Path: utzoo!censor!geac!torsqnt!lethe!yunexus!ists!helios.physics.utoronto.ca!news-server.csri.toronto.edu!bonnie.concordia.ca!thunder.mcrcim.mcgill.edu!snorkelwacker.mit.edu!usc!zaphod.mps.ohio-state.edu!unix.cis.pitt.edu!dsinc!netnews.upenn.edu!vax1.cc.lehigh.edu!cert.sei.cmu.edu!krvw
From: padgett%tccslr.dnet@uvs1.orl.mmc.com (Padgett Peterson)
Newsgroups: comp.virus
Subject: Hard Disk Protection (PC)
Message-ID: <0005.9101111559.AA00331@ubu.cert.sei.cmu.edu>
Date: 11 Jan 91 19:32:10 GMT
Sender: Virus Discussion List
Lines: 71
Approved: krvw@sei.cmu.edu

>> From: Mr Gordon S Byron
>>
>> I am interested in finding a DOS antivirus program which would
>> automatically scan disks as they are inserted. Ideally, something like
>> SAM II on the Mac.

Could be done with something hooking the timer, but why? Macs execute
code on the floppy when it is inserted, but an IBM or clone does not
(unless you try to boot from it). Under MS-DOS, a program must be
requested for execution before it is loaded, and that is when good
anti-viral programs do their thing.

> From: Carlos Jimenez
> Subject: Re: Prevent hard disk infection? (PC)
>
>> Is there any way to prevent a virus from infecting a hard disk when
>> you cold boot with an infected diskette in drive a:? (I should have
>> written "when you unfortunately have left a diskette in drive a:" or
>> "when you leave your computer unattended and someone boots from a
>> diskette").
>>
>> Paul M. Monat, Lab Manager   Phone: 613-564-6895/6500
>
> When a boot sector virus infects a diskette (with or without an
> operating system), it can make a boot sector that can infect any hard
> disk using:
>
>  - direct access to the hard disk port
>    (I don't know any virus that actually uses this method),

They do not, because many disks use different ports and access methods,
so one single method will not work well. Most hardcards and non-standard
disks (ESDI, SCSI) use their own ROM extensions located at a different
address, so a virus cannot tell just where to look (incidentally, a
similar reason is why DOS viruses do not fare well under Unix or OS/2).

>  - BIOS Int 13h Function 03 (Write sector)
>    (like Stoned)

Yup.

>  - DOS Int 26h (Write absolute sector)
>    (like Bouncing Ball)

Boot sector infectors cannot use this, since Int 26 is not there until
after DOS loads (and it usually goes through Int 13 ultimately, as do
most of the Int 21 functions that do disk access anyway).

> The third method of infection has a solution using software. If you
> clear the partition table of your hard disk, DOS can't recognize the
> hard disk (as if it had no low-level format), and Int 26h calls will
> fail. For a successful boot from the hard disk you must replace the
> original bootstrap routine with another one that writes the original
> partition table back, then reads the boot sector of the active
> partition and executes it. You must include a program that clears the
> partition table again (I have a driver in CONFIG.SYS).

This is what I have been playing with, except that the copying of
sectors is a crude way to do it; a custom partition sector, either not
containing the partition table or with an encrypted table, is much more
effective. You can also check for certain things like a hooked Int 13
very easily, since you are dealing with the bare BIOS at this point,
something impossible from either CONFIG.SYS or AUTOEXEC.BAT. Another
plus is that you can do many other things from here, like prevention of
hard disk formatting, partition table corruption, and passing of clean
system parameters to the rest of the anti-virus program invoked later.

And may have just found a nice '69 Grand Prix, whee,

Padgett
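The two pre-DOS checks the thread ends on (a partition sector that carries no usable table until the custom boot code restores it, and a look at the Int 13h vector while only the BIOS and adapter ROMs have had a chance to own it) can be modelled in a few lines. The following is an added example, not code from the post or from any of the programs it mentions; it runs over constructed byte images of an MBR and of low memory (interrupt vector table plus BIOS data area) instead of touching a real disk or real memory. The MBR layout (table at 1BEh, signature 55h AAh at 1FEh), the Int 13h slot at 0000:004C and the memory-size word at 0040:0013 are standard PC facts; the ROM floor segment C000h, the sample vector values and the sample partition are assumptions chosen for the demonstration.

```python
"""Added example: checks a custom MBR program could make before DOS loads.

Everything here operates on constructed byte images, not on hardware.
"""
import struct

MBR_SIZE = 512
PART_TABLE_OFF = 0x1BE     # four 16-byte partition entries start here
PART_TABLE_LEN = 64
BOOT_SIG_OFF = 0x1FE       # 55h AAh boot signature
IVT_INT13_OFF = 0x13 * 4   # IVT slot for Int 13h: offset word, then segment word
BDA_MEMSIZE_OFF = 0x413    # 0040:0013, conventional memory size in KB (BIOS data area)
ROM_FLOOR_SEG = 0xC000     # assumption: adapter ROMs (C800h etc.) and system BIOS (F000h) sit above this


def parse_partition_table(mbr):
    """Return the non-empty partition entries of an MBR image."""
    if len(mbr) != MBR_SIZE or mbr[BOOT_SIG_OFF:BOOT_SIG_OFF + 2] != b"\x55\xAA":
        raise ValueError("not a valid MBR image")
    entries = []
    for i in range(4):
        # boot flag, 3 bytes CHS start, type, 3 bytes CHS end, LBA start, LBA count
        flag, ptype, lba_start, lba_count = struct.unpack_from(
            "<B3xB3xII", mbr, PART_TABLE_OFF + i * 16)
        if ptype == 0:
            continue
        entries.append({"index": i, "active": flag == 0x80, "type": ptype,
                        "lba_start": lba_start, "lba_count": lba_count})
    return entries


def strip_partition_table(mbr):
    """Blank the table so DOS sees no partitions: Int 26h cannot address a
    drive it does not know about. Returns the stripped sector plus the
    original 64-byte table, which the custom boot code must stash elsewhere."""
    saved = bytes(mbr[PART_TABLE_OFF:PART_TABLE_OFF + PART_TABLE_LEN])
    stripped = (mbr[:PART_TABLE_OFF] + bytes(PART_TABLE_LEN)
                + mbr[PART_TABLE_OFF + PART_TABLE_LEN:])
    return stripped, saved


def restore_partition_table(stripped, saved):
    """What the replacement bootstrap does before chaining to the active partition."""
    return stripped[:PART_TABLE_OFF] + saved + stripped[PART_TABLE_OFF + PART_TABLE_LEN:]


def active_partition(mbr):
    active = [e for e in parse_partition_table(mbr) if e["active"]]
    if len(active) != 1:
        raise ValueError("expected exactly one active partition")
    return active[0]


def int13_hook_findings(lowmem):
    """Heuristic check for a hooked Int 13h while still on the bare BIOS.

    Before DOS loads, only the BIOS and adapter ROMs should own the vector,
    so it should point into ROM space. A resident boot infector such as
    Stoned instead lowers the memory-size word at 0040:0013 and parks its
    handler in the KB it carved off the top of conventional memory.
    Returns a list of reasons; an empty list means nothing suspicious."""
    off, seg = struct.unpack_from("<HH", lowmem, IVT_INT13_OFF)
    mem_kb = struct.unpack_from("<H", lowmem, BDA_MEMSIZE_OFF)[0]
    reported_top_seg = mem_kb * 64   # 1 KB = 64 paragraphs; 640 KB -> A000h
    findings = []
    if seg < ROM_FLOOR_SEG:
        findings.append(f"Int 13h vector {seg:04X}:{off:04X} points into RAM, not ROM")
    if mem_kb < 640:
        findings.append(f"BIOS reports {mem_kb} KB; top of memory lowered by {640 - mem_kb} KB")
    if reported_top_seg <= seg < 0xA000:
        findings.append("Int 13h handler sits in memory hidden above the reported top")
    return findings


# Constructed sample images (assumptions, not captures from a real machine).
def build_mbr(parts):
    mbr = bytearray(MBR_SIZE)   # boot code area left zeroed
    for i, (active, ptype, start, count) in enumerate(parts):
        struct.pack_into("<B3xB3xII", mbr, PART_TABLE_OFF + i * 16,
                         0x80 if active else 0, ptype, start, count)
    mbr[BOOT_SIG_OFF:BOOT_SIG_OFF + 2] = b"\x55\xAA"
    return bytes(mbr)


def build_lowmem(int13_seg, int13_off, mem_kb):
    lowmem = bytearray(0x500)
    struct.pack_into("<HH", lowmem, IVT_INT13_OFF, int13_off, int13_seg)
    struct.pack_into("<H", lowmem, BDA_MEMSIZE_OFF, mem_kb)
    return bytes(lowmem)


SAMPLE_MBR = build_mbr([(True, 0x06, 63, 65520)])    # one active FAT16 partition
CLEAN_LOWMEM = build_lowmem(0xF000, 0xEC59, 640)     # vector into system BIOS ROM
STONED_LOWMEM = build_lowmem(0x9F80, 0x000A, 638)    # 2 KB carved off, handler parked there

if __name__ == "__main__":
    stripped, saved = strip_partition_table(SAMPLE_MBR)
    print("DOS-visible partitions after strip:", parse_partition_table(stripped))
    print("active after restore:", active_partition(restore_partition_table(stripped, saved)))
    print("clean:", int13_hook_findings(CLEAN_LOWMEM))
    print("stoned-style:", int13_hook_findings(STONED_LOWMEM))
```

The vector check only means something at the point Padgett is talking about: once DOS is up, device drivers loaded into upper memory hook Int 13h legitimately, so the same test from CONFIG.SYS or AUTOEXEC.BAT would be noise. The ROM floor is a per-machine assumption, which is the flip side of his point that hardcards and ESDI/SCSI adapters put their ROM extensions wherever they like.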