus? Not on a bet! I'd remove it from my system ASAP... and I'd bet that every current freeware or commercial anti-virus package would be revised to smoke out and vaporize such a beast. And I'd predict that legal action would very probably be taken against the author of the anti-virus-virus, as soon as his/her name became known.

Please, kids... do NOT try this at home. Or elsewhere. It's an idea which would cause us all far more trouble than it would save us.

If you want to spend effort fighting viruses, do it by educating your fellow-user... pass around copies of Disinfectant! Try lobbying vendors to include better virus-protection features in their products and to write-protect the master diskettes they ship.