Path: utzoo!attcan!uunet!wuarchive!psuvax1!rutgers!netnews.upenn.edu!vax1.cc.lehigh.edu!cert.sei.cmu.edu!krvw From: p1@rlyeh.wimsey.bc.ca (Rob Slade) Newsgroups: comp.virus Subject: Anti-virus Plus (PC) Message-ID: <0008.9012101454.AA21256@ubu.cert.sei.cmu.edu> Date: 7 Dec 90 22:52:29 GMT Sender: Virus Discussion List Lines: 29 Approved: krvw@sei.cmu.edu I tend to use Word Perfect's "Files List" feature to move files around on the disk, and to make up floppies. I was doing just that, when I got a message that I had been "running an infected file. PREVENT1 has removed the infection." This was a little odd, since Word Perfect is one of the commercial programs that does it's own self check. Not proof against a stealth virus, of course, but still, it would be an unlikely candidate for infection. PREVENT1 had dumped me back at the DOS prompt, so I did a quick F-SYSCHK. Nothing. I F-FCHKed, SCANned and VPCSCANned the WP51 directory, with no results. (VPCSCAN is the scanning portion of Virex-PC, written by Ross Greenburg of Flu-Shot fame. Let me say in passing that it is *FAST*.) Then I got to thinking. One of the files I had been trying to delete was a .COM file. So I tried it again. Same result. I tried deleting a few other types of files. No problems with anything but a .COM or an .EXE. I got sneaky and renamed MOVE.COM to MOVE.TXT. PREVENT1 didn't like that either, so it's pretty sneaky itself. PREVENT1 does not interfere with PCTOOLS deletion of program files, and I don't know what the difference would be, although I assume PCTOOLS would use a "deeper" call to do it's deletions than WP would. So Antivirus Plus is making some assumptions, generally valid, about what some programs should be doing with other program files. A way to catch unknown viri, perhaps, but it may interfere with operations you want to do if, like me, you use programs for things they were never meant to do. :)