Path: utzoo!utgpu!watserv1!watmath!att!att!linac!pacific.mps.ohio-state.edu!zaphod.mps.ohio-state.edu!ncar!gatech!rutgers!cbmvax!cbmehq!cbmger!peterk
From: peterk@cbmger.UUCP (Peter Kittel GERMANY)
Newsgroups: comp.sys.amiga
Subject: Re: We need a new virus killer!
Message-ID: <598@cbmger.UUCP>
Date: 28 Nov 90 09:27:38 GMT
References: <1836@kielo.uta.fi>
Reply-To: peterk@cbmger.UUCP (Peter Kittel GERMANY)
Organization: Commodore Bueromaschinen GmbH, West Germany
Lines: 45

In article <1836@kielo.uta.fi> ahonen@kullero.uta.fi (Anssi Ahonen) writes:
>
>We need a new virus killer program. A program designed to check reset-vectors,
>interrupt-vectors, resident libraries, disk-validator and executables.

This is a permanent issue in the war of virus programs against anti-virus programs: If we had a STANDARD anti-virus program, then every virus programmer could train his virus to fool this checking program. So you will NEVER have ONE all-purpose and all-time-valid anti-virus program.

But most of your wishes can get satisfied already. Every virus that infects an existing file (be it library or executable) is detectable through a good CRC checking program. (There is one on the fish disks, but I have no experience of my own with it.) When a virus changes a file, the CRC program should notice that. And a "good" CRC program should add a feature like "configuration" that enables you to choose your own polynomial for the CRC computation. Otherwise, if always the same polynomial were used, a virus could outperform that by adding some checksum-like bytes to restore the CRC sum to the old value. But if the virus doesn't know the mechanism details of how the CRC is computed, it can't take any actions against it.
So my attempt at such a program was to use a PD wordcount program, let it run on EVERY file on my HD (yes, also data files), store this check program and the result (a long list of all files with paths included and their wordcount results) on a separate floppy disk, and when running this program again, I got a list of which files were new/deleted since last time and which files changed. So I at least get an alarm when one of my executables or other system files was changed not intentionally.

But this concept suffers from a different caveat that is the reason why I still don't use it regularly:

1. I use a wordcount program where the checksum is NOT configurable (should code my own one),
2. the data file with the results gets so big it doesn't fit on a single floppy.

So I still have to work on a way to compact this file considerably. I already have some ideas, but not the time to put them into code.

So this is the way development should take for this kind of virus protection programs. The other kind still should check the system vectors in the Amiga RAM and floppy bootblocks. And there we can achieve some progress, too, sure.

-- 
Best regards, Dr. Peter Kittel  // E-Mail to       \\  Only my personal opinions...
Commodore Frankfurt, Germany  \X/ {uunet|pyramid|rutgers}!cbmvax!cbmger!peterk
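The scheme Peter sketches above (checksum every file with a polynomial the operator chooses, keep the result list on separate media, re-run and report new/deleted/changed files) as an added Python example; this is not code from the post or from any Amiga tool, and the directory layout, file contents and the two polynomial constants are constructed for the demonstration. The table-driven CRC is the standard reflected form; with the IEEE polynomial it matches the common CRC-32, with another polynomial it yields different values for the same data, which is exactly the configurability the post asks for. A CRC remains a non-cryptographic check, so a modern integrity monitor would use a keyed cryptographic hash instead, but the inventory-and-diff logic is the same.

```python
"""File-integrity baseline with a configurable CRC-32 polynomial (added example)."""
import os
import tempfile
from pathlib import Path
from typing import Callable, Dict, Set, Tuple

# Reflected forms of two well-known CRC-32 polynomials (assumed defaults; the
# post's point is that the operator picks one the malware cannot predict).
CRC32_IEEE = 0xEDB88320
CRC32_CASTAGNOLI = 0x82F63B78


def make_crc32(poly: int) -> Callable[[bytes], int]:
    """Build a table-driven, reflected CRC-32 function for the given polynomial."""
    table = []
    for byte in range(256):
        crc = byte
        for _ in range(8):
            crc = (crc >> 1) ^ poly if crc & 1 else crc >> 1
        table.append(crc)

    def crc32(data: bytes) -> int:
        crc = 0xFFFFFFFF  # initial value, with final XOR-out below
        for b in data:
            crc = table[(crc ^ b) & 0xFF] ^ (crc >> 8)
        return crc ^ 0xFFFFFFFF

    return crc32


def snapshot(root: Path, crc: Callable[[bytes], int]) -> Dict[str, int]:
    """Checksum every regular file under root, keyed by path relative to root."""
    result: Dict[str, int] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            result[path.relative_to(root).as_posix()] = crc(path.read_bytes())
    return result


def compare(baseline: Dict[str, int], current: Dict[str, int]) -> Tuple[Set[str], Set[str], Set[str]]:
    """Return (new, deleted, changed) relative paths, the report the post describes."""
    new = set(current) - set(baseline)
    deleted = set(baseline) - set(current)
    changed = {p for p in baseline.keys() & current.keys() if baseline[p] != current[p]}
    return new, deleted, changed


def save_baseline(baseline: Dict[str, int], path: Path) -> None:
    """One 'crc<TAB>relative-path' line per file; sorted so two baselines diff cleanly."""
    path.write_text("".join(f"{crc:08x}\t{rel}\n" for rel, crc in sorted(baseline.items())))


def load_baseline(path: Path) -> Dict[str, int]:
    """Inverse of save_baseline."""
    out: Dict[str, int] = {}
    for line in path.read_text().splitlines():
        crc_hex, rel = line.split("\t", 1)
        out[rel] = int(crc_hex, 16)
    return out


def demo(poly: int = CRC32_IEEE) -> Tuple[Set[str], Set[str], Set[str]]:
    """Constructed scenario: baseline a tree, then modify one file, add one, delete one."""
    crc = make_crc32(poly)
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "hd"
        (root / "c").mkdir(parents=True)
        (root / "libs").mkdir()
        (root / "c" / "dir").write_bytes(b"original executable")
        (root / "c" / "list").write_bytes(b"another executable")
        (root / "libs" / "icon.library").write_bytes(b"library code")
        baseline_file = Path(tmp) / "baseline.txt"  # stands in for the separate floppy
        save_baseline(snapshot(root, crc), baseline_file)

        # Second run: one file altered, one new, one removed.
        (root / "c" / "dir").write_bytes(b"original executable" + b"\x00" * 4)
        (root / "c" / "newcmd").write_bytes(b"appeared since last run")
        (root / "libs" / "icon.library").unlink()

        return compare(load_baseline(baseline_file), snapshot(root, crc))


if __name__ == "__main__":
    new, deleted, changed = demo()
    print("new:", sorted(new))
    print("deleted:", sorted(deleted))
    print("changed:", sorted(changed))
```

Running the module prints the three lists for the constructed tree. The baseline format is deliberately one line per file so it can be stored on separate media and compared with plain tools; the post's second complaint, the list outgrowing a floppy, is a matter of how compactly that file is written, not of the checking logic.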