Path: utzoo!utgpu!news-server.csri.toronto.edu!cs.utexas.edu!sdd.hp.com!zaphod.mps.ohio-state.edu!unix.cis.pitt.edu!dsinc!netnews.upenn.edu!vax1.cc.lehigh.edu!cert.sei.cmu.edu!krvw
From: 71435.1777@CompuServe.COM (Bob Bosen)
Newsgroups: comp.virus
Subject: Re: Products for detecting Viruses
Message-ID: <0009.9011191418.AA28547@ubu.cert.sei.cmu.edu>
Date: 16 Nov 90 16:56:33 GMT
Sender: Virus Discussion List
Lines: 58
Approved: krvw@sei.cmu.edu

In volume 182, Johnathan Vail refers to my company's product "SafeWord
VIRUS-Safe", stating "This technique seems to be a good one for screening
for *propagation* of viruses on a system or network." He then asked me
some questions, which I hereby answer as follows:

>Q: This doesn't detect the program that is spreading the virus, only
>the ones that have been subsequently infected. Correct?

A: Correct. The information necessary to identify the offending virus is
stored in a separate "audit trail" file that records the before-and-after
file sizes, before-and-after signatures, date and time when signatures
were verified and date and time when changes were detected, and also a
record of when the user was notified of detected changes and how the user
decided to handle the situation. The intent here is that the audit trail
file will help a virus troubleshooter make a quick and accurate
determination of what has caused the problem, when it entered the system,
and how far it has spread.

>Q: Does this provide any protection from attacks on COMMAND.COM, boot
>sectors or general attacks through DOS or BIOS?

A: Yes. Also on IBMBIO.COM (and functional equivalents by other names),
IBMDOS.COM (and functional equivalents by other names), partition tables,
any normally unused sectors that usually reside physically adjacent to
these items, the "leftover" bytes between the ends of these items and the
clusters containing them, etc.
>Q: Are there programs that legitimately modify themselves with various
>defaults and setup that can trigger the virus detector?

A: Yes. Although these are fairly unusual, they do exist and we handle
them simply. Whenever a change is detected in a file, we open up a window
and ask the user if they know of a good REASON why the change in the
file's signature should be authorized. We suggest the possibility of a
configuration change or update since the date when the previous signature
was calculated. If the operator indicates that the changed signature is
expected, then we record the operator's comments in the audit trail file,
update the corresponding file signature, and proceed. We have found that
the resulting audit trail paints a very accurate and comprehensive picture
of the integrity of the system, and any patterns of infection are quickly
deduced by a virus-knowledgeable person who examines the audit trail file.
This provides valuable guidance to a virus expert armed with the latest
from Skulason or McAfee. (Remember, this is COMMERCIAL software, not
shareware or public-domain. It is intended for use in large populations of
MS-DOS machines as an integrity check, in support of a group of virus
experts armed with virus-specific removal tools.)

-Bob Bosen-
Enigma Logic Inc.
2151 Salvio Street, #301
Concord, CA 94565 USA
Tel: (415) 827-5707
FAX: (415) 827-2593
Internet: 71435.1777@COMPUSERVE.COM
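The integrity-check-with-audit-trail scheme Bosen describes above (baseline signatures, before/after sizes and signatures on change, the time of last verification and of detection, and the operator's authorize/deny decision with a comment) is easy to reproduce in a few dozen lines. The following is an added example written for this page; it is not Enigma Logic's code and the post does not describe VIRUS-Safe's internals. The SHA-256 signature, the record field names, the `authorize()` callback standing in for the interactive prompt, and the constructed sample files in `demo()` are all this example's own assumptions.

```python
"""Added example, not Enigma Logic's code: a minimal file-integrity checker
that keeps an audit trail of every detected change and of the operator's
decision about it.  Signature algorithm, record layout and the authorize()
callback are assumptions of this example."""
import hashlib
import os
import shutil
import tempfile
import time


def signature(path, chunk_size=65536):
    """Content signature of a file.  SHA-256 is this example's choice; the
    post does not say what signature VIRUS-Safe computed."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(paths, now=None):
    """Record size, signature and verification time for each file."""
    now = time.time() if now is None else now
    return {p: {"size": os.path.getsize(p), "sig": signature(p),
                "verified_at": now} for p in paths}


def verify(baseline, authorize, audit, now=None):
    """Re-check every file in the baseline.

    For each changed file an audit record holds the before/after size and
    signature, when the old signature was last verified and when the change
    was detected.  authorize(path, record) stands in for the user prompt and
    returns (True, comment) if the operator knows a reason for the change
    (then the baseline entry is refreshed) or (False, comment) otherwise.
    The decision and comment are appended to the record.  Returns the list
    of paths whose change was NOT authorized."""
    now = time.time() if now is None else now
    unauthorized = []
    for path, entry in baseline.items():
        size = os.path.getsize(path)
        sig = signature(path)
        if size == entry["size"] and sig == entry["sig"]:
            entry["verified_at"] = now  # unchanged: just note re-verification
            continue
        record = {
            "path": path,
            "size_before": entry["size"], "size_after": size,
            "sig_before": entry["sig"], "sig_after": sig,
            "last_verified_at": entry["verified_at"],
            "detected_at": now,
        }
        ok, comment = authorize(path, record)
        record["user_notified_at"] = now
        record["authorized"] = ok
        record["comment"] = comment
        audit.append(record)
        if ok:
            entry.update(size=size, sig=sig, verified_at=now)
        else:
            unauthorized.append(path)
    return unauthorized


def demo():
    """Walk-through on constructed files in a temporary directory: one file
    is 'infected' (bytes appended), the other legitimately rewrites its own
    settings, and only the second change is vouched for by the operator."""
    d = tempfile.mkdtemp()
    cmd = os.path.join(d, "COMMAND.COM")
    edt = os.path.join(d, "EDITOR.EXE")
    with open(cmd, "wb") as f:
        f.write(b"original command interpreter")
    with open(edt, "wb") as f:
        f.write(b"editor with embedded defaults")
    baseline = build_baseline([cmd, edt], now=1000.0)
    with open(cmd, "ab") as f:              # simulated infection: appended body
        f.write(b"VIRUS BODY")
    with open(edt, "wb") as f:              # simulated self-modifying program
        f.write(b"editor with embedded defaults v2")

    def authorize(path, record):
        # Interactive prompt in the real product; here the operator only
        # knows a reason for the editor's change.
        if os.path.basename(path) == "EDITOR.EXE":
            return True, "settings saved by the program itself"
        return False, "no known reason for change"

    audit = []
    bad = verify(baseline, authorize, audit, now=2000.0)
    shutil.rmtree(d)
    return ([os.path.basename(p) for p in bad], audit,
            {os.path.basename(p): e for p, e in baseline.items()})
```

Two caveats a practitioner would add to the post's description: the baseline and the audit trail are only as trustworthy as their storage, so they must live where the code being checked cannot rewrite them (write-once media, a separate host, or a signed file), and a signature that is not collision-resistant lets an infector adjust its payload to preserve the old value, which is why the example uses a cryptographic hash rather than a checksum.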